Permissions and roles are enforced at the node level. This is best explained by considering "Read" permission. Due to interactions with search (which indexes information at the node level) it makes sense that all properties have the same read access as the node. (If not, the values of properties could be deduced by how a readable node was found from a search on restricted properties). If you require finer grained permission for properties this can be achieved by using sub-nodes to partition those properties. Permissions that affect mutability could be enforced at the attribute level but they are not.
This quote is from wiki. Now imagine I have a document and need to add some properties with special ACL. Is it possible to create them as a sub-node as the wii suggests? and if yes how can I achieve this?
thanks very much