[Pki-users] confused about access control list

I've tried a simple example of using the ACL to block profile listing and it works. however, I want to disable a CA agent from submitting/approving or executing any enrollment requests. I've went through all the ACLs, and whenever I encountered a submit right, I flipped to deny. despite that the agent still is able to submit and enroll certificates. another aspect, I was looking into the user_orgreq ACL plugin. can someone provide and an example on how this can be used in the context of ACLs? thanks,