Thanks for your infos. A fixed child node doesn’t meet the requirements in detail. So the custom node type seems to be the method of choice here. I will also have a look at the ACL package later. Thx.
Is there a particular reason why there is no privilege matcher for a single (document) node?