Does anyone have any experience with configuring ACL access in LDAP?

Here is my situation. I have a couple of users that I want to have read/write access to the children of a container, but read only to the container. Here is the portion of my config that is appropriate:

# Allow CSR reps to create and delete Widget/Wonkle subitems
access to dn.one="ou=Widget,ou=Users,ou=ISG,dc=domain,dc=com" attrs=children
by dn.children="ou=CSR,ou=Admins,dc=domain,dc=com" write
by * break
access to dn.one="ou=Wonkle,ou=Users,ou=ISG,dc=domain,dc=com" attrs=children
by dn.children="ou=CSR,ou=Admins,dc=domain,dc=com" write
by * break

# Allow CSR Reps to read Users Tree
access to dn.base="ou=Users,ou=ISG,dc=domain,dc=com"
by dn.children="ou=CSR,ou=Admins,dc=domain,dc=com" read
by * break

# Allow CSR Reps to modify the children of Widget/Wonkle users
access to dn.children="ou=Widget,ou=Users,ou=ISG,dc=domain,dc=com"
by dn.children="ou=CSR,ou=Admins,dc=domain,dc=com" write
by * break
access to dn.children="ou=Wonkle,ou=Users,ou=ISG,dc=domain,dc=com"
by dn.children="ou=CSR,ou=Admins,dc=domain,dc=com" write
by * break

The first item is where I run into problems. If I comment it out, I can have the members of CSR read the children of ou=Users just fine. But they are not able to create a new child in ou=Users. If I include it, the CSR members can delete the container.

My goal is to have them be able to add children to the Widget and Wonkle branches WITHOUT the ability to delete the entire container. This already happened and had some fun restoring the database.

TIA