I submitted an idea to remediate the validuser ACL limitations. If you agree and have a moment, I'd appreciate your voting for the idea. :-)
https://arubanetworkskb.secure.force.com/cp/ideas/viewIdea.apexp?id=08740000000LEf6
Airwave has two configuration methods: Global and Group config. The latter keeps all configuration elements separate from each master controller. This works well in enabling separate validuser ACLs for each controller group. However, it does a poor job of ensuring consistency across controller groups for things such as SSID profiles, and radio profiles, or IDS policies, etc. Thus, the Global config option is favorable.
However, with Global config, there's only one instance of the "validuser" ACL. Thus, every controller group will have to have the same validuser ACL. This scales very poorly. Aside from my own higher education environment, picture K-12 districts or even retail shops that want a consistent configuration across all their locations, but the client IP space is different. This means controller A would have to refer to client networks in its validuser ACL for controllers B through Z.
Solution? Allow admins to specify WHICH ACL is to function as validuser. Upon upgrading to an AOS version with this feature, a new command like "validuser-acl <ACL_name>" could be added, which would default to "validuser-acl 'validuser' ". We could then create different ACLs for different controller groups while still maintaining a global configuration option with Airwave.