You cannot set the permission to read a certain attribute on the one hand and the code to create a certain object class on the other hand in the sam value control entry. The reason for this is that only one scope specifier is allowed per ACE. For such methods, several different ACEs are necessary. If you try to set a part permission combination on the checkboxes, the powerful Access List Sensula editor is shown where you can configure the following ACE in detail..
Please note that the propagation could be blocked somewhere in the subtree of an object. Just deactivate the Inherit permissions from parent objects option. If you do that, xz can choose whether you keep all the inherited entries as real entries, or if you want to remove all the inherited entries from the ACL. You can easily change the propagation value.