you might be able to use security groups for each child domain to allow access.
Maybe this will help..
http://community.igniterealtime.org/thread/42044
Maybe within the master AccessGroup, you can then you might be able to use the Domain Users group or similar security group for each child domain?