
The Effect of the Checking Order on Granting Permissions

You can think of the order in which the ACL entries are checked as going from most specific to least specific. For example, assume an ACL contains the following entries:

{user mahler r}

{group composers rwx}

If the principal named mahler, who is a member of the group composers, requests execute (x) access, the request is denied. This happens because the order of checking specifies that all user entries (user_obj, user, and foreign_user) are checked before all group entries (group_obj, group, and foreign_group). Therefore, the first match found by the ACL manager is the match between the principal mahler and the ACL entry for user mahler. Once a matching user entry is found, checking stops and the permissions in that entry are applied. In this case, checking stops before the group entry, which is the entry with the more liberal permissions.
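The checking order described above can be modelled in a few lines. This is an added example, not code from the ACL manager: it handles only keyed user and group entries, and the function names, the data layout, and the way multiple matching group entries are combined are assumptions of the sketch.

```python
# Added example: models only the user-before-group checking order described above.
# Function names and data layout are hypothetical, not the ACL manager's API.

def parse_entry(text):
    """Parse an entry such as '{user mahler r}' into (type, key, permissions)."""
    etype, key, perms = text.strip("{} ").split()
    return etype, key, set(perms)

def effective_permissions(acl, principal, groups):
    """Return the permissions applied to principal under the checking order."""
    entries = [parse_entry(e) for e in acl]
    # All user entries are checked before any group entry.
    for etype, key, perms in entries:
        if etype == "user" and key == principal:
            return perms  # match found: checking stops, group entries are never read
    # Group entries are reached only when no user entry matched.
    matched = [perms for etype, key, perms in entries
               if etype == "group" and key in groups]
    # Assumption of this sketch: permissions of all matching group entries are combined.
    return set().union(*matched)

def is_granted(acl, principal, groups, requested):
    """True when every requested permission bit is in the applied permissions."""
    return set(requested) <= effective_permissions(acl, principal, groups)

def shadowed_by_user_entry(acl, principal, groups):
    """Permissions the principal's groups carry but the user entry withholds."""
    entries = [parse_entry(e) for e in acl]
    if not any(t == "user" and k == principal for t, k, _ in entries):
        return set()  # no user entry, so nothing is shadowed
    group_perms = set().union(*[p for t, k, p in entries
                                if t == "group" and k in groups])
    return group_perms - effective_permissions(acl, principal, groups)

ACL = ["{user mahler r}", "{group composers rwx}"]  # the two entries from the text

if __name__ == "__main__":
    print(is_granted(ACL, "mahler", {"composers"}, "x"))
    print(sorted(shadowed_by_user_entry(ACL, "mahler", {"composers"})))
```

When reviewing an ACL, a non-empty result from `shadowed_by_user_entry` marks a principal whose user entry is more restrictive than the group entries that would otherwise apply.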