Denying Access

When you create an ACL entry for a principal or group, you grant only the permissions you specify in the ACL entry. To deny a principal all access to an object, create an ACL entry that contains a dash in place of the permissions. For example, to deny all access to user mozart, the entry would be

{user mozart -}

If you choose to deny access to a specific principal or group, select the most specific entry type available. Generally, for principals this is an entry type of user or foreign_user; for groups, it is an entry type of group or foreign_group. Note that if the principal is the object's owner or a member of the object's group, you must use the user_obj or group_obj entry type to ensure that access is denied, because those entry types are consulted before the user and group entries.

To deny access to all unauthenticated users, do not create an unauthenticated mask (an ACL entry of type unauthenticated). If no such entry exists, only authenticated principals can access the object. The same effect is achieved by creating an unauthenticated mask with no permissions (a dash in place of the permissions); this method has the additional advantage of showing explicitly that unauthenticated users have no access rights.
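The following is an added example, not code from the DCE documentation: a small evaluator for ACL entries written in the {type [key] perms} form used above, covering both the dash-denial entries and the unauthenticated mask. The evaluation order is an assumption made for the illustration: an unauthenticated principal sees only the unauthenticated entry; otherwise user_obj (for the owner) is consulted before user, and group_obj (for the owning group) before group entries, whose permissions are unioned; other_obj is the fallback. The ACL text, principals and groups are constructed sample data.

```python
import re

# One entry: {type perms} or {type key perms}; the key is absent for *_obj types.
ENTRY_RE = re.compile(r"\{(\w+)(?:\s+([^\s}]+))?\s+([^\s}]+)\}")


def parse_acl(text):
    """Map (entry_type, key) -> set of permission letters; '-' grants nothing."""
    acl = {}
    for etype, key, perms in ENTRY_RE.findall(text):
        acl[(etype, key or None)] = set(perms) - {"-"}
    return acl


def effective_perms(acl, principal, groups, owner, owning_group, authenticated=True):
    """Permissions the ACL grants this principal (assumed evaluation order)."""
    if not authenticated:
        # A missing unauthenticated entry and one written as '-' both yield the empty set.
        return acl.get(("unauthenticated", None), set())
    if principal == owner and ("user_obj", None) in acl:
        # The owner is matched by user_obj before any {user ...} entry is considered.
        return acl[("user_obj", None)]
    if ("user", principal) in acl:
        return acl[("user", principal)]
    if owning_group in groups and ("group_obj", None) in acl:
        return acl[("group_obj", None)]
    matched = [acl[("group", g)] for g in groups if ("group", g) in acl]
    if matched:
        return set().union(*matched)
    return acl.get(("other_obj", None), set())


def is_allowed(acl_text, principal, wanted, *, owner, owning_group, groups=(), authenticated=True):
    """True if every permission letter in `wanted` is granted to `principal`."""
    perms = effective_perms(parse_acl(acl_text), principal, set(groups), owner, owning_group, authenticated)
    return set(wanted) <= perms


if __name__ == "__main__":
    # Constructed sample ACL: owner bach, owning group orchestra; mozart is denied outright.
    ACL = "{user_obj rwx} {user mozart -} {group_obj r-x} {group composers r--} {unauthenticated -}"
    print(is_allowed(ACL, "mozart", "r", owner="bach", owning_group="orchestra"))   # False
    print(is_allowed(ACL, "mozart", "r", owner="mozart", owning_group="orchestra")) # True: user_obj wins
```

The last call shows the caveat from the text: once mozart owns the object, {user mozart -} no longer denies him, and only {user_obj -} would.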