It’s important to keep in mind the order of evaluation for ACL entries when a user attempts to access a file system object:
1. If the user is the file owner, then the owner permission bits are enforced.
2. Else if the user has a named user ACL entry, then those permissions are enforced.
3. Else if the user is a member of the file’s group or of any named group in an ACL entry, then the union of the permissions of all matching entries is enforced. (The user may be a member of multiple groups.)
4. If none of the above were applicable, then the other permission bits are enforced.
Assume we have a user UserA in group GroupA, and we configure a directory with the following ACL entries:
According to the design spec above, UserA should have no access permission to the file object, while in practice UserA still has rwx access to the directory.
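To make the expected behaviour concrete, here is an added example (not code from the original report or from the HDFS project) that models the four evaluation steps listed above as a small function and runs it against a constructed ACL. The entries in EXAMPLE_ACL are an assumption chosen to illustrate the rules, since the report's own entries are not included here: the owning group GroupA has rwx, but a named user entry for UserA grants nothing, so step 2 should deny UserA before the group entry is ever considered.

```python
# Added example: a model of the four-step ACL evaluation order described above.
# The ACL below is constructed for illustration and is not the ACL from the
# original report.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class AclEntry:
    kind: str   # "user" or "group" (named entries only)
    name: str   # principal name the entry applies to
    perms: str  # permission string such as "rwx", "r-x", "---"


@dataclass
class Acl:
    owner: str
    group: str
    owner_perms: str   # step 1: owner permission bits
    group_perms: str   # step 3: owning-group permission bits
    other_perms: str   # step 4: other permission bits
    named: List[AclEntry] = field(default_factory=list)


def perm_set(perms: str) -> Set[str]:
    """Turn a 'rwx'-style string into a set of granted permission letters."""
    return {c for c in perms if c in "rwx"}


def effective_perms(acl: Acl, user: str, user_groups: Set[str]) -> Set[str]:
    """Apply the evaluation order: owner, named user, groups (union), other."""
    # Step 1: the owner is checked first and only the owner bits apply.
    if user == acl.owner:
        return perm_set(acl.owner_perms)

    # Step 2: a named user entry wins over any group membership.
    for entry in acl.named:
        if entry.kind == "user" and entry.name == user:
            return perm_set(entry.perms)

    # Step 3: union of the owning group and every matching named group.
    matched: List[Set[str]] = []
    if acl.group in user_groups:
        matched.append(perm_set(acl.group_perms))
    for entry in acl.named:
        if entry.kind == "group" and entry.name in user_groups:
            matched.append(perm_set(entry.perms))
    if matched:
        return set().union(*matched)

    # Step 4: nothing matched, so the other bits apply.
    return perm_set(acl.other_perms)


def has_access(acl: Acl, user: str, user_groups: Set[str], requested: str) -> bool:
    """True only if every requested permission letter is granted."""
    return perm_set(requested) <= effective_perms(acl, user, user_groups)


# Constructed ACL (assumption): owned by "admin", owning group GroupA with rwx,
# a named user entry denying everything to UserA, and a named group GroupB
# that grants only write.
EXAMPLE_ACL = Acl(
    owner="admin",
    group="GroupA",
    owner_perms="rwx",
    group_perms="rwx",
    other_perms="r-x",
    named=[
        AclEntry("user", "UserA", "---"),
        AclEntry("group", "GroupB", "-w-"),
    ],
)

if __name__ == "__main__":
    # UserA is in GroupA, but step 2 matches first and grants nothing.
    print("UserA:", sorted(effective_perms(EXAMPLE_ACL, "UserA", {"GroupA"})))
    # UserB has no named entry, so the owning-group bits apply.
    print("UserB:", sorted(effective_perms(EXAMPLE_ACL, "UserB", {"GroupA"})))
    # UserC is in GroupA and GroupB: union of rwx and -w- is rwx.
    print("UserC:", sorted(effective_perms(EXAMPLE_ACL, "UserC", {"GroupA", "GroupB"})))
```

Running the block prints an empty permission set for UserA, which is the outcome the evaluation order calls for; a check against the real file system can then be compared with this model to confirm whether the named user entry is being consulted before the group entry.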