ACL Entry Types for Masks

DCE ACLs also provide a mask_obj entry type that can be used to filter, or mask, the permissions granted by certain user and group entries. The ACL mask_obj entry has the following format:

{mask_obj permissions}

The mask_obj entry specifies the maximum set of permissions that can be granted by any entries except the user_obj and other_obj entries. Permissions granted by any other entries are filtered through the mask_obj; only those permissions found in both the entry and the mask_obj are granted.

The mask_obj entry can only restrict the permissions granted by another entry; it cannot extend them. When DCE LFS determines the permissions granted to a user by an entry to which the mask_obj applies, the effective permissions are the intersection of the two sets: a permission that appears in the applicable entry but not in the mask_obj entry is denied, and a permission that appears in the mask_obj entry but not in the applicable entry is not granted.

If an entry other than user_obj, group_obj, or other_obj exists on an ACL, the mask_obj entry must exist as well. If a mask_obj entry does not already exist when an entry other than an _obj entry is created, the dcecp acl command, which is used to modify an ACL, automatically creates one. Note that although the mask_obj entry filters the permissions granted by the group_obj entry, an ACL can have a group_obj entry without having a mask_obj entry.
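The following model of the mask_obj rules described above is an added example written for this page; it is not DCE or dcecp code. It parses entries in the {type [key] permissions} form shown on this page, computes the effective permissions of each entry as the intersection with mask_obj (user_obj and other_obj excepted), flags an ACL that has a non-_obj entry but no mask_obj, and mimics the auto-creation of mask_obj when such an entry is added. Assumptions: the permission alphabet rwxcid (DCE LFS read, write, execute, control, insert, delete), a dash for an absent permission, and, because the page does not state what dcecp puts in an auto-created mask_obj, a mask equal to the union of the entries it filters so that adding an entry does not silently lose permissions.

```python
"""Model of DCE LFS mask_obj filtering (added example, not DCE code)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed DCE LFS permission alphabet: read, write, execute, control, insert, delete.
PERMS = "rwxcid"

# Entry types whose permissions are never filtered through mask_obj.
UNMASKED = ("user_obj", "other_obj")


@dataclass
class Entry:
    etype: str            # user_obj, group_obj, other_obj, mask_obj, user, group, ...
    key: Optional[str]    # principal or group name for user/group entries, else None
    perms: frozenset      # subset of PERMS


def parse_entry(text: str) -> Entry:
    """Parse a dcecp-style entry such as '{user bob rwx---}' or '{mask_obj r-x---}'."""
    parts = text.strip().strip("{}").split()
    if len(parts) == 2:
        etype, key, perms = parts[0], None, parts[1]
    elif len(parts) == 3:
        etype, key, perms = parts
    else:
        raise ValueError("malformed ACL entry: %r" % text)
    bad = set(perms) - set(PERMS) - {"-"}
    if bad:
        raise ValueError("unknown permission letters %s in %r" % (sorted(bad), text))
    return Entry(etype, key, frozenset(c for c in perms if c != "-"))


def fmt(perms) -> str:
    """Render a permission set in the fixed rwxcid column order."""
    return "".join(c if c in perms else "-" for c in PERMS)


def mask_of(acl: List[Entry]) -> Optional[Entry]:
    return next((e for e in acl if e.etype == "mask_obj"), None)


def effective_perms(entry: Entry, acl: List[Entry]) -> frozenset:
    """Permissions an entry actually grants once mask_obj is applied."""
    mask = mask_of(acl)
    if entry.etype in UNMASKED or mask is None:
        return entry.perms
    # Intersection: the mask can remove permissions but never add them.
    return entry.perms & mask.perms


def needs_mask(acl: List[Entry]) -> bool:
    """True when the ACL holds an entry other than the *_obj entries."""
    return any(not e.etype.endswith("_obj") for e in acl)


def validate(acl: List[Entry]) -> List[str]:
    """Problems under the DCE LFS rule: non-_obj entries require a mask_obj."""
    problems = []
    if needs_mask(acl) and mask_of(acl) is None:
        problems.append("non-_obj entry present but mask_obj missing")
    return problems


def add_entry(acl: List[Entry], text: str) -> List[Entry]:
    """Add an entry and, like dcecp acl, auto-create mask_obj when it becomes required."""
    new_acl = acl + [parse_entry(text)]
    if needs_mask(new_acl) and mask_of(new_acl) is None:
        # Assumption: the auto-created mask is the union of the entries it filters;
        # the page does not say which permissions dcecp places in it.
        union = frozenset().union(*(e.perms for e in new_acl if e.etype not in UNMASKED))
        new_acl.append(Entry("mask_obj", None, union))
    return new_acl


if __name__ == "__main__":
    # Constructed sample ACL: the mask only allows r and x.
    acl = [parse_entry(s) for s in (
        "{user_obj rwxcid}", "{group_obj rwx---}", "{user bob rwxcid}",
        "{mask_obj r-x---}", "{other_obj r-----}")]
    for e in acl:
        print("%-9s %-4s %s -> %s" % (e.etype, e.key or "", fmt(e.perms),
                                       fmt(effective_perms(e, acl))))
```

Running the demo shows user_obj keeping rwxcid and other_obj keeping r, while both group_obj and the named user entry are cut down to r-x---. Note that validate only reports the mask_obj rule this page describes; it does not check entry ordering or duplicate keys.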

Note: The rule that requires the presence of the mask_obj entry with an entry other than an _obj entry applies only to ACLs on DCE LFS objects, not to ACLs on objects associated with other DCE components. DCE LFS enforces this restriction in an effort to track Draft 12 of the POSIX standard for ACLs on file and directory objects.