ACL Checking and the General Mask

NOTE: The object's owner and home cell entry types are not filtered by the general mask.

The general mask is the last thing checked in the ACL checking procedure. When the application server finds the entries that match the requesting user, it looks at the permissions in those entries, at the permissions in the unauthenticated mask, if applicable, and at the permissions in the general mask, if one exists. Before the server grants any permissions, it filters the entry permissions through the general mask. Only those permissions named in both the ACL entry and the mask are granted.

See ACL Checking and the Unauthenticated Mask for information about applying the unauthenticated mask.
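
The filtering step described above, as an added example (not code from the original documentation). The entry-type labels, permission letters and sample ACL are constructed for illustration, and the caller is assumed to pass the unauthenticated mask only when it applies to the request.

```python
# Added example: filtering matched ACL entry permissions through the masks.
# Entry-type labels and permission letters are constructed, not real identifiers.

# Entry types the page says are NOT filtered by the general mask.
MASK_EXEMPT = {"owner", "home_cell"}


def effective_permissions(entry_type, entry_perms, general_mask=None, unauth_mask=None):
    """Return (granted, stripped) permission sets for one matched entry.

    general_mask: permissions in the general mask, or None if the ACL has none.
    unauth_mask:  permissions in the unauthenticated mask when it applies to
                  this request, or None when it does not apply (assumption).
    """
    requested = set(entry_perms)
    granted = set(requested)
    if unauth_mask is not None:
        granted &= set(unauth_mask)
    if general_mask is not None and entry_type not in MASK_EXEMPT:
        granted &= set(general_mask)
    return granted, requested - granted


def audit(acl, general_mask=None):
    """Report, per entry, what survives the general mask and what it removes."""
    report = []
    for entry_type, key, perms in acl:
        granted, stripped = effective_permissions(entry_type, perms, general_mask)
        report.append({
            "entry": f"{entry_type}:{key}" if key else entry_type,
            "granted": "".join(p for p in perms if p in granted),
            "stripped": "".join(p for p in perms if p in stripped),
            "bypasses_mask": general_mask is not None and entry_type in MASK_EXEMPT,
        })
    return report


# Constructed sample ACL: (entry type, key, permissions).
SAMPLE_ACL = [
    ("owner", "", "rwxc"),
    ("user", "alice", "rwx"),
    ("group", "staff", "rw"),
    ("home_cell", "", "rwc"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACL, general_mask="rx"):
        print(row)
```

Entries reported with `bypasses_mask` set keep their full permissions no matter how restrictive the general mask is, so tightening the mask alone does not reduce what those entries grant.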