There are two special types of entries that are used as masks over other entries. Mask ACL entries establish maximum permissions that can then be granted to particular users named in ACL entries. In access control lists, only permissions given in one or more ACL entries and in the applicable masks are granted. For example, if an ACL entry specifies rwx permissions, and the mask applied to the ACL entry specifies only the r permission, only the r permission is granted.
There are two ACL masks: the unauthenticated mask and the general mask. The unauthenticated mask entry type is applied to the permissions allowed to an unauthenticated request by a user. You can have only one unauthenticated mask entry on an ACL. Usually, the unauthenticated mask is applied over the entry type All Other Users. The absence of the unauthenticated mask prohibits any access by unauthenticated users.
The general mask, if it exists, applies to all entry types except object owner and home cell entries. You can have only one general mask entry on an ACL. The absence of the general mask places no limits on the access that can be granted to a user.