I wonder if complete ACLs or only their Access Control Entries (ACE) should be inherited.
It would be simple if the children replace the whole ACL, but it would be limiting if only an additional ACE should be added.
If ACEs can be inherited, I think I would need negative rights, because otherwise all rights beginning from the root ACL would be accumulated. Right?
ACE inheritance and negative rights would add a lot of flexibility but could also lead to hard-to-understand security restrictions. I'd like to avoid negative rights on the one hand, but on the other hand a system could become hard to maintain because of their absence (through otherwise needless duplication of ACLs).
So what to do? Inherit only complete ACLs or inherit ACEs? Add negative permissions or not?
Provisional Solution: Since nobody had an idea, I decided to use inheritance on an access control entry basis. Negative permissions wouldn't be required to do this, but I'll implement them to achieve greater flexibility.
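
The two options from the question, side by side, as an added sketch that is not part of the original post: per-ACE inheritance with an optional negative entry, and whole-ACL replacement. The evaluation order (nearest matching node decides, deny beats allow on the same node, default deny) and all names are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class ACE:
    principal: str
    right: str
    allow: bool = True          # False = negative (deny) entry

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)
    replace_acl: bool = False   # True = whole-ACL model: inheritance stops here

def decide(node, principal, right):
    """Return (allowed, deciding_node_name).

    Walk from the node towards the root. The nearest node holding a matching
    ACE decides; on that node a deny entry beats an allow entry. If nothing
    matches, access is denied by default.
    """
    while node is not None:
        hits = [a for a in node.aces
                if a.principal == principal and a.right == right]
        if hits:
            return all(a.allow for a in hits), node.name
        if node.replace_acl:    # ACL was replaced, ignore ancestors
            break
        node = node.parent
    return False, None

# Constructed sample tree.
root = Node("root", aces=[ACE("alice", "read"), ACE("bob", "read"),
                          ACE("bob", "write")])
# ACE inheritance: one extra entry, everything else comes from root.
docs = Node("docs", root, [ACE("alice", "write")])
# Negative ACE: removes one inherited right without copying the rest.
private = Node("private", docs, [ACE("bob", "read", allow=False)])
# Whole-ACL replacement: same goal, but alice's entries must be duplicated.
sealed = Node("sealed", docs, [ACE("alice", "read"), ACE("alice", "write")],
              replace_acl=True)

if __name__ == "__main__":
    for n in (docs, private, sealed):
        for who, what in (("alice", "write"), ("bob", "read"), ("bob", "write")):
            print(n.name, who, what, decide(n, who, what))
```

Returning the deciding node alongside the verdict makes an inherited grant auditable: on `private`, bob loses `read` but still holds `write` from `root`, which is exactly the kind of surprise that ACE inheritance with negative rights can produce.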