In this use case, a file system administrator or sub-tree owner would like to define an access policy that will be applied to the entire sub-tree. This access policy must apply not only to the current set of files and directories, but also to any new files and directories that are added later.
This use case can be addressed by setting a default ACL on the directory. The default ACL can contain any arbitrary combination of entries. For example:
default:user::rwx default:user:bruce:rw- default:user:diana:r-- default:user:clark:rw- default:group::r-- default:group:sales::rw- default:group:execs::rw- default:others::---
It is important to note that the default ACL gets copied from the directory to newly created child files and directories at time of creation of the child file or directory. If you change the default ACL on a directory, that will have no effect on the ACL of the files and subdirectories that already exist within the directory. Default ACLs are never considered during permission enforcement. They are only used to define the ACL that new files and subdirectories will receive automatically when they are created.
