Once an ACL for an object is looked up, only that ACL is used to determine the users access to that object. There is no recursive acl check on more parent ACLs. Creating an ACL may copy a parent ACL to be edited, this roughly looks like inheritance then.
ACL check are simple user:permission checked in the order given by the ACL, the first match of a query applies, there is no attempt to check any further rules.
An ACL's may contain groups and roles, these are expanded on load to the respective users / permissions giving a bigger but much simpler list.
Acls are a file consisting of lines which map users to permissions granted: USERS PERMISSIONS
Empty lines and lines beginning with a # are treated as comments.
is a comma delimited lists of user names or group names.
is a comma delimied list of actions, types, roles or some ad-hoc permission names.
Groups are just aliases for a set of users or other groups and expanded recursively.
Roles are just aliases for permissions or other roles and expanded recursively.