The Unauthenticated Mask and ACL Checking
If an ACL manager receives an access request from an unauthenticated principal, it checks the ACL entries and applies the mask_obj mask, if available, as described previously. It then filters the resulting permissions through the mask for unauthenticated principals (entry type of unauthenticated). Only those permissions specified in the unauthenticated mask, in the ACL entry, and in the mask_obj mask (if it exists) are granted.