...
The db-based solution repository is refreshed from the filesystem. In other words, solution repository objects are created as files on the filesystem and those objects are refreshed (published) in the db-based solution repository. In the filesystem, solution repository objects have no associated ACLs--at least as far as the platform is concerned. But once solution repository objects are published to the db-based repository, they do have associated ACLs. So how did the objects get their ACLs? The answer is an IAclPublisher. There is only one IAclPublisher instance per JVM and the type of that instance is specified in pentaho.xml. For more information about IAclPublisher implementations, see ACL Publisher Details 13. IAclPublisher Node.
Note that an IAclPublisher is only responsible for the initial publishing of ACLs. After the filesystem is initially published, the Admin > Permissions interface should be used to tweak permissions.