...
The db-based solution repository is refreshed from the file system. In other words, solution repository objects are created as files on the filesystem and those objects are refreshed (published) in the db-based solution repository. In the files ystem, solution repository objects have no associated ACLs--at least as far as the platform is concerned. But once solution repository objects are published to the db-based repository, they do have associated ACLs. So how did the objects get their ACLs? The answer is an IAclPublisher. There is only one IAclPublisher instance per JVM and the type of that instance is specified in pentahopentahoObjects.spring.xml.
Note that an IAclPublisher is only responsible for the initial publishing of ACLs. After the file system is initially published, the Admin > Permissions interface should be used to tweak permissions.