Spring Security ACL's model describes a field owner_sid in the very same acl_object_identity table, despite actually still needing an ACL entry for the access to work.
What's the purpose of this field, then?
By the time this is posted, you may already have your answer. I post mine for those that come.
So, owner_sid defines who can make changes (add, remove, update) on Access Control Entries (ACEs) for the given object identity.
Let's say we have an object BANK_ACCOUNT with owner_sid pointing to Alice's SID. When Bob tries to add an ACE in the application, let's say "BOB has PERMISSION.CAN_TRANSFER at BANK_ACCOUNT with OBJECT_ID X", an authorization strategy will trigger and check, based on owner_sid, whether or not the one trying to make the change is Alice. If not, abort the insertion.
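
A simplified model of the check described in this answer, added here as an example (it is not Spring Security's own code and not part of the original answer). The class and method names are hypothetical and the SIDs are constructed sample data; it shows that owner_sid gates changes to the ACEs while access decisions still read the ACEs only.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified stand-in for one acl_object_identity row plus its acl_entry rows.
// Class and method names are hypothetical; this is not Spring Security's code.
public class OwnerSidDemo {
    static final class Ace {
        final String sid, permission;
        Ace(String sid, String permission) { this.sid = sid; this.permission = permission; }
    }

    static final class Acl {
        final String objectId, ownerSid;          // ownerSid models the owner_sid column
        final List<Ace> entries = new ArrayList<>();
        Acl(String objectId, String ownerSid) { this.objectId = objectId; this.ownerSid = ownerSid; }

        // Access decisions read ACEs only; owner_sid is never consulted here.
        boolean isGranted(String sid, String permission) {
            return entries.stream()
                    .anyMatch(a -> a.sid.equals(sid) && a.permission.equals(permission));
        }

        // Changing the ACL is where owner_sid matters: the caller must be the owner.
        void insertAce(String callerSid, String sid, String permission) {
            if (!callerSid.equals(ownerSid)) {
                throw new SecurityException(callerSid + " does not own " + objectId);
            }
            entries.add(new Ace(sid, permission));
        }
    }

    public static void main(String[] args) {
        Acl account = new Acl("BANK_ACCOUNT:X", "alice");   // constructed sample data

        // Owning the object grants no permission on it by itself.
        System.out.println("alice CAN_TRANSFER: " + account.isGranted("alice", "CAN_TRANSFER"));

        try {   // Bob is not the owner, so his insertion is aborted.
            account.insertAce("bob", "bob", "CAN_TRANSFER");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Alice, as owner, can grant Bob the permission.
        account.insertAce("alice", "bob", "CAN_TRANSFER");
        System.out.println("bob CAN_TRANSFER: " + account.isGranted("bob", "CAN_TRANSFER"));
    }
}
```

Spring Security's AclAuthorizationStrategyImpl also lets a caller through when it holds the configured administrative authority or the ADMINISTRATION permission on the ACL; the model above covers only the owner comparison.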