Multiple AclPrivilege on a given type


What is the behavior if there are more than one AclPrivilege defined with different expressions for a given type?


AclPrivileges are rules which populate the ACL (access control list) on a particular object. When multiple AclPrivileges exist, the union of their produced ACLs is the effective ACL.

Basically, if any AclPrivilege gives you access to an object then you have access; its an OR relationship in other words.


OK then how about the other fields (canUpdate, canRemove, canModifyAcl) from AclPrivileges?
How are they combined? is it OR too? I would said yes i.e. get the most priviledge.