Yes, I was wrong in calling them additive, as they are purely ACL-style top-down evaluation, which, as you said, is a well-understood algorithm if you have ever touched a firewall or similar security appliances.
And again: RBAC is an entirely distinct algorithm, and we have a design document on how to implement it side-by-side with the current ACL algorithm. I'd be glad to share it with you, BTW, even though it's not been implemented just yet.
Back to the current ACL algorithm in ROR. The modification we introduced to better support multi-tenancy in ROR Enterprise diverges from this well-understood algorithm, yes, but only in the presence of the x-ror-current-group request header.
Now, because this header is required to properly handle multi-tenancy, and ROR PRO has no multi-tenancy, we could just avoid setting the header in ROR PRO. So ES won't see it, and the ACL will behave as before. @coutoPL, am I right?
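The behaviour argued for above (plain top-down, first-match ACL when the header is absent; a tenant-restricted branch only when x-ror-current-group is present) as an added illustrative model. This is not ReadonlyREST's code: the `Block`/`Request` fields, the `groups` attribute used to tie a block to a tenant, and `evaluate` are assumptions made for the example, and the sample blocks are constructed.

```python
# Illustrative model (not ReadonlyREST's own code) of a top-down, first-match ACL
# whose only divergence from plain first-match is a tenant filter that is taken
# solely when the x-ror-current-group request header is present.
from dataclasses import dataclass, field
from typing import Optional, Tuple

TENANT_HEADER = "x-ror-current-group"


@dataclass
class Block:
    name: str
    users: set                                  # usernames this block applies to
    actions: set                                # e.g. {"read", "write"}
    indices: set                                # index names; "*" matches everything
    groups: set = field(default_factory=set)    # hypothetical: tenant groups served (empty = any)
    allow: bool = True                          # verdict when this block is the first match


@dataclass
class Request:
    user: str
    action: str
    index: str
    headers: dict = field(default_factory=dict)


def _block_matches(block: Block, req: Request) -> bool:
    """Ordinary (non-tenant) matching conditions of a block."""
    if req.user not in block.users:
        return False
    if req.action not in block.actions:
        return False
    if "*" not in block.indices and req.index not in block.indices:
        return False
    return True


def evaluate(blocks: list, req: Request) -> Tuple[str, Optional[str]]:
    """Top-down, first-match evaluation; returns (verdict, matching block name).

    Without the tenant header the loop is plain first-match over all blocks.
    With the header, blocks bound to other tenants are skipped (assumed model),
    so a user cannot reach another tenant's block even if it would match.
    """
    current_group = req.headers.get(TENANT_HEADER)
    for block in blocks:
        if current_group is not None and block.groups and current_group not in block.groups:
            continue  # multi-tenancy branch: only reachable when the header is set
        if _block_matches(block, req):
            return ("ALLOW" if block.allow else "FORBID", block.name)
    return ("FORBID", None)  # implicit default deny: no block matched


# Constructed sample ACL: an admin block with no tenant binding, and two
# per-tenant read-only blocks for the same user.
SAMPLE_BLOCKS = [
    Block("admins-all", users={"admin"}, actions={"read", "write"}, indices={"*"}),
    Block("tenantA-readers", users={"alice"}, actions={"read"}, indices={"logs-a"}, groups={"tenantA"}),
    Block("tenantB-readers", users={"alice"}, actions={"read"}, indices={"logs-b"}, groups={"tenantB"}),
]


if __name__ == "__main__":
    # No header: classic first-match, alice reaches either tenant block.
    print(evaluate(SAMPLE_BLOCKS, Request("alice", "read", "logs-b")))
    # Header set to tenantA: the tenantB block is skipped, default deny applies.
    print(evaluate(SAMPLE_BLOCKS, Request("alice", "read", "logs-b", {TENANT_HEADER: "tenantA"})))
```

The point to check is the first call: with no header, the loop never consults `groups`, so the evaluation is exactly the pre-existing first-match ACL, which is the property the post relies on for ROR PRO.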