Thank you very much! This has worked. 

This does work, but it isn't very scalable. For example, in Continuous Authorization and Monitoring, there are four OOB table.none write ACLs for the different OOB CAM roles. All but the admin role have a script condition requiring the logged in user to be inserted into the respective user reference field on the record to be edited to allow the "lower" CAM roles to satisfy the ACL (ex logged in user must be inserted into the system_owner field on the Authorization Boundary record for the ACL with the cam.sys_owner as the role requirement to be satisfied). Is there not a solution that would have less technical debt than creating a table.* ACL that incorporates all of these different script conditions for each role? Also, if new roles are created to be used on this table, the table.* ACL would have to be updated every time a new role is to be given write permission (or simply the ability to attach something to the record). 

I was trying to solve the problem of how to allow an itil role user the ability to add attachments to a application table, but it took a while to wrap my head around the answer above as it wasn't clear to me. I was thinking it might need an ACL on the sys_attachments table in relation to the sn_bcp_plan table. But once I figured it out your answer made sense.

1, Create the ACL rule on the sn_bcp_plan table with (none) with only role "itil" - this allows anyone with itil role to now add attachments to a record on the sn_bcp_plan table. (I also used a filter to limit the state as well). However, this now also allows the itil user to update fields that are otherwise not locked down via other ACLs. So you need the 2nd ACL

2. Create the ACL rule on the sn_bcp_plan table with * for all the other non-itil roles that need write access to be able to update fields on this record. This "denies" the itil role user write access as the field level ACL resolution comes after the table level ACL