Thanks for your suggestion. It makes sense you would want your test User to have the least level of access possible when testing ACLs, which in my case would be a user that has no roles. I also see why it would be important to have both write and read access control rules, even though right now I'm only concerned with who can update what.