Confused about the ACLs

sailesh1
Tera Contributor

Hi,

I have a question on ACLs

What is the basic difference between the below two ACLs

<sys_table>.(none)

<sys_table>.* (asterisk)

Consider the operation is "write"

Please help if you can

Thanks

Sailesh

1 ACCEPTED SOLUTION

Chris Sanford1
Kilo Guru

Hi Sailesh

The <sys_table>.(none) is a row level ACL, whereas the <sys_table>.* is a wildcard field level ACL. ACLs are evaluated row level first, checking most specific to least specific, then field level, checking most specific to least specific.

So, if any row levels exist, at least one must evaluate to true, or else the user cannot write to any field on the table, and it will check for row levels at the root table first, then each parent table. If no row levels exist, the default is true (has access).

If row level passes, and if any field levels exist for a particular field, at least one must evaluate to true, or else the user cannot write to that field. This is checked at the root table first, then each parent table. If no field levels exist for a particular field but a wildcard exists, at least one <sys_table>.* must evaluate to true or else the user cannot write to that field. Wildcards are checked at the root table first, then each parent table. If no field level or wildcard field level exists, the default is true (has access).

So for example say you have:

  • incident.none - returns false
  • incident.* - returns true

Then the user can't write to any field because row level returned false.

If you have

  • incident.none - returns true
  • incident.* - returns false
  • incident.number - returns true
  • task.priority

Then the user could write to number and priority but not the other fields that don't have a more specific field level ACL than '*'.

If you have

  • task.none - returns false
  • incident.* - returns true

User would still not be able to write to any field without an 'incident.none' that returns true, since row level supersedes field level, and lack of ACL at the root table means it will check parent tables.

A long-winded explanation I know, but I hope this helps you with all your ACL troubles!

 

 

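As an added illustration (this is not code from the post, and not ServiceNow's own ACL engine), here is a small JavaScript model of the evaluation order Chris describes, run against his three rule sets plus an empty one to show the default. The incident-extends-task hierarchy, the `allows(user)` predicates standing in for roles/conditions/scripts, the `itil` role and the result assumed for `task.priority` are all constructed for the example.

```javascript
// Constructed table hierarchy: incident extends task, task is the root.
const PARENT = { incident: 'task', task: null };

// A rule is keyed by table, field ('none' = row level, '*' = wildcard field
// level, anything else = a specific field) and operation. `allows(user)`
// stands in for the rule's roles, condition and script returning true/false.
function rule(table, field, op, allows) {
  return { table, field, op, allows };
}

// Yields the record's own table first, then each parent up the chain.
function* lineage(table) {
  for (let t = table; t; t = PARENT[t]) yield t;
}

// Find the most specific table (own table first, then parents) that has any
// rules for this (field, op). If one exists, at least one of its rules must
// allow the user. Returns true or false, or null when no table has a rule.
function evaluateLevel(rules, table, field, op, user) {
  for (const t of lineage(table)) {
    const matches = rules.filter(r => r.table === t && r.field === field && r.op === op);
    if (matches.length > 0) return matches.some(r => r.allows(user));
  }
  return null;
}

// Row level first, then field level; a level with no rules defaults to allow.
function canAccessField(rules, table, field, op, user) {
  const row = evaluateLevel(rules, table, 'none', op, user);
  if (row === false) return false;                 // row level denied
  const exact = evaluateLevel(rules, table, field, op, user);
  if (exact !== null) return exact;                // table.field / parent.field
  const wildcard = evaluateLevel(rules, table, '*', op, user);
  if (wildcard !== null) return wildcard;          // table.* / parent.*
  return true;                                     // no field rule anywhere
}

// Map each field to whether `user` may perform `op` on it for a record of `table`.
function writableFields(rules, table, fields, user, op = 'write') {
  return Object.fromEntries(fields.map(f => [f, canAccessField(rules, table, f, op, user)]));
}

const allow = () => true;
const deny = () => false;
const hasRole = role => user => user.roles.includes(role);
const user = { roles: ['itil'] };   // constructed user

// Scenario 1 from the answer: incident.none false, incident.* true.
const scenario1 = [
  rule('incident', 'none', 'write', deny),
  rule('incident', '*', 'write', allow),
];

// Scenario 2: incident.none true, incident.* false, incident.number true,
// task.priority (the answer gives no result for it; assumed to pass for itil).
const scenario2 = [
  rule('incident', 'none', 'write', allow),
  rule('incident', '*', 'write', deny),
  rule('incident', 'number', 'write', allow),
  rule('task', 'priority', 'write', hasRole('itil')),
];

// Scenario 3: task.none false, incident.* true, and no incident.none at all.
const scenario3 = [
  rule('task', 'none', 'write', deny),
  rule('incident', '*', 'write', allow),
];

// Scenario 4 (added): no rules, so row level and field level both default to allow.
const scenario4 = [];

const FIELDS = ['number', 'priority', 'short_description'];

for (const [name, rules] of Object.entries({ scenario1, scenario2, scenario3, scenario4 })) {
  console.log(name, writableFields(rules, 'incident', FIELDS, user));
}
```

Note how scenario 3 denies everything even though `incident.*` allows: `evaluateLevel` finds no `incident.none`, walks up to `task.none`, and that result is final before any field rule is consulted. A user without the `itil` role gets `priority: false` in scenario 2 because the specific `task.priority` rule is found first and the wildcard is never reached.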

2 REPLIES 2


 

 

Perfect Explanation!

Thank you very much Chris 🙂