When an object is created with the VIRTUAL option, the access control list for the new object will initially be a copy of the access control list for its containing directory. When an object is created with the PHYSICAL option, the access control list for the new object will contain the DEFAULT ACL and the SYSTEM ACL. In addition, for both options, one or more entries will be automatically added to the ACL granting its creator all rights. The authentication type or types of these entries will be appropriate for whatever the user used to authenticate himself or herself (either AUTHENT KERBEROS or ASRTHOST or TRSTHOST).
If the LPRIV option is specified for a directory, instead of this entry, only those rights needed to allow the creator to set up the directory (list, read, insert, and administer) will be added, and (if VIRTUAL was specified), only if the creator does not already have such rights through the ACL that was included from the parent directory.
If VIRTUAL was specified, the ACL for the new link will by default be empty, which means that the default rights for the directory will apply to the link.
After the ACL entries mentioned above are installed, the ACL entries specified as part of the CREATE-OBJECT command will be added to the front of the list.
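The rules above for a newly created object, written out as an added Python sketch (not code from the system this page documents). The Entry model, the right names beyond list, read, insert and administer, the placement of the creator entry at the end of the list, and the reading of LPRIV as "add only the rights still missing" are assumptions made for illustration; links are not modelled.

```python
from dataclasses import dataclass

# Assumed right names; the page names only list, read, insert and administer.
ALL_RIGHTS = frozenset({"list", "read", "insert", "administer", "modify", "delete"})
LPRIV_RIGHTS = frozenset({"list", "read", "insert", "administer"})

@dataclass(frozen=True)
class Entry:  # hypothetical model of one ACL entry
    acl_type: str   # e.g. "AUTHENT KERBEROS", "ASRTHOST", "TRSTHOST", "DEFAULT", "SYSTEM"
    principal: str
    rights: frozenset

def held(acl, acl_type, principal):
    """Rights the principal already holds through entries of this type."""
    found = set()
    for e in acl:
        if e.acl_type == acl_type and e.principal == principal:
            found |= e.rights
    return found

def initial_acl(option, creator, auth_types, parent_acl=(), requested=(),
                is_directory=False, lpriv=False):
    """Build the starting ACL for an object made with CREATE-OBJECT."""
    if option == "VIRTUAL":
        acl = list(parent_acl)              # copy of the containing directory's ACL
    elif option == "PHYSICAL":
        # Placeholders standing for the DEFAULT ACL and the SYSTEM ACL.
        acl = [Entry("DEFAULT", "", frozenset()), Entry("SYSTEM", "", frozenset())]
    else:
        raise ValueError("option must be VIRTUAL or PHYSICAL")
    for auth in auth_types:                 # one entry per authentication type used
        if lpriv and is_directory:
            need = set(LPRIV_RIGHTS)
            if option == "VIRTUAL":         # skip what the parent's ACL already grants
                need -= held(acl, auth, creator)
            if need:
                acl.append(Entry(auth, creator, frozenset(need)))
        else:
            acl.append(Entry(auth, creator, ALL_RIGHTS))
    # Entries given in the CREATE-OBJECT command go to the front of the list.
    return list(requested) + acl

if __name__ == "__main__":
    # Constructed sample: the creator already has list and read in the parent.
    parent = [Entry("ASRTHOST", "alice@hostA", frozenset({"list", "read"}))]
    for e in initial_acl("VIRTUAL", "alice@hostA", ["ASRTHOST"],
                         parent_acl=parent, is_directory=True, lpriv=True):
        print(e.acl_type, e.principal, sorted(e.rights))
```

Comparing the output with and without lpriv=True shows how much narrower the creator's automatic grant becomes on a directory.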