Why does a spring-security ACL have an identifier?

I'm trying to set up our custom version of spring-security but I can't quite understand why an ACL has an identifier that is even supposed to be a primary key if, as I understand it, an ACL itself is never persisted directly in any way but is rather a view on a subset of ACL_Entrys.

As far as I understand it, an ACL is an access control list. Meaning a list of SIDs having Permissions for OIDs. Right?

The underlying datastructure used by spring-security defines a开发者_如何学运维n SID and an OID (in combination with a Class identifier). Those two together with a permission and the granting flag are called an access control entry or ACE and get persisted inside the acl_entry entity.

Inside the application I ask spring-security(or rather my own implementations of their interfaces) to get me all permission settings for a set of OIDs and SIDs and the result is a list contrived of SID-OID-permission-granting entries (aces) and thus called access control list. Now really I don't see how or why any kind of id comes into play here.

Am I missing something importand?! Please help me understand!

Is it maybe that one SID has a number of OID+permission+granting entries and thus is owner of its ACL? Or one OID has its SIDs and their permissions assigned to grouped into one ACL?

Also: What's all this hierarchy and parent stuff supposed to do? I guess it has to do with my identifier question, but I don't really see how acls can ber hierarchycal, if an acl is just a temporary subset. And why would I want to have a hierarchy betweens acls anyway?

Edit:

Appearently the solution to half my question is: An ACL is identified via the OID's primary key as one ACL always shows how that Object can be accessed.

However I still wonder why I would need a hierarchy or an owner for that matter.