One ACL approach I tried to take once, but the product got dropped before I could see the problems was the following:
you had a file/object, and a list of permissions/security attributes for each object. Object could be a group of objects, but group depth was not a concern. Mutiple applications (controlled by us) could access the permissions, and make decisions based on what they found. If there was a permission that they didn't understand, access was not allowed. This was a situation where we could trust the apps, and not the people. We also took the approach that permissions were subtractive. Everything started as readable/writable and access could only be removed. The nice thing about this was that it was extendable.
This isn't relevant to Novell ACL's just trying to get people's thoughts.