ACL-enabled files and folders have a mask defined whose default permissions are the group permissions for the file or folder. The mask is the maximum allowable permissions granted to any user on all ACL entries and for Group basic permissions. It does not restrict Owner or Other basic permissions. For example, if a file's mask is read-only, then you cannot create an ACL with write or execute permission for a user without changing the mask value.
Use the mask as a quick way to limit permissions for users and groups.