For any resource that does not have it's own ACL, the WebAC authorization module will look in the parent container until it reaches the root resource. If there is no user-defined ACL for the root resource, then the repository will use a "backstop" ACL defined outside of the repository. The A default "backstop" ACL is included in the fcrepo webapp.
...