create-file-mode user,group,permission-bits mkdir-mode user,group,permission-bit
Any of the 3 supplied value may be replaced by a dash (-). In this case the value is taken from the call made by the client program. the default creation mode is -,-,-.
Those commands may be placed at 3 places in an ..acl file. They may be outside of any "file" directive. They represent the global default. They may be defined inside a file directive, but outside a context directive. They represent the default for a given file pattern. They may also be defined within a context directive, overriding any default.