Usually the visibility of a package interface is determined by its position within the package hierarchy. However, in special cases where use should be restricted, package interfaces can optionally specify access control lists to limit the range of packages that can access that interface.
The propagating interface, that is, the interface that propagates some or all of the objects, can define a new access control list. The original access control list of the propagated object is not taken into account for access through the propagated interface.
By this, the propagating interface is able to grant more legitimate permissions than the original interface because
In an access control list (ACL), only neighboring packages (that is, the superpackage, the subpackages and the sibling packages) can be specified. Further limitation of access to each package's particular subpackages is left up to the respective package itself, through its dependency control lists.
The respective interface can be made visible to the superpackage, to sibling packages, and to subpackages by specifying their names in the access control list. For sibling packages and subpackages, this also makes the interface visible to their direct and indirect subpackages. All root packages are treated as sibling packages. The ACL of a root package may contain references to non-existing root packages.
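The neighbor and subtree rules above can be checked mechanically. The following Python sketch is an added example, not code from the package tooling: it models only the two preceding paragraphs, and the package names, the PARENT table and the function names are constructed for illustration.

```python
# Simplified model of the ACL rules described above (illustrative only).
# Constructed hierarchy: child -> parent, None marks a root package.
PARENT = {
    "ROOT_A": None, "ROOT_B": None,
    "MAIN": "ROOT_A", "SIB": "ROOT_A", "SIB_SUB": "SIB",
    "SUB": "MAIN", "SUB_SUB": "SUB", "B_SUB": "ROOT_B",
}

def ancestors(pkg, parent=PARENT):
    """Yield pkg itself, then each superpackage up to the root."""
    while pkg is not None:
        yield pkg
        pkg = parent.get(pkg)

def neighbors(owner, parent=PARENT):
    """Superpackage, subpackages and siblings of owner (roots are siblings)."""
    sup = parent[owner]
    result = {p for p, q in parent.items() if q == owner}            # subpackages
    result |= {p for p, q in parent.items() if q == sup and p != owner}  # siblings
    if sup is not None:
        result.add(sup)
    return result

def validate_acl(owner, acl, parent=PARENT):
    """Return the ACL entries that may not be specified for this owner."""
    bad = [e for e in acl if e not in neighbors(owner, parent)]
    if parent[owner] is None:
        # Root package: names unknown to the hierarchy are tolerated, since
        # its ACL may reference non-existing root packages.
        bad = [e for e in bad if e in parent]
    return sorted(bad)

def acl_allows(client, owner, acl, parent=PARENT):
    """True if an ACL on an interface of owner makes it visible to client."""
    sup = parent[owner]
    for entry in acl:
        if entry == sup:
            if client == sup:      # superpackage entry covers that package only
                return True
        elif entry in ancestors(client, parent):
            return True            # sibling/subpackage entry covers its subtree
    return False
```

Note that naming the superpackage does not open the interface to the owner's siblings, even though they are subpackages of that superpackage; only sibling and subpackage entries extend to a subtree.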
A compatibility mode with the following semantics can be activated for access control: