If we create a new ACL, set ourselves as the owner, create the first ACE assigning some permission to some SID, and try to change the auditing flags on the ACE, the request fails in AclAuthorizationStrategyImpl#securityCheck:

https://github.com/spring-projects/spring-security/blob/f30cc9c5a94ce408f971f8822568dcf2d25c2ed6/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java#L100-L105

Apparently ownership is enough to give away ownership to another SID or to add, update, and delete ACEs, but it is not enough to update the auditing flags on existing ACEs.

To work around this we must make our first ACE one which gives the administration permission to the owner; securityCheck will then accept our attempts to update the auditing flags on subsequent ACEs.

Is this intentional? If so, why? If not, can securityCheck be changed so that ACL ownership is good enough for auditing changes too?
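An in-memory reproduction of the report and its workaround, added here as an example (not part of the original post or the Spring Security code base). It assumes spring-security-acl and spring-security-core on the classpath; the principal names `alice` and `bob`, the authority `ROLE_ACL_ADMIN`, and the object identity `sample.Document`/`1` are constructed sample values.

```java
import java.util.ArrayList;
import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class OwnerAuditingCheck {

    // Builds an in-memory ACL owned by `owner`; no database or AclService involved.
    static AclImpl newAcl(Sid owner) {
        AclAuthorizationStrategy strategy =
                new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ACL_ADMIN"));
        return new AclImpl(new ObjectIdentityImpl("sample.Document", 1L), 1L, strategy,
                new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()),
                null, new ArrayList<>(), true, owner);
    }

    // True if the current principal is allowed to change the auditing flags of the ACE at `index`.
    static boolean canUpdateAuditing(AclImpl acl, int index) {
        try {
            acl.updateAuditing(index, true, true); // goes through securityCheck(acl, CHANGE_AUDITING)
            return true;
        } catch (RuntimeException rejected) {     // the security check refused the change
            return false;
        }
    }

    public static void main(String[] args) {
        // Authenticated owner who does NOT hold the ACL admin authority.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));
        Sid alice = new PrincipalSid("alice");
        Sid bob = new PrincipalSid("bob");

        // Case from the report: owner adds an ACE, then tries to change its auditing flags.
        AclImpl ownerOnly = newAcl(alice);
        ownerOnly.insertAce(0, BasePermission.READ, bob, true);
        System.out.println("owner only: " + canUpdateAuditing(ownerOnly, 0));

        // Workaround from the report: first ACE grants ADMINISTRATION to the owner.
        AclImpl workaround = newAcl(alice);
        workaround.insertAce(0, BasePermission.ADMINISTRATION, alice, true);
        workaround.insertAce(1, BasePermission.READ, bob, true);
        System.out.println("owner + ADMINISTRATION ACE: " + canUpdateAuditing(workaround, 1));
    }
}
```

Both `insertAce` calls succeed on ownership alone, which is the asymmetry the report asks about: only the `updateAuditing` path depends on the extra ADMINISTRATION entry.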