type: 1 specifies that the target is an Account, and target: "000000000000000000000003" is the system identifier for any user in the org. So this ACL specifies that any authenticated user can create instances of this object.
type: 4 specifies that the target is the instance Owner, and allow: 7 specifies that the Owner is granted Delete access.
allow is not provided in the definition since create access is already implied.
type: 5 specifies that the target is an access level. This means that a user with an access level of 7 (Delete) to the instance can grant up to access level 6 (Update) to another user via a connection.
type: 4 specifies that the target is the instance owner and that the owner can grant the provider role (role _id "000000000000000000000005") via a connection. This means that any defaultAcl defined for the provider role in the object definition will be granted to the connected user for that object instance, even though they may not have the provider role assigned to their user account.
type: 3 specifies that the target is a role. We've created some custom roles of Manager (role _id "5532e499540b0183799b4ee5") and Reporter (role _id "58e96eb0105ddf010067046b"). In the share ACL rule, we are specifying that the Manager role can grant the Reporter role to another user for an object instance via a connection.
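
The three share ACL rules above can be checked together with a small evaluator that answers "what may this user hand out through a connection?". This is an added example, not the platform's own code: the { type, target, allow } rule layout, the sharer object and the function names are assumptions made for illustration.

```javascript
// Simplified model of the share ACL rules described above (not the platform's code).
// Assumption: each rule is { type, target, allow }, laid out as the text describes.
const TARGET = { ROLE: 3, OWNER: 4, ACCESS_LEVEL: 5 };
const ACCESS = { UPDATE: 6, DELETE: 7 };
const PROVIDER = "000000000000000000000005";
const MANAGER = "5532e499540b0183799b4ee5";
const REPORTER = "58e96eb0105ddf010067046b";

// Constructed share ACL combining the three rules the text walks through.
const shareAcl = [
  { type: TARGET.ACCESS_LEVEL, target: ACCESS.DELETE, allow: ACCESS.UPDATE },
  { type: TARGET.OWNER, allow: PROVIDER },
  { type: TARGET.ROLE, target: MANAGER, allow: REPORTER },
];

// Does a rule apply to the user creating the connection?
function ruleMatches(rule, sharer) {
  switch (rule.type) {
    case TARGET.ACCESS_LEVEL: return sharer.access >= rule.target; // assumption: "at least"
    case TARGET.OWNER: return sharer.isOwner === true;
    case TARGET.ROLE: return sharer.roles.includes(rule.target);
    default: return false; // unknown target types grant nothing
  }
}

// Returns what the sharer may hand out: highest access level and grantable roles.
function grantable(acl, sharer) {
  const result = { maxAccess: 0, roles: [] };
  for (const rule of acl) {
    if (!ruleMatches(rule, sharer)) continue;
    if (typeof rule.allow === "number") {
      result.maxAccess = Math.max(result.maxAccess, rule.allow);
    } else if (!result.roles.includes(rule.allow)) {
      result.roles.push(rule.allow);
    }
  }
  return result;
}

// A share request is permitted only if it stays within what the rules allow.
function canGrant(acl, sharer, request) {
  const g = grantable(acl, sharer);
  if (request.access !== undefined && request.access > g.maxAccess) return false;
  if (request.role !== undefined && !g.roles.includes(request.role)) return false;
  return true;
}
```

Running every proposed share ACL through a check like this before deployment shows whether a rule lets a user grant more than intended, for example a role whose defaultAcl exceeds the sharer's own access.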