When using the acl_method overwrite you must supply user, group, all ( aka other ), and mask for a complete ACL specification.

 1 2 3 4 5 6 7 8 9101112131415161718192021222324
  bundle agent main
  {
    vars:
      "acl" slist => {
                       "user:*:rwx", # System owner should have read write and execute access
                       "group:*:rw", # System group should have read and write access but not execute
                       "all:r", # All other users should have read access
                       "mask:rwx", # The mask should be read write and execute
                       "user:nickanderson:r", # The user nickanderson should explicitly have read access
                       "user:a10042:---", # The user a10042 should explicitly have no access
                     };

    files:

      "/tmp/acl/dir"
        acl => posix_acl_default_access( "overwrite", @(acl) );
  }
  body acl posix_acl_default_access( method, rules )
  {
      acl_method => "$(method)";
      acl_type => "posix";
      acl_default => "access";
      aces => { @(acl) };
  }

We can use getfacl to inspect the permissions are as desired.

1
  getfacl /tmp/acl/dir                                                

# file: tmp/acl/dir
# owner: nickanderson
# group: nickanderson
user::rwx
user:nickanderson:r--
user:a10042:---
group::rw-
mask::rwx
other::r--
default:user::rwx
default:user:nickanderson:r--
default:user:a10042:---
default:group::rw-
default:mask::rwx
default:other::r--