[eluser]Neophyte[/eluser]
As the ACL assumes it should deny access unless it finds a link set to allow, I could have implemented it without the allow field in both the khacl_access and khacl_access_actions tables, then, when a deny command was issued for either an ACO or an AXO, simply deleted the relevant records. However, I wanted to be able to explicitly deny an ARO access to an ACO or AXO without it being assumed.
An example of where this might come in handy is in a user management system, so you can see a list of users (ARO); upon clicking on a user you can see a list of all the areas (ACO) the user is and is not allowed access to, along with a pool of areas for which no link exists. The same goes for when you click one of those areas to bring up a list of actions.
In short, it was my personal preference.
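
The three states described in the post above (explicit allow, explicit deny, no link), as an added example that is not part of the original post or of KhACL's own code. The tables `aros`, `acos` and `access` and their columns are simplified stand-ins assumed for illustration, not the library's real schema, and the rows are constructed sample data.

```python
import sqlite3

# Simplified stand-in schema (assumed, not KhACL's real tables): one row per
# ARO/ACO link, with allow = 1 (explicit allow) or 0 (explicit deny).
SCHEMA = """
CREATE TABLE aros (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE acos (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE access (
    aro_id INTEGER NOT NULL REFERENCES aros(id),
    aco_id INTEGER NOT NULL REFERENCES acos(id),
    allow  INTEGER NOT NULL CHECK (allow IN (0, 1)),
    PRIMARY KEY (aro_id, aco_id)
);
"""

def build_sample_db():
    """Constructed sample data: one user, three areas, two links."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO aros (id, name) VALUES (1, 'alice')")
    db.executemany("INSERT INTO acos (id, name) VALUES (?, ?)",
                   [(1, "reports"), (2, "billing"), (3, "admin")])
    db.executemany("INSERT INTO access VALUES (?, ?, ?)",
                   [(1, 1, 1),   # explicit allow
                    (1, 2, 0)])  # explicit deny; 'admin' has no link at all
    return db

def areas_for(db, aro_name):
    """Group every ACO into allowed / denied / unlinked for one ARO."""
    rows = db.execute("""
        SELECT acos.name, access.allow
        FROM acos
        JOIN aros ON aros.name = ?
        LEFT JOIN access ON access.aco_id = acos.id AND access.aro_id = aros.id
        ORDER BY acos.name""", (aro_name,)).fetchall()
    groups = {"allowed": [], "denied": [], "unlinked": []}
    for name, allow in rows:
        # A NULL from the LEFT JOIN means no link row exists for this pair.
        key = "unlinked" if allow is None else ("allowed" if allow else "denied")
        groups[key].append(name)
    return groups

def is_allowed(db, aro_name, aco_name):
    """Enforcement view: anything other than an explicit allow is a deny."""
    return aco_name in areas_for(db, aro_name)["allowed"]
```

For enforcement, "denied" and "unlinked" give the same answer; the stored deny only matters to the management view, which can then tell a deliberate decision from a missing link.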