09-21-2016 03:28 PM
Hi,
public-services-security-context.xml has the method-level security definition. For example,
org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm:ownable.TakeOwnership
Question 1 - what does "ACL_ITEM.0.cm:ownable.TakeOwnership" mean?
Question 2 - If I want to grant permission to members of a custom group, can I just append it like below?
org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.WriteProperties,ACL_ITEM.0.cm:ownable.TakeOwnership,ACL_METHOD.GROUP_MY_COMPANY_ACCOUNTING
Thanks.
09-21-2016 03:43 PM
The public-services-security-context.xml file is NOT where you grant permissions to anyone. This defines the service level checks that will be performed for ANY invocation on ANY node / item passed as a parameter. The way you have outlined in your 2nd question actually RESTRICTS the operation to only members of the GROUP_MY_COMPANY_ACCOUNT. No one else would be allowed to add an aspect to a node, which would effectively break your Alfresco system (virtually everything has something to do with aspects under the hood).
As to your 1st question: ACL_ITEM is a special variant of ACL_NODE. This operation requires that a method has a very specific signature (composed of NodeRef and Map or QName). Additionally, it will only pass judgement if the operation is used to change the owner. If no owner change is attempted, the check will abstain (yield neither a positive nor negative permission check result).
As a general rule, you should (almost) NEVER change anything permission related in *-context.xml files. You can define NEW permissions via a permissionDefinitions.xml that is referenced from a *-context.xml, but that is not a very common use case. Granting permission is almost ALWAYS done exclusively via the Share UI, Java or JavaScript APIs (PermissionService or ScriptNode.setPermission).
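The behaviour described in the answer above, as an added example that is not part of the original posts and is not Alfresco's code: a simplified Python model in which every entry of a method security definition votes and a single denial blocks the call. The function names, the caller dictionaries and the reduction of permission checks to set membership are assumptions of this model.

```python
# Simplified model (an assumption, not Alfresco source) of how the entries of
# a method security definition are evaluated for one invocation.
GRANTED, DENIED, ABSTAIN = "granted", "denied", "abstain"

def parse_definition(definition):
    """Split 'ACL_NODE.0.sys:base.WriteProperties,...' into entry dicts."""
    entries = []
    for raw in definition.split(","):
        kind, _, rest = raw.strip().partition(".")
        if kind == "ACL_METHOD":
            entries.append({"kind": kind, "authority": rest})
        elif kind in ("ACL_NODE", "ACL_ITEM"):
            index, _, permission = rest.partition(".")
            entries.append({"kind": kind, "param": int(index), "permission": permission})
        else:
            raise ValueError("entry type not modelled: " + raw)
    return entries

def vote(entry, caller, changes_owner):
    """One entry's verdict for a caller (hypothetical dict of authorities/permissions)."""
    if entry["kind"] == "ACL_METHOD":
        # Membership test only: it never adds a permission on the node.
        return GRANTED if entry["authority"] in caller["authorities"] else DENIED
    if entry["kind"] == "ACL_ITEM" and not changes_owner:
        return ABSTAIN  # no owner change attempted, so no verdict either way
    return GRANTED if entry["permission"] in caller["node_permissions"] else DENIED

def is_allowed(definition, caller, changes_owner=False):
    """The call proceeds only if no entry denies; abstentions do not block."""
    votes = [vote(e, caller, changes_owner) for e in parse_definition(definition)]
    return DENIED not in votes

# Constructed sample data: the definition from the question and two callers.
ORIGINAL = ("ACL_NODE.0.sys:base.WriteProperties,"
            "ACL_ITEM.0.cm:ownable.TakeOwnership")
MODIFIED = ORIGINAL + ",ACL_METHOD.GROUP_MY_COMPANY_ACCOUNTING"
WRITER = {"authorities": {"GROUP_EVERYONE"},
          "node_permissions": {"sys:base.WriteProperties"}}
ACCOUNTANT = {"authorities": {"GROUP_EVERYONE", "GROUP_MY_COMPANY_ACCOUNTING"},
              "node_permissions": {"sys:base.WriteProperties"}}

if __name__ == "__main__":
    for name, caller in (("writer", WRITER), ("accountant", ACCOUNTANT)):
        print(name, is_allowed(ORIGINAL, caller), is_allowed(MODIFIED, caller))
```

In this model the appended ACL_METHOD entry locks out every caller outside the group, and a group member who lacks WriteProperties on the node is still denied.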