Thanks for your reply. I am not sure if I understand it right. Lets say the ACL I get from the mentioned API call contains an ACE that only has the permission "cms:write", but not "cms:read" and not "cms:all". Can I be sure that in this case the principal has NO right to read the document?
That would mean that for example there is a permission group configured in Alfresco like you mentioned, but because the API call does the mapping to the basic cmis permissions for me (because the second argument is "true"), I dont have to deal with that.
If that is not the case I wonder how I could figure out with CMIS which users or groups have read permissions.