Implementations described and claimed herein provide systems and methods for dynamically masking an access control list corresponding to a file system object in response to a change mode command. In one implementation, a change mode command for a file system object to change a first mode to a second mode is received. The first mode defines a first set of access rights and the second mode defines a second set of access rights. In response to the change mode command, a mask is dynamically applied to an access control list corresponding to the file system object. The access control list has zero or more access control entries defining access permissions for the file system object. The mask modifies any of the zero or more access control entries that have access permissions that exceed the second set of access rights defined by the second mode. The access control list is preserved.