diff --git a/lib/models/acl.js b/lib/models/acl.js
index 46f4e19d..4e4a161c 100644
--- a/lib/models/acl.js
+++ b/lib/models/acl.js
@@ -406,6 +406,9 @@ ACL.checkAccess = function (context, callback) {
 return;
 }
 var resolved = self.resolvePermission(effectiveACLs, req);
+ if(resolved && resolved.permission === ACL.DEFAULT) {
+ resolved.permission = (model && model.settings.defaultPermission) || ACL.ALLOW;
+ }
 debug('checkAccess() returns: %j', resolved);
 callback && callback(null, resolved);
 });
diff --git a/test/acl.test.js b/test/acl.test.js
index a7dd15ee..76449d5f 100644
--- a/test/acl.test.js
+++ b/test/acl.test.js
@@ -213,7 +213,8 @@ describe('security ACLs', function () {
 }, {
 acls: [
 {principalType: ACL.USER, principalId: userId, accessType: ACL.ALL, permission: ACL.ALLOW}
- ]
+ ],
+ defaultPermission: 'DENY'
 });
 ACL.create({principalType: ACL.USER, principalId: userId, model: 'Customer', property: ACL.ALL,
@@ -243,6 +244,18 @@ describe('security ACLs', function () {
 }, function(err, access) {
 assert(!err && access.permission === ACL.ALLOW);
 });
+
+ ACL.checkAccess({
+ principals: [
+ {type: ACL.ROLE, id: Role.EVERYONE}
+ ],
+ model: 'Customer',
+ property: 'name',
+ accessType: ACL.READ
+ }, function(err, access) {
+ assert(!err && access.permission === ACL.DENY);
+ });
+
 });
 });
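Review bot: The added fallback in checkAccess turns an unresolved (DEFAULT) permission into ALLOW whenever the model has no `defaultPermission`, which is a fail-open choice for an access-control path and deserves an explicit comment such as `// No model-level defaultPermission configured: unresolved ACLs fall through to ALLOW (fail-open); set settings.defaultPermission = ACL.DENY on sensitive models`. The guard `model && model.settings.defaultPermission` also throws a TypeError if `model` is present but has no `settings` object, and nothing checks that the configured value is one of the recognised permission constants (the test passes the raw string `'DENY'`), so a typo in the model definition silently produces a permission the rest of the code may not understand; a safer form is `var settings = (model && model.settings) || {};` followed by `resolved.permission = settings.defaultPermission || ACL.ALLOW;`, ideally with a validation step against the known ACL permission constants. Note too that the new lines mutate the object returned by resolvePermission in place, which is only safe if that object is freshly built per call rather than shared or cached; this is not visible from the hunk and should be confirmed. The enclosing ACL.checkAccess function, including where `model` is bound, starts before this hunk.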
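Review bot: The new checkAccess call in the test asserts inside an asynchronous callback without signalling completion to the test runner, so if the callback fires after the test function returns the assertion failure is not attributed to this test, and if it never fires the test passes vacuously; the same applies to the existing ALLOW assertion just above it. If the surrounding `it` accepts a `done` argument (its header is outside this hunk), the last callback should end with `done();`, or both checkAccess calls should be chained so the second runs inside the first's callback and then calls `done()`. The model setting is also written as the string literal `'DENY'` in the earlier hunk while the expectation compares against `ACL.DENY`; using `defaultPermission: ACL.DENY` keeps the test tied to the constant the implementation actually compares.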