HTTP Event Order -- Access Policy Manager

In my testing on v11.4.1 HF3 it seems even without any ACL assigned always an "ACCESS_ACL_ALLOWED" is fired. This would mean the decision step "ACL defined" does not seem to exist. I checked this with logging like the following: when ACCESS_ACL_ALLOWED { log local0.info "Event fired in session [ACCESS::session sid] on URI [HTTP::uri], ACLs assigned: [ACCESS::acl lookup ] ACL matched: [ACCESS::acl matched]" } when ACCESS_ACL_DENIED { log local0.info "Event fired in session [ACCESS::session sid] on URI [HTTP::uri], ACLs assigned: [ACCESS::acl lookup ] ACL matched: [ACCESS::acl matched]" }