Add an ACL template "authenticated" which permits access to any authenticated user, which seems like it would be a reasonable use case.
Adds ROLE_USER as a default system role for any authenticated user (in addition to ROLE_USER_userid), so the authenticated ACL template gives read access to ROLE_USER.