Environment (aka Domain) is not using a Security Settings document and an Organizational or Explict Policy document to set ACL (and never have). However, they don't seem to be running "open" with the Default workstation ECL settings where users can update themselves either. In effect, the user is locked out of an application and cannot trust the app to do something (e.g. save, send memo, access profile, delete, etc.).
Before policies, admins could create ECL settings in the Domino Directory. When new users were set up, the settings would be used, but they are static, not refreshed when hitting the home server. To get new improved settings, the user has to hit a Refresh button (Refresh All, in IBM Lotus Notes 8.x).
To get to the ECL Refresh button:
1. File --> Security --> User Security
2. Enter password if prompted. If not, continue/skip to step 3.
3. In the User Security window, select the What Others Do option on the left.
(Note: In Lotus Notes R5, the option is its technical name Execution Control List.)
4. Click the Refresh All button to pull down the current list from the Domino Directory.
5. Click OK to save and close, and click Yes/Save again in the confirmation dialog if prompted to confirm to save the ECL updates.