Hello All
How do we enable a user to modify ACLs (add new, remove existing)?
As an admin, I can make a call to folder.addAcl() and assign new permissions for principals. But how can I enable other selected users to achieve the same thing? Would I need to put a user into a group and then assign it some capabilities that would enable them to assign ACLs?
Thanks
Krzysztof
A user needs to have the ChangePermissions privilege / permission on the document (or inherited from the parent folder) to be able to manage the ACL.
Is there a way to set it outside of Share?
You mean out-of-the-box? There isn't even a way to set this privilege in Share without some minor customisation. But as long as you have a tool / client that can call a ReST API, you could use either ReST v1 API or custom web scripts to set this privilege.
Thanks for the reply.
Do you mind telling me which public ReST API I can use to set permissions?
A PUT to the /nodes/{nodeId} v1 ReST endpoint allows you to set permissions.
Thanks for pointing me to this endpoint. I am able to add new permissions with it now.
However, overwriting the existing inherited permissions doesn't work. Inherited permissions are: GROUP_EVERYONE, Consumer, ALLOWED. I would like to remove it or overwrite it with GROUP_EVERYONE, Consumer, DENIED.
I end up having them both set, and since ALLOWED is first on the list, it is applied first.
Is there a way to remove ALLOWED or overwrite it?
The order of the permissions does not matter. If there is a DENIED set on a level in addition to an inherited ALLOWED, the DENIED has precedence.
The only way to remove inherited ALLOWED is to disable the inheritance on that folder altogether.
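Added example, not part of any post in this thread: a Python sketch that prepares the PUT to /nodes/{nodeId} for a local DENIED or for disabling inheritance, and checks a node's permissions for inherited ALLOWED entries that no local DENIED covers. The `permissions` field names (`locallySet`, `inherited`, `isInheritanceEnabled`, `authorityId`, `name`, `accessStatus`) are those of the v1 ReST API and are not shown in the thread; the host, node id and credentials are placeholders, and nothing is sent over the network.

```python
import json
import urllib.request

# Placeholder host (assumption); the path is the public v1 API prefix of a default install.
API_BASE = "https://alfresco.example.invalid/alfresco/api/-default-/public/alfresco/versions/1"


def permissions_body(locally_set, inheritance_enabled=None):
    """Build the JSON body for PUT /nodes/{nodeId} that sets node permissions."""
    entries = []
    for authority, role, status in locally_set:
        if status not in ("ALLOWED", "DENIED"):
            raise ValueError(f"bad accessStatus: {status!r}")
        entries.append({"authorityId": authority, "name": role, "accessStatus": status})
    perms = {"locallySet": entries}
    if inheritance_enabled is not None:
        perms["isInheritanceEnabled"] = inheritance_enabled
    return {"permissions": perms}


def build_put(node_id, body, auth_header):
    """Return the prepared (unsent) PUT request for the node."""
    return urllib.request.Request(
        f"{API_BASE}/nodes/{node_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": auth_header},
    )


def unshadowed_inherited_allows(permissions):
    """List inherited ALLOWED entries that no local DENIED covers.

    Uses only the rule from the reply above: a local DENIED takes precedence
    over an inherited ALLOWED, and disabling inheritance drops inherited entries.
    """
    if not permissions.get("isInheritanceEnabled", True):
        return []
    denied = {(e["authorityId"], e["name"])
              for e in permissions.get("locallySet", []) if e["accessStatus"] == "DENIED"}
    return [e for e in permissions.get("inherited", [])
            if e["accessStatus"] == "ALLOWED" and (e["authorityId"], e["name"]) not in denied]


# Constructed sample of a node's "permissions" object, matching the thread's case.
SAMPLE = {
    "isInheritanceEnabled": True,
    "inherited": [{"authorityId": "GROUP_EVERYONE", "name": "Consumer", "accessStatus": "ALLOWED"}],
    "locallySet": [],
}
```

Running `unshadowed_inherited_allows` on the `permissions` object before and after a change shows whether the inherited GROUP_EVERYONE entry is still in effect on that folder.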
I see.
What's the precedence in the reverse situation? I.e. when DENIED is inherited and you want to enable a group to documents in a child folder only?
And what happens when a user is in GROUP_EVERYONE with DENIED and also in another group with "Write" ALLOWED?
Would the GROUP_EVERYONE rule overwrite the 2nd group's write access? Can a user be in two different groups, one of which allows him access and the other denying him access?