Auth->allowedActions vs Auth->allow()
Use $this->Acl->allow() – documented at http://book.cakephp.org/view/1550/Setting-up-permissions – to set up the ACROs access. You can do this on a controller basis, and also on a controller/action basis.
$this->Auth->allowedActions is an array of allowed actions. Auth->allow() alters the $this->Auth->allowedActions array. If you want to be absolutely sure, in any controller, that only certain actions will be allowed, then define the array. Otherwise Auth->allow() will ADD to the existing array that may already contain values.