An object may have an Access Control List (ACL) associated with it.
ACLs determine what rights (Read/Write/Delete/Change perms) users have
on objects. Each object's ACL contains one or more Access Control
Entries (ACEs). An ACE identifies a trustee (a user or group), a set
of rights, and whether those rights are allowed or denied the trustee
on that object. In addition to the ACL explicitly set on an object,
rights may be inherited from parent objects' ACLs, as mentioned above.