The effective rights a specific user has on an object - what the
user can actually do with the object - are determined by examining
ACEs in a specific order. The first ACE that matches both the user
and the desired access right determines whether the user has that
right on the object. An ACE matches the user if it specifies the user
or any group the user is directly or indirectly a member of. An ACE
matches the desired right if the right is listed in the ACE.
ACEs are examined in the following order:
ACEs explicitly set on the object
ACEs explicitly set on the object's parent
ACEs explicitly set on the object's further ancestors,
nearest ancestor first
At each object, ACEs are checked in ACL order (the order displayed
for an object on the Access Control page). Order can be changed among
multiple ACEs on the same object by using the up arrow and
down arrow buttons next to the ACEs.
If no matching ACE is found after all levels are examined (back to the
root or Global ACE), access is allowed by default (this is for
back-compatibility with non-ACL mode).