September 2004
Intermediate to advanced
408 pages
7h 25m
English
Security based on access control lists (ACLs) focuses more on objects than on users (as opposed to role-based security, discussed in Item 38). The idea in an ACL-based system is that each object will have its own access control policy represented by a list of permissions stored in an ACL (Item 43). Whereas a role-based system might control whether a user in a particular role may access a set of objects in a certain way, an ACL-based approach allows each individual object to control which users can touch it and in what ways. An object typically grants permissions to groups (Item 20), and an ACL-based access check requires comparing the requesting user's groups to the permissions granted in the object's ACL. ...
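The access check described above, sketched as an added example that is not taken from the book: each object carries its own ACL of group grants, and the check compares the requesting user's groups against it. The names `Right`, `SecuredObject` and `access_check`, the objects and the group memberships are all constructed for illustration, and the sketch assumes rights granted through different groups accumulate.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()


@dataclass
class SecuredObject:
    name: str
    # The object's own policy: group name -> rights granted to that group.
    acl: dict = field(default_factory=dict)

    def grant(self, group, rights):
        self.acl[group] = self.acl.get(group, Right.NONE) | rights


def access_check(user_groups, obj, desired):
    """True only if the user's groups together grant every desired right."""
    granted = Right.NONE
    for group in user_groups:
        # Assumption of this sketch: grants from all matching groups add up.
        granted |= obj.acl.get(group, Right.NONE)
    # An empty request is refused rather than treated as trivially allowed.
    return desired != Right.NONE and (granted & desired) == desired


# Constructed sample data: two objects, each with a different ACL.
payroll = SecuredObject("payroll.xls")
payroll.grant("Finance", Right.READ | Right.WRITE)
payroll.grant("Auditors", Right.READ)

handbook = SecuredObject("handbook.doc")
handbook.grant("Employees", Right.READ)
handbook.grant("HR", Right.WRITE | Right.DELETE)

alice = {"Employees", "Auditors"}
bob = {"Employees", "HR"}

if __name__ == "__main__":
    for user, groups in (("alice", alice), ("bob", bob)):
        for obj in (payroll, handbook):
            for want in (Right.READ, Right.READ | Right.WRITE):
                print(user, obj.name, want, access_check(groups, obj, want))
```

The same user gets different answers on different objects because the decision lives in each object's ACL, not in a role assigned to the user.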