The authorization service grants capabilities to principals. Protected objects in the environment have access control lists (ACLs). Before access is granted to a protected object, the principal's capability is compared to the ACL and the associated permission is granted or denied.
ACL actions include create, modify, delete, and validate.