Page "Access control" Paragraph 104

Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists ( ACLs ).

In a capability-based model, holding an unforgettable reference or capability to an object provides access to the object ( roughly analogous to how possession of your house key grants you access to your house ); access is conveyed to another party by transmitting such a capability over a secure channel.

In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object ( roughly analogous to how a bouncer at a private party would check your ID to see if your name is on the guest list ); access is conveyed by editing the list.

( Different ACL systems have a variety of different conventions regarding who or what is responsible for editing the list and how it is edited.