Every user is allowed to define individual global or private groups of users. Global groups can also be used for administration by other users, private groups are unusable for those. In a simple scenario, one user could administrate a set of global groups for all others.
However, it is also possible to e.g. setup workgroups, where the group leader defines all group memberships, but a system wide security officer assigns all necessary access rights for this group.
If there is no ACL entry for a subject at an object, the object parent's ACL entries are used, but filtered through the object's inheritance mask. On top of all object trees, there is a default ACL for each target type. The whole inheritance scheme is similar to that of a well known traditional PC network system.
For administration, there are three special access rights: Access Control allows to grant or revoke all standard rights, Forward allows to forward the standard rights you have to others, and Supervisor allows everything. In default kernel config, the Supervisor right can never be masked out.
Like in RC model, to allow control of requests with target NONE, those requests are checked against the SCD target 'other'.
The ACL model is recommended in those cases, where the RC model role or type abstraction is not sufficient to cover all necessary access control settings. However, it is much more difficult to keep the overview of a complex ACL setup than of an RC setup.