Permissions and authorization of users or processes are defined according to the policies of the business. An access control policy specifies a set of rules that describe the ways in which a client can access a server.
Access control matrix: An access control matrix is a simple method for storing access control information. It is a table in which each row represents a subject (user), each column represents an object (for example, a file or a record), and each entry is the set of access rights that subject has to that object. In general the access control matrix will be sparse, because most users will not have access rights to most objects. Every subject is nevertheless mapped to every object, as a (subject, object, rights) entry.
This approach can provide very fine-grained security control. The problem is that the more fine-grained the control becomes, the more entries are required in the table. In a big system the table can quickly become very large, difficult to manage and slow to search.
Access control list: A different approach is to use capabilities and access control lists. The first method is to specify only the objects that a user may access. This approach is called a capability. It can be seen as a token giving the possessor certain rights to an object. The capability can be stored with the subject.
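As an added example (not part of the original text), the Python sketch below stores the access control matrix sparsely, keeping only non-empty cells, and derives a per-subject capability list from it. The subject names, object names and rights are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data: subjects, objects and rights are illustrative only.
SUBJECTS = ["alice", "bob", "carol"]
OBJECTS = ["payroll.db", "report.txt", "audit.log", "backup.tar"]

# Sparse access control matrix: only non-empty (subject, object) cells are kept.
# A full table would need len(SUBJECTS) * len(OBJECTS) entries.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.txt"): {"read"},
    ("bob", "report.txt"): {"read", "write"},
    ("carol", "audit.log"): {"read"},
}


def dense_cell_count():
    """Number of cells a fully materialised matrix would hold."""
    return len(SUBJECTS) * len(OBJECTS)


def rights(subject, obj):
    """Return the rights in one matrix cell; a missing cell means no rights."""
    return frozenset(MATRIX.get((subject, obj), ()))


def is_allowed(subject, obj, right):
    """Default-deny check against the matrix."""
    return right in rights(subject, obj)


def capability_list(subject):
    """One row of the matrix: only the objects this subject may access.

    This is the structure that can be stored with the subject.
    """
    return {obj: set(r) for (s, obj), r in MATRIX.items() if s == subject}


def capability_check(caps, obj, right):
    """Check a request using only the subject's own capability list."""
    return right in caps.get(obj, ())


if __name__ == "__main__":
    print("dense cells:", dense_cell_count(), "stored cells:", len(MATRIX))
    print("alice capabilities:", capability_list("alice"))
    print("bob write payroll.db:", is_allowed("bob", "payroll.db", "write"))
```

With this sample data the full table would hold 12 cells while only 4 carry any rights, and each capability list contains just the row entries for its subject.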
A second method is to create a list that specifies which subjects can ...