The effective rights a specific user has on an object - what the user can actually do with the object - are determined by examining ACEs in a specific order. The first ACE that matches both the user and the desired access right determines whether the user has that right on the object. An ACE matches the user if it specifies the user or any group the user is directly or indirectly a member of. An ACE matches the desired right if the right is listed in the ACE.
At each object, ACEs are checked in ACL order (the order displayed
for an object on the Access Control page). Order can be changed among
multiple ACEs on the same object by using the
up arrow and
down arrow buttons next to the ACEs.
If no matching ACE is found after all levels are examined (back to the root or Global ACE), access is allowed by default (this is for back-compatibility with non-ACL mode).