When a thread attempts to use a securable object, the system gets the user and group SIDs from the thread's access token. The system checks the object's DACL, looking for ACEs that apply to these SIDs. The system checks each ACE until access is either granted or denied or until there are no more ACEs to check. Conceivably, an ACL could have several ACEs that apply to the token's SIDs. And, if this occurs, the access rights granted by each ACE accumulate. For example, if one ACE grants read access to a group and another ACE grants write access to a user who is a member of the group, the user can have both read and write access to the object.
The following illustration shows the relationship between these blocks of security information: