You can place ACLs on the following object classes:
Capability
Common event flag cluster
File
Device
Group global section
Logical name table
Queue
Resource domain
Security class
System global section
Volume
Typically, ACLs are used when you want to provide access to
an object for some, but not all, users, or if you want to deny access
to specific, unprivileged users. When the operating system receives
a request for access to an object having an ACL, it searches each
access control list entry in the ACL, stopping at the first match.
If another match occurs in the ACL, it has no effect. Therefore,
ACEs granting or denying access to a protected object for specific
users should appear in the ACL before ACEs identifying broader classes
of users.