You can place ACLs on the following object classes:
Capability Common event flag cluster File Device Group global section Logical name table Queue Resource domain Security class System global section Volume
Typically, ACLs are used when you want to provide access to
an object for some, but not all, users, or if you want to deny access
to specific, unprivileged users. When the operating system receives
a request for access to an object having an ACL, it searches each
access control list entry in the ACL, stopping at the first match.
If another match occurs in the ACL, it has no effect. Therefore,
ACEs granting or denying access to a protected object for specific
users should appear in the ACL before ACEs identifying broader classes
of users.
HP OpenVMS System Manager's Manual, Volume 1:... 
Security Considerations
