
Access Checking

Standard DCE ACL manager types use a common access-check algorithm to determine the permissions they grant to a principal. Access checking is executed in up to six stages, in the following order:

1. The user_obj entry check

2. The check for a matching user or foreign_user entry

3. The group_obj entry check and the check for matching group or foreign_group entries

4. The other_obj entry check

5. The check for a matching foreign_other entry

6. The any_other check

If during any stage of access checking an ACL manager type finds a privilege attribute entry that matches a privilege attribute possessed by a principal, then the manager type does not execute any subsequent stages, even though the principal may possess other privilege attributes for which there are other matching entries. See the Security Volume of the Application Environment Specification/Distributed Computing for descriptions of the algorithms used at each stage of access checking.
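The staged, first-match-stops behavior described above, as an added Python model (not DCE code, and not the sec_acl API). The names Principal, Acl, matches and access_check, the cell names and the sample entries are hypothetical. It assumes the permissions of all matching entries within a stage are unioned, and it omits the mask_obj and unauthenticated masks.

```python
from collections import namedtuple

# Stage order from the list above; each stage groups the entry types it checks.
STAGES = [("user_obj",), ("user", "foreign_user"),
          ("group_obj", "group", "foreign_group"),
          ("other_obj",), ("foreign_other",), ("any_other",)]

# Hypothetical stand-ins: groups is a frozenset of (cell, group) pairs;
# entries is a tuple of (entry_type, key, permissions) triples.
Principal = namedtuple("Principal", "cell name groups")
Acl = namedtuple("Acl", "cell owner group entries")

def matches(acl, p, etype, key):
    """True if the entry (etype, key) names a privilege attribute p holds."""
    local = p.cell == acl.cell
    return {
        "user_obj": local and p.name == acl.owner,
        "user": local and p.name == key,
        "foreign_user": (p.cell, p.name) == key,
        "group_obj": (acl.cell, acl.group) in p.groups,
        "group": (acl.cell, key) in p.groups,
        "foreign_group": key in p.groups,
        "other_obj": local,
        "foreign_other": p.cell == key,
        "any_other": True,
    }[etype]

def access_check(acl, p):
    """Return (stage, permissions) for the first stage with a matching entry."""
    for stage, types in enumerate(STAGES, 1):
        hits = [set(perms) for etype, key, perms in acl.entries
                if etype in types and matches(acl, p, etype, key)]
        if hits:                  # first matching stage wins; later stages never run
            return stage, set().union(*hits)
    return None, set()            # no entry matched: nothing granted

# Constructed sample ACL and principals.
CORP, PARTNER = "/.../corp.example", "/.../partner.example"
ACL = Acl(CORP, "root", "wheel", (
    ("user_obj", None, "rwxc"), ("user", "alice", "r"),
    ("group", "staff", "rw"), ("group", "audit", "rx"),
    ("other_obj", None, "r"), ("foreign_other", PARTNER, "r")))
ALICE = Principal(CORP, "alice", frozenset({(CORP, "staff")}))
BOB = Principal(CORP, "bob", frozenset({(CORP, "staff"), (CORP, "audit")}))
```

In this model alice stops at stage 2 with only r even though her staff membership would give rw at stage 3, so a narrower user entry acts as a restriction on a group member and is worth checking when reviewing ACLs.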