Sunday, April 1, 2012

ACL

A user's SID is the account identifier that Windows assigns to the user during login. The access token that holds the SID also contains structures that identify the groups the user belongs to and the privileges the user holds. Each group entry also has a SID; this SID points to structures that describe the group's rights.

The privileges section of the access token begins with a count of the number of privileges the user has, followed by an array of privilege entries. Each privilege entry contains a Locally Unique ID (LUID), essentially a pointer to the entry object, and an attribute mask. The mask tells what rights the user has to the object. Group SID entries are essentially the same: a privilege count and an array of privilege entries.

Object rights flow down to the lowest possible node unless overridden by another SID. For example, if a user has read and write privileges to \temp, those rights apply to all of its sub-folders. This also applies to containers such as a Word document, which may contain other files.
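The token layout and the inheritance rule described above can be observed directly from PowerShell. The script below is an added example and is not part of the original post: it reads the current user's SID, group SIDs and privilege entries (with their enabled/disabled attribute) from the token, then builds a throw-away folder tree under $env:TEMP (a constructed path) to show an inheritable Allow entry flowing down to a sub-folder and a Deny entry on that sub-folder overriding it.

```powershell
# Added example (not from the original post): inspect the current user's
# access token and show ACL inheritance on a constructed folder tree.

# --- 1. The user's SID and the group SIDs carried in the access token ---
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID : {0}" -f $identity.User.Value
"Groups   : {0}" -f $identity.Groups.Count
foreach ($g in $identity.Groups) {
    try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = "(unresolvable)" }
    "  {0,-50} {1}" -f $g.Value, $name
}

# --- 2. The privilege array: name plus its attribute (Enabled / Disabled) ---
# whoami /priv lists the token's privilege entries; /fo csv makes it parseable.
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$privs | Format-Table 'Privilege Name', State -AutoSize

# --- 3. Rights flowing down a folder tree (constructed path under TEMP) ---
$root  = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid().ToString('N'))
$child = Join-Path $root 'sub'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Grant the current user Read+Write on the root, inheritable by sub-folders and files.
$allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity.Name,
    [System.Security.AccessControl.FileSystemRights]'Read, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$rootAcl = Get-Acl -Path $root
$rootAcl.AddAccessRule($allow)
Set-Acl -Path $root -AclObject $rootAcl

# The child carries the same entry, marked IsInherited = True.
"--- ACL on $child after granting Read, Write on the parent ---"
(Get-Acl -Path $child).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity.Name } |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType

# The "unless overridden" case: an explicit Deny on the child takes precedence
# over the inherited Allow for the same SID.
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity.Name,
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$childAcl = Get-Acl -Path $child
$childAcl.AddAccessRule($deny)
Set-Acl -Path $child -AclObject $childAcl

"--- ACL on $child after adding an explicit Deny Write ---"
(Get-Acl -Path $child).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity.Name } |
    Select-Object FileSystemRights, IsInherited, AccessControlType

# Clean up: drop the Deny first so the removal is not affected, then delete the tree.
$childAcl = Get-Acl -Path $child
$childAcl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $child -AclObject $childAcl
Remove-Item -Path $root -Recurse -Force
```

Run it in an ordinary (non-elevated) session. Most rows of the privilege table will show State = Disabled: that column is the attribute mask of each privilege entry, and a privilege must be enabled in the token before it has any effect. In the ACL listings, the first shows the parent's Allow entry reappearing on the sub-folder with IsInherited = True; the second shows the explicit Deny sitting alongside it, which Windows evaluates ahead of the inherited Allow.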
