+
+Model
+=====
+
+ITKACL is a hierarchical system. If you have access to /web/foo, you also have
+access to /web/foo/bar (unless there's a negative ACL entry for you on /web/foo/bar).
+However, access to /web/foo does not give you automatic access to /web.
+
+Every object (e.g. /web/foo) has a list of ACL entries, saying who will be granted
+or denied access to the given resource. "Who" means either a username, a UNIX group
+(fetched through NSS, which often but not always will get information from /etc/group),
+or the special group "<everyone>", which includes all users ITKACL knows about at
+sync time.
+
+Grant is processed before deny, so deny takes precedence within the same list.
+(The web interface sorts this properly.)
+
+
+HOWTO
+=====
+
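Review bot: The precedence rule in the Model section ("Grant is processed before deny, so deny takes precedence within the same list") only covers entries on a single object, and the text never says how entries at different levels of the hierarchy combine. The first paragraph implies that a negative entry on /web/foo/bar overrides a grant inherited from /web/foo, but the reverse case (deny on /web/foo, grant on /web/foo/bar) is undefined, as is a grant by username against a deny by UNIX group on the same object. Please add a sentence stating the resolution order explicitly, since administrators will rely on it when writing deny entries. The "<everyone>" description would also benefit from saying whether a user created after sync time is outside that group until the next sync, because that affects whether a deny on "<everyone>" applies to them.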