The API checks each security principal that is listed in the access token against each ACE in the DACL to determine whether the requested permission is allowed or denied.