Using DCE ACLs with DFS

In the UNIX operating system, mode bits provide file system protection for file and directory objects (the general term object refers to a file or a directory). The access permissions for files and directories are set for three kinds of users: the user who owns the object, members of the group that owns the object, and all other users. The operations that these users can perform are determined by read, write, and execute mode bits.

All file and directory objects in DCE LFS filesets also have mode bits. However, the protection of such files and directories can be augmented with DCE ACLs, which allow access permissions to be defined for many different users and groups. With DCE ACLs, you can grant users six different permissions for your directories and four different permissions for your files. These permissions allow for the precise definition of access to directories and files.

DCE ACLs supplement the UNIX mode bits that are used to protect files and directories in DCE LFS filesets; they do not replace them. DCE LFS ensures that an object's mode bits and its ACL permissions are always synchronized. Note that objects in DCE LFS filesets can rely on mode bits as their sole form of protection. (See "Initial Protection of a New File or Directory" and "Initial ACLs of a New Fileset" for more information about this possibility; see "ACL Interaction with UNIX Mode Bits" for a description of the interaction and level of compatibility between DCE ACLs and UNIX mode bits.)

DCE ACLs are used only with objects in DCE LFS filesets. Mode bits are the only form of protection for objects in most non-LFS filesets.

More:

ACL Entries

ACL Evaluation

Setting and Examining ACLs

ACL Interaction with UNIX Mode Bits

Initial Protection of a New File or Directory

Initial ACLs of a New Fileset

Suggested Initial ACLs for a New Fileset

Delegation with DCE LFS Objects