The privilege specification is the second part of an Access
       Control List (ACL) entry. The privilege specification controls
       the access changes the user inherits from the parent of the
       object or directory to which the ACL belongs.

       The DMU format dictionary can make three types of changes to the
       user's list of inherited privileges:

       o  The GRANT clause can add any privileges not already acquired
          by the user and not banished previously.

       o  The DENY clause can remove any privileges the user had to the
          parent directory.

       o  The BANISH clause can deny a privilege to a directory or
          object. A privilege banished by the ACL of a directory can
          never be granted by any entry in the ACL of any descendant in
          that directory.

       The CDO format dictionary can either grant or deny privileges to
       dictionaries or objects:

       o  The GRANT clause can give any privilege. You must grant a
          right for the user to have that right. Any privilege not
          specifically granted is denied.

       o  The DENY clause can specifically deny any privilege. Since
          the user is denied all access rights not specifically granted,
          you don't have to specify this clause. If you specify only
          this clause, any privilege not denied will be granted. If you
          specify both GRANT and DENY, privileges will be granted and
          denied in the order specified and any privilege not listed
          will be denied.