It is assumed that the system has a data owner/data manager/system admin who configures the access controls
The goal is to restrict access to users who need to access/modify the information
Admins should use the principle of least privilege

Object: Files, Directories, etc.
Subject: Users

Access Control Matrix

Utilizes a 2D matrix to maintain the access control detail for each object and subject
Object subject pairs that do not have access control are represented as empty cell

Advantage
Straightforward way to implement access control

Disadvantage
This approach results in a very big matrix on modern systems which is going to be impossible for system administrators to configure

Access Control List

Compresses each column of the Access Control Matrix into a single list
Object subject pairs that do not have blank access control are not included

Advantage
Smaller size compared to Access Control Matrix. The size of each ACL will be equal to the no. of non-empty cells in the Matrix
The ACL can be stored along with the object as metadata

Disadvantage
No easy method to enumerate all the access controls for a subject. Every ACL list will need to be searched for the entry of the subject