I would say Access Control List is one of the way to implement Authorization .
I rem a bit of it
Access control in an OS is represented by matrix
We have a row defined for each user
and coloumn defined for physical data such as Files A , files B
Then if i have access to file A then a bit set it
and for file B if not
There is a thin line between Authorization an Access control
But what i think if they say Physical data ( it mean we are actually talking about files records and all ) Who has access to which is captured by Access Control
And Overall access is defined by authorization
But acCess control link is not usually used through tmatrIx .it takes a lot of space . Because it captures both right for all the files in a system
So instead of this a new approach was implemented called "Capabilities "
where with user we will associated all the files it can access and in which mode
If a system has A---Z files
and if i am dealing with A and B in Write mode for both
Then i will just have this information stored for it . I wont have any related to C ---Z . That why this method was more favourable over access Control ( Because in Access Control if user dont work with C---Z files also then also information about is stored by setting bit 0 )
// i have choosen system security as my final year subject . You can read Information security by Mark Stamp . Seriosusly a good book