https://en.wikipedia.org/wiki/Capability-based_security

It’s like sharing google doc link. You configure the link to be read only or read/write.

Now imagine you can create as many links as you want with all possible permission combinations. Then you have a capability based system