We can now imagine that to bind to a resource, our Object (and Object System) will be able to negotiate actively with the environment of the object to Get Interior Views of Exterior Resources.
describes a broad spectrum of Security Models that attach service-authorizations to the entities demanding the service. These service-authorizations are appropriately termed 'Capabilities'. This is in opposition to attaching service authorizations to the entity providing the service; for example, an Access Control List that is attached to a directory and indicates 'who' may enter/read/write/etc. does not qualify as a Capability.
[…] It is assumed that if you pass a reference to another object, you're giving them full permission to do anything that object is willing to do. Security is enforced by creating 'new' objects that limit the actions (e.g. by throwing exceptions or returning without operation) when the caller attempts a blocked action. It is assumed that you can trust the Object System environment and host computer to not intentionally violate the security system.
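The attenuation pattern described above, as an added example that is not part of the original page: JavaScript closures stand in for the Object System, and `makeLog`, `readOnlyView` and `appendOnlyView` are hypothetical names. One view blocks actions by throwing, the other by returning without operation, and neither exposes a reference to the underlying object.

```javascript
'use strict';

// Full-authority object (hypothetical). State lives in a closure, so it is
// reachable only through a reference to the returned object. Freezing stops
// one holder from swapping methods out from under another holder.
function makeLog(initial) {
  let lines = [...initial];
  return Object.freeze({
    read: () => lines.slice(),            // copy: callers cannot mutate state
    append: (line) => { lines.push(String(line)); },
    clear: () => { lines = []; },
  });
}

// New object that limits actions by throwing on anything but read.
function readOnlyView(log) {
  const deny = (action) => () => {
    throw new Error(`capability does not permit ${action}`);
  };
  return Object.freeze({
    read: () => log.read(),
    append: deny('append'),
    clear: deny('clear'),
  });
}

// New object that limits actions by returning without operation.
function appendOnlyView(log) {
  const noop = () => undefined;
  return Object.freeze({ read: noop, append: (line) => log.append(line), clear: noop });
}

// Constructed scenario: two callers each receive a different view of one log.
function demo() {
  const log = makeLog(['boot']);          // constructed sample data
  const reader = readOnlyView(log);
  const writer = appendOnlyView(log);
  writer.append('login alice');           // permitted, reaches the real log
  writer.clear();                         // blocked: silently ignored
  let readerBlocked = false;
  try { reader.clear(); } catch (err) { readerBlocked = true; }
  return { seenByReader: reader.read(), seenByWriter: writer.read(), readerBlocked };
}

console.log(demo());
```

Handing a caller `log` itself instead of a view would grant `clear` as well, which is the "full permission" case the text describes.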