Package io.milton.annotations
Annotation Type AccessControlList
@Target(METHOD) @Retention(RUNTIME) public @interface AccessControlList
Marks a method as one which returns the Access Control List for a user on a given resource.

The method must have at least 2 parameters:
- The object to return an access control list for. For example, if you want to return permissions for a Calendar, then this should be a Calendar
- The current user. This is the object returned by the @Authenticate method

Milton will search up the object hierarchy to find a @AccessControlList method. The first one found which returns a non-null value will be used. Returning null indicates the method is not able to determine an ACL, so Milton will continue the search up the parents.

So if a request is made to a URL like this:

    /users/brad/calendars/cal1

Then if cal1 represents an instance of a MyCalendar, and @Authenticate returned an instance of MyUser, then you should have a method like this:

    @AccessControlList
    public List<AccessControlledResource.Priviledge> getUserPrivs(MyCalendar target, MyUser currentUser)

But if you want to apply permissions at a higher level, say at the level of the user object, and let's say that "brad" is an instance of a MyUser object, then you would have this:

    @AccessControlList
    public List<AccessControlledResource.Priviledge> getUserPrivs(MyUser target, MyUser currentUser)
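The search order described above, as an added example that is not part of the Milton documentation: a calendar-level method that only decides for explicit shares and returns null otherwise, with a user-level method as the fallback. The controller name, the fields of MyUser and MyCalendar, the readers set, the null check on the current user, and the treatment of an empty list as "no privileges" are assumptions.

```java
import io.milton.annotations.AccessControlList;
import io.milton.annotations.ResourceController;
import io.milton.resource.AccessControlledResource.Priviledge;
import java.util.Collections;
import java.util.List;
import java.util.Set;

@ResourceController
public class CalendarAclController {

    // Hypothetical domain classes; only the names MyUser and MyCalendar come from the page.
    public static class MyUser {
        final String name;
        public MyUser(String name) { this.name = name; }
    }

    public static class MyCalendar {
        final Set<String> readers; // names of users this calendar is shared with (assumed field)
        public MyCalendar(Set<String> readers) { this.readers = readers; }
    }

    // Calendar-level rule: decides only when the calendar is explicitly shared
    // with the current user.
    @AccessControlList
    public List<Priviledge> getCalendarPrivs(MyCalendar target, MyUser currentUser) {
        if (currentUser != null && target.readers.contains(currentUser.name)) {
            return Collections.singletonList(Priviledge.READ);
        }
        // No decision at this level: null tells Milton to keep searching up the parents.
        return null;
    }

    // User-level rule: reached for /users/brad/calendars/cal1 when the method above
    // returned null and "brad" is a MyUser further up the hierarchy.
    @AccessControlList
    public List<Priviledge> getUserPrivs(MyUser target, MyUser currentUser) {
        if (currentUser != null && currentUser.name.equals(target.name)) {
            return Collections.singletonList(Priviledge.ALL); // owner of this subtree
        }
        // Non-null, so the search stops here. An empty list is assumed to grant nothing;
        // returning null instead would hand the decision to whatever sits further up.
        return Collections.emptyList();
    }
}
```

The distinction between the two return values is the point to check in review: null defers the decision to a parent's method, while any non-null list, including an empty one, is used as the answer.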