Access-control lists are often set up to answer the obvious question "can X access Y to do Z?" but not other useful things like "What are all the Ys X can do Z to?" But this needs to be planned in from the start, or you will be sad later on.
(Twitter thread.)