Picture a file as a locker with three keys hanging outside: one for the owner, one for anyone in the owning group, one for everyone else. Your process picks the first key that fits its badge (UID first, then GID). If that key doesn't open what you want, you don't get to try the next one — access is denied.
When basic rwx isn't expressive enough (e.g., "bob gets rw but alice only r, and nobody else can see it"), Linux hangs extra keys inside the locker door: POSIX.1e ACLs. These are managed with setfacl / getfacl.