A method, apparatus, and computer instructions for process-based access
control over computer resources. An access mechanism is
provided in which a specific invoker obtains an object access identity
(ACI). Another mechanism is provided in which a specific object, such as
a file system resource, requires a specific object access identity to
obtain one of the forms of access denoted by an access control list. A
process may "grant" an identifier that is later "required" for a system
resource access. Objects may specify their own access requirements and
permitted access modes. The granted identifier, ACI, is stored in the
process's credentials once these credentials match a specific "grant"
entry in the access control list. This identifier has no meaning outside
of being used to make an access decision for a specific resource. When a
process tries to access the object, the object's access control list is
scanned for "required" entries. If a "required" entry's identifier
matches the ACI stored in the process's credentials, access to the object
is granted with the access rights specified in the "require" entries.
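
The grant/require flow described above can be modelled in a few lines. This is an added illustration, not code from the patent. It assumes that a "grant" entry matches on a numeric user id, that the grant is evaluated when the process invokes the object carrying it, and that rights from several matching "require" entries are combined; all object names and ACI strings are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Grant:      # "grant" ACL entry: credentials matching uid receive aci
    uid: int      # assumption: credentials are matched on a user id
    aci: str

@dataclass(frozen=True)
class Require:    # "require" ACL entry: a process holding aci gets rights
    aci: str
    rights: frozenset

@dataclass
class Obj:
    name: str
    acl: list     # mix of Grant and Require entries

@dataclass
class Process:
    uid: int
    acis: set = field(default_factory=set)  # granted ACIs live in the credentials

def invoke(proc, obj):
    """Invoking obj: each grant entry matching the credentials stores its ACI."""
    for entry in obj.acl:
        if isinstance(entry, Grant) and entry.uid == proc.uid:
            proc.acis.add(entry.aci)

def access(proc, obj):
    """Scan obj's ACL for require entries and collect rights of the matches."""
    rights = set()
    for entry in obj.acl:
        if isinstance(entry, Require) and entry.aci in proc.acis:
            rights |= entry.rights  # assumption: matching entries are unioned
    return frozenset(rights)        # empty set: no require entry matched

def demo():
    # Constructed objects: a tool that grants an ACI, a file that requires it.
    tool = Obj("backup_tool", [Grant(uid=1001, aci="ACI-BACKUP")])
    data = Obj("secret.db", [Require("ACI-BACKUP", frozenset({"read"}))])
    alice, bob = Process(uid=1001), Process(uid=1002)
    before = access(alice, data)    # no ACI held yet
    invoke(alice, tool)             # credentials match the grant entry
    invoke(bob, tool)               # credentials do not match
    return before, access(alice, data), access(bob, data)
```

The ACI only has an effect where a "require" entry names it: a process that never passed through the granting object holds no matching identifier and gets no rights from this mechanism.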