While there is already access control for controller actions, still data can be accessed or modified in various application aspects.
To make sure, that data is not accessed or modified without proper permissions, model-level security is added. This requires that to modify or view model, certain security level must be met. Only proper groups or users - [or any custom list]() - can read or write selection of documents.
More about ACL Rules:
Get and set filters
Additionally, even if user has permissions to data model, sometimes some properties should not be modified or viewed by user. This is place where property filter comes in.