1. First, it checks whether a profile, permission set, or OWD setting already gives the user the level of access requested.
2. If the user does not have that level of access, the system queries the object share table to see if there is a row in which the record's ID and user's ID appears.
3. Next, it queries the group membership table to identify all groups that could provide access to the user.
4. It then scans the object share table again to see if there is a row in which any of these groups has already been granted access.
5. Finally, it compares the level of access granted directly to the user with the levels of access granted to the groups the user belongs to, giving the user the least restrictive level of access.