A user is said to operate in a domain. The domain is a collection of access rights to the system's resources. If the user requests access to a resource, then he/she is granted access if and only if the specific access right is in that user's current domain.
An access matrix is a matrix with domains in the rows and resources in the column. The element in row i and column j contains the access rights for resource j in domain i. The operating system uses the concept of the access matrix to grant access rights to resources. It simply checks the element in the resource's column, and the user's domain's row.
Capabilities are attractive, because if done right, they make the job of granting resources extremely efficient. Their major drawback is that they are hard for the operating system to manage if the access matrix needs to be changed.