Subsequent system accesses by that application are restricted by the permissions of that object and not the user identify.
Objects have a sub-user id and their own (presumably reduced) set of access rights.
See Figure 3 for example.