All entities are associated with an authorization key. In order to access an entity the user has to have access to the authorization key. The key applies to both the published and the admin entity.
Exactly what authorization keys exist and who have access to them is application specific. A convention is to have two keys: none and subject. Normally everyone is able to use the none key, so it's suitable for public content, e.g. this article. The subject key is different in the way that most users might be able to use the key, it will be different for each user. That makes it good for user private content, two users won't be able to access each other's content if it uses the subject key.
Applications can use the same facility to maintain content that should only be accessed by a group of users.