The ACL is tied to the particular role the user/device is assigned.
The role can be assigned either from the AAA Profile the VAP/SSID has assigned or it can be send in a RADIUS responds if you are using a RADIUS server.
From CLI you can verify the role and how the role is getting applied by running the command:
show user ip <IP ADDRESS>
Name: vfabian, IP: 192.168.1.200, MAC: 00:11:22:33:44:55, Age: 00:01:01
Role: FULL-ACCESS-ROLE (how: ROLE_DERIVATION_DOT1X_VSA), ACL: 118/0
Authentication: Yes, status: started, method: 802.1x, protocol: EAP-PEAP, server: CPPM-SERVER-1
Authentication Servers: dot1x authserver: CPPM-SERVER-1, mac authserver:
Role Derivation: ROLE_DERIVATION_DOT1X_VSA
VLAN Derivation: Default VLAN
Once you determine the role you can then do a show rights <ROLE NAME> to see what ACL are getting applied to the user-role