What Does Access Control List (Microsoft) (ACL) Mean?
In a Microsoft context, an Access Control List (ACL) is the list of security information attached to a system object that defines the access rights of trustees such as users, groups, processes or devices. The system object may be a file, folder or other network resource. Each item of that security information is known as a permission, and it controls whether the object's contents may be viewed or modified.
Windows uses filesystem ACLs, in which the user and group permissions associated with an object are maintained internally in a data structure. The same security model is used by OpenVMS (Open Virtual Memory System) and by Unix-like operating systems, including Mac OS X.
The ACL contains a list of items known as Access Control Entries (ACEs), each of which holds the security details for one “trustee” with system access. A trustee may be an individual user, a group of users, or a process running in a session. The security details are stored internally as a 32-bit value, the access mask, which represents the set of permissions that may be exercised on a securable object. The mask covers generic rights (read, write and execute), object-specific rights (such as delete and synchronize), the System ACL (SACL) access right, and Directory Services access rights (specific to directory service objects). When a process requests access to an object, the system consults the ACL and reads the access mask of each relevant ACE, which maps to that object's stored 32-bit value.
Techopedia Explains Access Control List (Microsoft) (ACL)
- Discretionary ACL (DACL): A DACL identifies the trustees that are allowed or denied access to an object and is where those access rights are modified. Its ACEs are checked in a specified sequence, and the check stops as soon as access has been either granted or denied. For example, a folder may be restricted to read-only access, but an administrator usually has full rights (read, write and execute) that override the DACL.
- System ACL (SACL): An administrator uses a SACL to monitor trustees' attempts to access an object; the access details are logged in the Security event log. This helps when debugging application problems related to access rights and supports intrusion detection. A SACL's ACEs define the audit rules for a specific resource. In short, the difference between the two is that a DACL restricts access, while a SACL audits access.
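The DACL walk described above, with the access mask as a 32-bit value, is shown here as an added Python model that is not Microsoft's code; the mask constants are the values Windows defines, while the SIDs and the sample DACL are constructed for the demonstration. It also shows why ACE order matters: the same ACEs with the deny moved last give a different answer.

```python
from dataclasses import dataclass

# Access-mask bits as Windows defines them (standard and generic rights).
DELETE          = 0x00010000
READ_CONTROL    = 0x00020000
SYNCHRONIZE     = 0x00100000
GENERIC_READ    = 0x80000000
GENERIC_WRITE   = 0x40000000
GENERIC_EXECUTE = 0x20000000

@dataclass(frozen=True)
class Ace:
    allow: bool    # True: access-allowed ACE, False: access-denied ACE
    trustee: str   # SID of the trustee (constructed sample values below)
    mask: int      # 32-bit access mask this ACE grants or denies

def check_access(dacl, token_sids, requested):
    """Walk the DACL in order and return (granted, reason).

    A None DACL means the object is unprotected (everyone gets everything);
    an empty DACL denies everyone, because nothing is ever explicitly allowed.
    """
    if dacl is None:
        return True, "null DACL: object is unprotected"
    if requested == 0:
        return True, "nothing requested"
    still_needed = requested
    for i, ace in enumerate(dacl):
        if ace.trustee not in token_sids:
            continue                        # ACE is for another trustee
        if not ace.allow:
            if ace.mask & requested:        # any requested right denied: stop
                return False, f"denied by ACE {i} for {ace.trustee}"
        else:
            still_needed &= ~ace.mask       # accumulate explicitly allowed rights
            if still_needed == 0:           # all requested rights granted: stop
                return True, f"granted by ACEs up to {i}"
    return False, "end of DACL: not all requested rights were granted"

# Constructed sample SIDs and a DACL in canonical order (explicit deny first).
USER, STAFF, ADMINS = "S-1-5-21-1-1001", "S-1-5-21-1-513", "S-1-5-32-544"
CANONICAL = [
    Ace(False, USER, GENERIC_WRITE),
    Ace(True, STAFF, GENERIC_READ | GENERIC_EXECUTE),
    Ace(True, ADMINS, GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE),
]
# Same ACEs with the deny moved last: the walk reaches the allow first.
MISORDERED = [CANONICAL[1], CANONICAL[2], CANONICAL[0]]

if __name__ == "__main__":
    print(check_access(CANONICAL, {USER, ADMINS}, GENERIC_WRITE))   # denied
    print(check_access(MISORDERED, {USER, ADMINS}, GENERIC_WRITE))  # granted
```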