Access Control Lists (ACLs) are generally used to limit access to data objects. An ACL contains a number of entries, called ACEs (Access Control Entries); each ACE describes one individual access rule. For example, an entry might define the access a user (or group of users) has to a certain object (such as a file in a file system to which the ACL is assigned) at a specific access level (e.g. “View only” or “Edit”).
ACL in Microsoft Windows
In Microsoft Windows, several object types can carry an ACL through a security descriptor, e.g. processes, directories, files, organizational units in Active Directory and Exchange Server mailboxes.
Regarding ACLs in an NTFS file system, the following options for ACEs within an ACL are available:
- Both single users and groups can be authorized. Windows displays the name of the user or group, even though the entry itself stores the SID of the respective security principal.
- The users and groups can be either local computer users or Active Directory users/groups.
- Permissions can be allowed or denied (ACEs with denied permissions are automatically ranked at the beginning of an ACL, which means that “denied” always beats “allowed”).
- Entries can either be inherited from the parent folder or be set explicitly (explicitly set entries rank above inherited entries).
- Each entry can comprise specific permissions (NTFS specifies which permissions exist).
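The ordering rules above can be seen in action with a small simulation. The following is an added example, not code from the original page: it sorts constructed ACEs into the canonical order Windows writes (explicit deny, explicit allow, inherited deny, inherited allow) and then walks them the way the access check does, stopping at the first matching deny. The user SID and the permission bits are constructed stand-ins; only `S-1-5-32-545` (BUILTIN\Users) is a real well-known SID.

```python
from dataclasses import dataclass

# Constructed permission bits, a simplified stand-in for NTFS access rights
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    sid: str         # the entry stores the trustee's SID, not its display name
    allow: bool      # True = access allowed, False = access denied
    mask: int        # bit mask of the permissions this entry covers
    inherited: bool  # True if propagated from the parent folder


def canonical_order(aces):
    """Canonical DACL order: explicit entries before inherited ones,
    and within each group deny entries before allow entries."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def access_check(aces, token_sids, desired):
    """Return True if the token is granted every bit in `desired`.
    Walks the canonical ACL: a matching deny ACE covering any still
    unsatisfied bit denies access; allow ACEs satisfy bits until none remain."""
    remaining = desired
    for ace in canonical_order(aces):
        if ace.sid not in token_sids:
            continue  # entry does not apply to this user or their groups
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # nothing granted the remaining bits


USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
USERS_GROUP = "S-1-5-32-545"                             # BUILTIN\Users
TOKEN = {USER, USERS_GROUP}                              # user plus group SIDs

# Constructed ACL: an explicit allow for the user, plus entries inherited
# from the parent folder that deny WRITE but allow READ/EXECUTE for the group.
FOLDER_ACL = [
    Ace(USER, True, READ | WRITE, inherited=False),
    Ace(USERS_GROUP, False, WRITE, inherited=True),
    Ace(USERS_GROUP, True, READ | EXECUTE, inherited=True),
]
# Same ACL with an explicit deny added: the deny now precedes the explicit allow.
EXPLICIT_DENY_ACL = FOLDER_ACL + [Ace(USERS_GROUP, False, WRITE, inherited=False)]
```

The explicit allow outranks the inherited deny, so the user can write to the folder, while an explicit deny on the same permission blocks it regardless of the allow entry.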