Access Control List: What is the ACL?

An Access Control List (ACL) is the structure an operating system uses to record which accounts hold which permissions on a given object or resource. Read on to learn how ACLs work in Windows.

General Information

Access Control Lists (ACLs) are used to restrict access to objects such as files. An ACL is an ordered list of entries called ACEs (Access Control Entries); each ACE describes one access rule. For example, an ACE might grant a user (or a group of users) a particular level of access (e.g. "read only" or "modify") to the object the ACL is attached to, such as a file in a file system.

ACL in Microsoft Windows

In Microsoft Windows, every securable object carries a security descriptor, and the security descriptor holds the object's ACLs: the DACL (discretionary ACL), which grants and denies access, and the SACL (system ACL), which controls auditing. Securable objects include processes, directories, files, registry keys, organizational units in Active Directory, Exchange Server mailboxes and more. For ACLs on an NTFS file system, the ACEs in the DACL have the following properties:

  • Both individual users and groups can be named in an ACE. The ACE itself stores only the security identifier (SID) of the principal; Windows resolves the SID to a user or group name for display. This is why an ACE whose account has since been deleted shows up as a bare SID.

  • The users and groups can be local accounts on the computer or Active Directory users and groups.

  • Each ACE either allows or denies permissions. When Windows writes an ACL it puts the entries in canonical order: within the explicit entries, and again within the inherited entries, Deny ACEs are placed before Allow ACEs. The access check walks the list in order and stops as soon as an ACE denies one of the requested rights, so at the same level a Deny beats an Allow. An explicit Allow, however, is listed before an inherited Deny and therefore wins over it (see the next point). ACLs written with low-level APIs can be non-canonical, and then this ordering guarantee no longer holds.

  • Entries are either inherited from the parent folder or set explicitly on the object itself. Explicit entries are placed before inherited ones in the ACL, so they are evaluated first. Inheritance can be blocked on a folder, in which case the inherited entries are either converted into explicit ones or removed.

  • Each entry carries a set of specific permissions. NTFS defines which ones exist (for example Read Data, Write Data, Delete, Change Permissions and Take Ownership); Explorer groups them into basic permissions such as Read, Modify and Full Control.
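
The points above can be checked directly from PowerShell. The script below is an added example, not code from the original article or from tenfold: it dumps the DACL of a folder in list order, showing for each ACE the stored SID next to its resolved name, whether it is explicit or inherited, whether it allows or denies, and the specific NTFS rights, and reports whether the DACL is in canonical order. The demo part then builds a throwaway parent/child tree, adds an inherited Deny on the parent and an explicit Allow on the child for the same principal, and prints the resulting order. It assumes Windows with PowerShell 5.1 or 7 and a writable $env:TEMP; the folder names and the choice of BUILTIN\Guests (well-known SID S-1-5-32-546) as the sample principal are assumptions made for the demo so the current user is never locked out.

```powershell
# Added example, not part of the original article. Assumed environment: Windows,
# PowerShell 5.1 or 7, writable $env:TEMP. The demo principal BUILTIN\Guests
# (S-1-5-32-546) and the folder names are choices made for this example only.

function Resolve-SidName {
    param([System.Security.Principal.IdentityReference]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<unresolved SID>' }   # e.g. an account that has since been deleted
}

function Get-DaclReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Each FileSystemAccessRule is one ACE of the DACL, returned in list order.
    # Requesting SecurityIdentifier yields the SID the ACE actually stores.
    $order = 0
    $aces = foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        [pscustomobject]@{
            Order     = $order
            Type      = $ace.AccessControlType                     # Allow or Deny
            Scope     = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            Principal = Resolve-SidName $ace.IdentityReference      # resolved for display
            SID       = $ace.IdentityReference.Value                # what the ACE stores
            Rights    = $ace.FileSystemRights                       # NTFS specific rights
        }
        $order++
    }
    [pscustomobject]@{
        Path        = $Path
        Owner       = $acl.Owner
        # True when the DACL is in canonical order:
        # explicit Deny, explicit Allow, inherited Deny, inherited Allow.
        IsCanonical = $acl.AreAccessRulesCanonical
        Aces        = $aces
    }
}

# --- Demo: one inherited Deny and one explicit Allow for the same principal ---
$root  = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
$child = Join-Path $root 'child'
New-Item -ItemType Directory -Path $child -Force | Out-Null

$guests  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-546'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Deny Guests "Delete" on the parent; the ACE propagates to the child as an inherited Deny.
$parentAcl = Get-Acl -LiteralPath $root
$parentAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $guests, 'Delete', $inherit, 'None', 'Deny'))
Set-Acl -LiteralPath $root -AclObject $parentAcl

# Allow Guests "Delete" explicitly on the child. In canonical order this explicit
# Allow is listed before the inherited Deny, so on the child the Allow wins.
$childAcl = Get-Acl -LiteralPath $child
$childAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $guests, 'Delete', $inherit, 'None', 'Allow'))
Set-Acl -LiteralPath $child -AclObject $childAcl

$report = Get-DaclReport -Path $child
$report.Aces | Format-Table Order, Type, Scope, Principal, SID, Rights -AutoSize
"Canonical order: $($report.IsCanonical)"

Remove-Item -LiteralPath $root -Recurse -Force   # clean up the demo tree
```

In the printed table the explicit Allow for BUILTIN\Guests appears at Order 0, ahead of the inherited Deny for the same SID and ahead of the Allow entries the child inherits from $env:TEMP. The same view is available from the command line with `icacls <path>`, which marks inherited entries with (I) and deny entries with (DENY); an ACL whose IsCanonical is False has been written outside the normal tools and should be inspected, because Windows then no longer guarantees that a Deny is evaluated before an Allow at the same level.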


Best Practices for Access Management In Microsoft® Environments

An in-depth manual on how to set up access structures correctly, including technical details. Also includes information on reporting and tips for implementation.

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.