Access Control Lists

An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties. Each ACE identifies a security principal and specifies a set of access rights allowed, denied, or audited for that security principal.

An object's security descriptor can contain two ACLs:

  • A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access

  • A system access control list (SACL) that controls how access is audited

The data structure for an ACL is illustrated in Figure 12.21.


Figure 12.21 Structure of an ACL

The individual parts of an ACL are as follows:

ACL Size    The number of bytes of memory allocated for the ACL. The size of an ACL varies with the number and size of its ACEs.

ACL Revision    The revision number for the ACL's data structure. The structure of an ACL is the same for all revisions, but the structure of ACEs in the ACL can vary. The revision number for most objects is 2. The revision number for Active Directory objects is 4.

ACE Count    The number of ACEs in the ACL. A value of zero means the ACL has no ACEs; it is empty, so access checking can stop.

ACEs    An ordered list containing zero or more ACEs. During an access check, ACEs are processed in the order in which they are listed.
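The following Python is an added illustration of the four parts just listed and is not code from the book. It serializes and parses the on-disk ACL header (AclRevision, AclSize, AceCount) and the ACE list using the winnt.h layouts (ACL, ACE_HEADER, ACCESS_ALLOWED_ACE and its SID), checks every size field before trusting it, and then walks the ACEs in list order with a simplified model of the DACL check (no owner or privilege handling). The RIGHT_READ and RIGHT_WRITE mask bits and the user SID are constructed sample values; S-1-1-0 (Everyone) and S-1-5-32-544 (BUILTIN\Administrators) are real well-known SIDs.

```python
import struct

# Constants from winnt.h
ACL_REVISION = 2           # revision used for most objects
ACL_REVISION_DS = 4        # revision used for Active Directory objects
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
SYSTEM_AUDIT_ACE_TYPE = 0x02

# Constructed access-mask bits for the sample (not real FILE_* values)
RIGHT_READ = 0x1
RIGHT_WRITE = 0x2


def encode_sid(sid):
    # 'S-R-A-s1-s2...' -> revision, sub-authority count, 6-byte big-endian
    # identifier authority, then 32-bit little-endian sub-authorities
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def decode_sid(buf, off):
    # Parse a binary SID at buf[off:]; return (sid_string, byte_length)
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_ace(ace_type, mask, sid, flags=0):
    # ACE_HEADER (AceType, AceFlags, AceSize) + access mask + SID
    body = struct.pack("<I", mask) + encode_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_acl(aces, revision=ACL_REVISION):
    # 8-byte ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2; then ACEs in order
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body


def parse_acl(buf):
    # Walk the ACL, validating every size field before trusting it
    if len(buf) < 8:
        raise ValueError("buffer shorter than ACL header")
    revision, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, 0)
    if acl_size > len(buf):
        raise ValueError("AclSize exceeds buffer")
    aces, off = [], 8
    for _ in range(ace_count):
        if off + 4 > acl_size:
            raise ValueError("AceCount runs past AclSize")
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, off)
        if ace_size < 4 or off + ace_size > acl_size:
            raise ValueError("bad AceSize")
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE):
            mask, = struct.unpack_from("<I", buf, off + 4)
            sid, _ = decode_sid(buf, off + 8)
            aces.append({"type": ace_type, "flags": flags, "mask": mask, "sid": sid})
        else:  # other ACE types (object ACEs, callbacks) are kept opaque here
            aces.append({"type": ace_type, "flags": flags, "raw": bytes(buf[off + 4:off + ace_size])})
        off += ace_size
    return {"revision": revision, "size": acl_size, "count": ace_count, "aces": aces}


def check_access(acl, principal_sids, desired):
    # Simplified DACL walk: ACEs are evaluated in list order; a matching deny of
    # any not-yet-granted requested right ends the check, allows accumulate, and
    # the walk stops once every requested right is granted. An empty ACL
    # (AceCount 0) grants nothing. Not the full Windows algorithm.
    granted = 0
    for ace in acl["aces"]:
        if ace.get("sid") not in principal_sids:
            continue
        if ace["type"] == ACCESS_DENIED_ACE_TYPE and ace["mask"] & desired & ~granted:
            return False
        if ace["type"] == ACCESS_ALLOWED_ACE_TYPE:
            granted |= ace["mask"] & desired
            if granted == desired:
                return True
    return granted == desired


# Sample principals: two well-known SIDs and one constructed placeholder user SID
EVERYONE = "S-1-1-0"
ADMINS = "S-1-5-32-544"
USER = "S-1-5-21-1-2-3-1001"

# Constructed sample DACL: deny write to Everyone first, then the allows
SAMPLE_ACL = build_acl([
    build_ace(ACCESS_DENIED_ACE_TYPE, RIGHT_WRITE, EVERYONE),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, RIGHT_READ, EVERYONE),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, RIGHT_READ | RIGHT_WRITE, ADMINS),
])
# Same ACEs with the Administrators allow moved first: order changes the outcome
REORDERED_ACL = build_acl([
    build_ace(ACCESS_ALLOWED_ACE_TYPE, RIGHT_READ | RIGHT_WRITE, ADMINS),
    build_ace(ACCESS_DENIED_ACE_TYPE, RIGHT_WRITE, EVERYONE),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, RIGHT_READ, EVERYONE),
])

if __name__ == "__main__":
    parsed = parse_acl(SAMPLE_ACL)
    print("revision", parsed["revision"], "size", parsed["size"], "count", parsed["count"])
    for ace in parsed["aces"]:
        print(ace)
    print("admins write, deny first:", check_access(parsed, {EVERYONE, ADMINS}, RIGHT_WRITE))
    print("admins write, allow first:", check_access(parse_acl(REORDERED_ACL), {EVERYONE, ADMINS}, RIGHT_WRITE))
```

Two points the walk makes concrete: because the deny ACE for Everyone is listed first in SAMPLE_ACL, an administrator asking for write is refused, while REORDERED_ACL grants the same request before the deny is ever reached, which is why tools that write DACLs place deny ACEs ahead of allow ACEs; and parse_acl rejects a buffer whose AclSize or AceSize fields run past the data, the check any reader of attacker-influenced security descriptors needs before following the size fields.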