Access Control List (Microsoft) (ACL)

Definition - What does Access Control List (Microsoft) (ACL) mean?

In a Microsoft context, an Access Control List (ACL) is the list of security information attached to a system object that defines which trustees (users, groups, processes or devices) hold which access rights to it. The system object may be a file, folder or other network resource. Each item of that security information is known as a permission, and it controls whether the object's contents may be viewed or modified.

The Windows OS uses filesystem ACLs, in which the user and group permissions associated with an object are maintained internally in a data structure. The same security model is also used by OpenVMS (Open Virtual Memory System) and by Unix-like operating systems, including Mac OS X.

The ACL contains a list of items, known as Access Control Entries (ACEs), each holding the security details for one "trustee" with system access. A trustee may be an individual user, a group of users or a process that executes a session. The rights in each entry are stored internally as a 32-bit value, the access mask, which represents the set of permissions that may be exercised on a securable object. Those rights include generic rights (read, write and execute), object-specific rights (delete, synchronize, etc.), System ACL (SACL) access rights and Directory Services access rights (specific to directory service objects). When a process requests access to an object, the ACL is consulted and the rights are retrieved from the matching ACEs in the form of an access mask, which maps to that object's stored 32-bit value.

Techopedia explains Access Control List (Microsoft) (ACL)

An ACL is a resource-based security model: it is designed to authorize an application's access to an individually secured resource. It is less suited to applications that must gather authorization data from multiple sources, such as databases and Web services. Role-based access control is another mechanism; it authorizes access to operations based on a caller's role membership and is mostly used in Web applications that require scalability.

Windows uses two ACL types:
  • Discretionary ACL (DACL): A DACL identifies the trustees that may or may not access an object and allows the object's access rights to be modified. The system checks the object's ACEs in the order they appear in the DACL and stops as soon as the requested access has been granted or denied. For example, a folder may be restricted to read-only access, but an administrator usually has full rights (read, write and execute) that override DACL rights.
  • System ACL (SACL): An administrator uses a SACL to monitor trustees' attempts to access an object; the details of each attempt are logged in the security event log. This helps when debugging application issues related to access rights and with intrusion detection. A SACL holds ACEs that define the set of audit rules for a specific resource. In short, the difference between the two is that a DACL restricts access, while a SACL audits access.

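The following is an added illustration, not code from the Techopedia article or from Windows itself. It models the two mechanisms described above in a single script: a 32-bit access mask using the real bit positions of the generic and standard rights, an ordered DACL walk that accumulates granted bits and stops at the first deny ACE covering a still-outstanding right, and a SACL that emits an audit record for matching success or failure. The trustee names (Staff, Contractors, Everyone), the user tokens and the ACE lists are constructed sample data; the `Ace`, `Token`, `check_access` and `audit_access` names are this example's own, not Windows API names.

```python
# Added example (not from the original article): a simplified model of
# Windows-style DACL evaluation and SACL auditing.
from dataclasses import dataclass, field

# Generic rights occupy the top bits of the 32-bit access mask (real layout);
# DELETE and SYNCHRONIZE are standard rights in bits 16-23.
GENERIC_READ    = 0x80000000
GENERIC_WRITE   = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL     = 0x10000000
DELETE          = 0x00010000
SYNCHRONIZE     = 0x00100000

ACCESS_ALLOWED = "allow"   # DACL entry granting rights
ACCESS_DENIED  = "deny"    # DACL entry refusing rights
AUDIT          = "audit"   # SACL entry producing security-log records


@dataclass
class Ace:
    kind: str                   # allow / deny (DACL) or audit (SACL)
    trustee: str                # user or group name the entry applies to
    mask: int                   # 32-bit access mask the entry covers
    audit_success: bool = True  # SACL only: log granted attempts
    audit_failure: bool = True  # SACL only: log refused attempts


@dataclass
class Token:
    """Constructed stand-in for an access token: a user plus group memberships."""
    user: str
    groups: set[str] = field(default_factory=set)

    def matches(self, trustee: str) -> bool:
        return trustee == self.user or trustee in self.groups


def check_access(dacl: list[Ace], token: Token, requested: int) -> bool:
    """Walk the DACL in order and stop at the first decisive entry.

    Granted bits accumulate across allow ACEs; the walk ends with success once
    every requested bit is granted, and with failure as soon as a matching deny
    ACE covers a bit that is still outstanding. An empty DACL grants nothing.
    """
    remaining = requested & 0xFFFFFFFF
    if remaining == 0:
        return True
    for ace in dacl:
        if not token.matches(ace.trustee):
            continue
        if ace.kind == ACCESS_DENIED and ace.mask & remaining:
            return False
        if ace.kind == ACCESS_ALLOWED:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # ran out of ACEs with rights still outstanding


def audit_access(sacl: list[Ace], token: Token, requested: int, granted: bool) -> list[str]:
    """Produce the security-log lines a SACL would generate for one access attempt."""
    records = []
    for ace in sacl:
        if ace.kind != AUDIT or not token.matches(ace.trustee):
            continue
        if ace.mask & requested == 0:
            continue  # this audit rule does not cover the rights being asked for
        outcome = "SUCCESS" if granted else "FAILURE"
        if (granted and ace.audit_success) or (not granted and ace.audit_failure):
            records.append(f"AUDIT {outcome} user={token.user} mask={requested:#010x}")
    return records


# Constructed sample DACL in Windows canonical order: explicit deny before allow.
SAMPLE_DACL = [
    Ace(ACCESS_DENIED, "Contractors", GENERIC_WRITE),
    Ace(ACCESS_ALLOWED, "Staff", GENERIC_READ | GENERIC_WRITE),
    Ace(ACCESS_ALLOWED, "Everyone", GENERIC_READ),
]
# Same entries with the deny placed after the allow (non-canonical order).
REORDERED_DACL = [SAMPLE_DACL[1], SAMPLE_DACL[0], SAMPLE_DACL[2]]
# Constructed sample SACL: audit every write or delete attempt by anyone.
SAMPLE_SACL = [Ace(AUDIT, "Everyone", GENERIC_WRITE | DELETE)]

ALICE = Token("alice", {"Staff", "Everyone"})
BOB   = Token("bob", {"Contractors", "Staff", "Everyone"})
CAROL = Token("carol", {"Everyone"})


def attempt(dacl: list[Ace], sacl: list[Ace], token: Token, requested: int) -> tuple[bool, list[str]]:
    """Full access check: DACL decision plus any SACL audit records."""
    granted = check_access(dacl, token, requested)
    return granted, audit_access(sacl, token, requested, granted)


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        for name, mask in (("read", GENERIC_READ), ("write", GENERIC_WRITE)):
            granted, log = attempt(SAMPLE_DACL, SAMPLE_SACL, who, mask)
            print(f"{who.user:6} {name:5} granted={granted} log={log}")
```

Running the script shows the ordering rule from the DACL description: bob is in both Contractors and Staff, and with the deny entry first his write request is refused even though a later Staff entry would allow it, while the reordered list lets the Staff allow entry satisfy the request before the deny is ever reached. The SACL produces a record only when the audited bits overlap the request, so carol's read is never logged while bob's refused write is.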