Access Control List
What is an ACL?
- is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.
- DACL: discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it.
- SACL: A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log.
- When a user logs in he/she is assigned a access token; and securable objects have ACLs. When an user attempts to access a securable object the Windows security subsystem compare the information in the token access with the securable object and grant or deny access.