Access Control List

• What is an ACL?

  • is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.
    • DACL: discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it.
    • SACL: A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log.

• Tokens and ACL

  • When a user logs in he/she is assigned a access token; and securable objects have ACLs. When an user attempts to access a securable object the Windows security subsystem compare the information in the token access with the securable object and grant or deny access.

Previous slide

Back to first slide

View graphic version