What is Access Control List (Microsoft) (ACL)?
In a Microsoft context, the Access Control List (ACL) is the list of security information attached to a system object that defines the access rights of users, groups, processes, or devices to that object. The system object can be a file, folder, or other network resource. The object's security information is known as a privilege, which controls access to the resource for viewing or modifying system object contents.
The Windows operating system uses the file system ACL, in which the user/group permissions assigned to an object are managed internally in a data structure. This type of security model is also used in Open Virtual Memory System (OpenVMS) and Unix-like or Mac OS X operating systems.
The ACL contains a list of elements called Access Control Entries (ACEs) that hold the security details of each 'trustee' with system access. A trustee can be an individual user, a group of users, or a process running a session. Security details are stored internally in a data structure, which is a 32-bit value that represents the permission set used to operate a securable object.
Object security details include generic rights (read, write, and execute), object-specific rights (delete and synchronize, etc.), system ACL (SACL), and directory service access rights (specific to directory service objects). When a process requests access to an object, this information is retrieved from the ACE in the form of an access mask that corresponds to the stored 32-bit value of that object.
ACL is a resource-based security model that was developed to provide security that enables the authorization of an application that is accessing an individually secured resource. It does not serve this purpose in applications that require authorization data from multiple sources, such as databases and/or web services. Role-based access control is another mechanism that allows access to operations based on a caller's role membership. It is used in web applications that require scalability.
Windows uses two types of ACL:
Discretionary ACL (DACL): A DACL verifies the identity of a trustee attempting to access objects and makes it easy to change object access rights. A DACL checks all object ACEs in a specified order and stops after checking whether access has been granted or denied. For example, a folder can be assigned exclusive read access restrictions, but an administrator typically has full rights (read, write, and execute) that override DACL rights.
System ACL (SACL): An administrator uses a SACL to monitor access to trustee objects and to log access details in the security event log. This feature helps debug application problems related to access rights and/or intrusion detection. A SACL has ACEs that govern the auditing rules for a particular resource. In short, the difference between the two is that DACL restricts access while SACL audits access.
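The ordered DACL evaluation described above, as an added example that is not part of the original page: a simplified Python model of the check over 32-bit access masks, in which trustee names stand in for SIDs and the sample ACLs are constructed. It assumes no generic-right mapping, inheritance, or owner and administrator overrides.

```python
from dataclasses import dataclass

# Real bit values from the 32-bit Windows access mask.
FILE_READ_DATA = 0x00000001   # object-specific right (files)
FILE_WRITE_DATA = 0x00000002  # object-specific right (files)
DELETE = 0x00010000           # standard right


@dataclass(frozen=True)
class Ace:
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    trustee: str   # hypothetical trustee name standing in for a SID
    mask: int      # rights this ACE allows or denies


def access_check(dacl, token_trustees, desired):
    """Return True only if the ordered DACL grants every bit in `desired`."""
    if dacl is None:               # object has no DACL: nothing restricts access
        return True
    remaining = desired & 0xFFFFFFFF
    for ace in dacl:               # ACEs are evaluated strictly in list order
        if ace.trustee not in token_trustees:
            continue               # ACE is for a different trustee
        if not ace.allow:
            if ace.mask & remaining:
                return False       # denies a right not yet granted: stop
        else:
            remaining &= ~ace.mask # rights granted so far drop out
            if remaining == 0:
                return True        # everything requested is granted: stop
    return False                   # end of list or empty DACL: implicit deny


# Constructed sample data: one user who is also a member of one group.
alice = {"alice", "Staff"}
canonical = [
    Ace(False, "alice", FILE_WRITE_DATA),                  # deny first
    Ace(True, "Staff", FILE_READ_DATA | FILE_WRITE_DATA),  # then allow
]
misordered = list(reversed(canonical))                     # allow before deny

if __name__ == "__main__":
    for name, dacl in (("canonical", canonical), ("misordered", misordered)):
        print(name, "write allowed:", access_check(dacl, alice, FILE_WRITE_DATA))
```

With `misordered`, the write request succeeds because the allow ACE satisfies it before the deny ACE is ever reached, which is why deny ACEs are normally placed ahead of allow ACEs.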