Access Control List (Microsoft) (ACL)

In a Microsoft context, an Access Control List (ACL) is the part of a securable object's security descriptor that lists which trustees may perform which operations on the object. The securable object may be a file, folder, registry key, process, named pipe, Active Directory object or other resource; a trustee is a user account, a group, or the logon session under which a process runs. Each entry in the list is a permission that allows or denies a trustee specific operations on the object, such as viewing or modifying its contents.

The Windows OS uses filesystem ACLs: the user and group permissions associated with an object are kept in a data structure stored with the object itself (on NTFS, in the file's security descriptor). The same model is used by OpenVMS (Open Virtual Memory System), by Unix-like systems that implement POSIX or NFSv4 ACLs, and by Mac OS X.

An ACL is a list of items known as Access Control Entries (ACEs). Each ACE names a trustee by its security identifier (SID), carries an ACE type (access-allowed, access-denied or audit), inheritance flags, and an access mask. The access mask is a 32-bit value whose bits represent the rights that may be exercised on a securable object: bits 0-15 hold object-specific rights (for files, rights such as FILE_READ_DATA and FILE_WRITE_DATA; for directory service objects, rights such as creating or deleting child objects and reading or writing properties), bits 16-20 hold the standard rights shared by every object type (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER and SYNCHRONIZE), bit 24 is ACCESS_SYSTEM_SECURITY, the right to read or write the object's SACL, and bits 28-31 hold the generic rights GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE and GENERIC_ALL. When a process opens an object it states the access it wants as an access mask; the system first maps any generic rights in that request to the object type's specific rights, then compares the requested mask against the access masks of the ACEs in the object's ACL to decide whether to grant the handle.

An ACL is a resource-based authorization model: it suits an application that needs to authorize access to an individually secured resource (one file, one registry key), because the decision is attached to the resource itself. It fits poorly when the authorization decision depends on data drawn from several sources, such as databases or Web services, since there is no single object whose ACL can express the rule. Role-based access control (RBAC) is the usual alternative: it authorizes operations on the basis of the caller's role membership rather than per-resource entries, and is mostly used in Web applications that must scale to many users and resources.

Windows uses two ACL types:
  • Discretionary ACL (DACL): The DACL decides whether a trustee may access the object. It is "discretionary" because the object's owner, or anyone holding the WRITE_DAC right on the object, may change it. When a process requests access, the system walks the DACL's ACEs in order, matching each ACE's trustee against the SIDs in the process token: an access-denied ACE that covers any requested right ends the walk with a denial, access-allowed ACEs accumulate granted rights, and the walk stops as soon as every requested right has been granted. Because order matters, the canonical layout places explicit deny entries before explicit allow entries, followed by inherited entries. Two boundary cases matter in practice: an object with no DACL at all (a NULL DACL) grants everyone full access, whereas an object with an empty DACL grants access to no one. Administrators are not exempt from the DACL; a deny ACE naming the Administrators group is honored. What gives an administrator an apparent override is ownership and privilege: an administrator can take ownership of an object (SeTakeOwnershipPrivilege), the owner is implicitly granted READ_CONTROL and WRITE_DAC and can therefore rewrite the DACL, and backup and restore privileges bypass the DACL for file operations.
  • System ACL (SACL): The SACL controls auditing. Its ACEs specify which trustees' access attempts, successful, failed or both, generate records in the Security event log (the "Audit object access" policy must also be enabled for the events to be written). Administrators use it to troubleshoot access-right problems in applications and as an intrusion-detection data source, since unexpected denied or successful accesses to sensitive objects become visible in the log. Reading or modifying a SACL requires the ACCESS_SYSTEM_SECURITY right, which is granted only to holders of SeSecurityPrivilege. In short, the difference between the two is that the DACL restricts access, while the SACL audits access.
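The access-mask layout and the DACL walk described above, as an added example that is not from the original page and not Microsoft's code: the right constants and the file GENERIC_MAPPING are the real winnt.h values, while the Ace and token shapes, the SIDs and the sample DACL are constructed stand-ins for the kernel structures. It also exercises the NULL-versus-empty DACL cases and an explicit deny outranking an allow for Administrators.

```python
"""Model of a Win32 access mask and of the DACL walk (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Bits 0-15: object-specific rights (file rights shown)
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0040, 0x0080, 0x0100
# Bits 16-20: standard rights common to every securable object
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
# Bit 24: right to read/write the SACL (needs SeSecurityPrivilege)
ACCESS_SYSTEM_SECURITY = 0x01000000
# Bits 28-31: generic rights, translated per object type before the check
GENERIC_ALL, GENERIC_EXECUTE, GENERIC_WRITE, GENERIC_READ = 0x10000000, 0x20000000, 0x40000000, 0x80000000

RIGHT_NAMES = {
    FILE_READ_DATA: "FILE_READ_DATA", FILE_WRITE_DATA: "FILE_WRITE_DATA",
    FILE_APPEND_DATA: "FILE_APPEND_DATA", FILE_READ_EA: "FILE_READ_EA",
    FILE_WRITE_EA: "FILE_WRITE_EA", FILE_EXECUTE: "FILE_EXECUTE",
    FILE_DELETE_CHILD: "FILE_DELETE_CHILD", FILE_READ_ATTRIBUTES: "FILE_READ_ATTRIBUTES",
    FILE_WRITE_ATTRIBUTES: "FILE_WRITE_ATTRIBUTES", DELETE: "DELETE",
    READ_CONTROL: "READ_CONTROL", WRITE_DAC: "WRITE_DAC", WRITE_OWNER: "WRITE_OWNER",
    SYNCHRONIZE: "SYNCHRONIZE", ACCESS_SYSTEM_SECURITY: "ACCESS_SYSTEM_SECURITY",
    GENERIC_ALL: "GENERIC_ALL", GENERIC_EXECUTE: "GENERIC_EXECUTE",
    GENERIC_WRITE: "GENERIC_WRITE", GENERIC_READ: "GENERIC_READ",
}

# GENERIC_MAPPING for file objects (FILE_GENERIC_* in winnt.h)
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = 0x000F0000 | SYNCHRONIZE | 0x1FF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | file bits

def map_generic(mask: int) -> int:
    """Replace generic bits with the file-specific rights they stand for (cf. RtlMapGenericMask)."""
    specific = mask & ~(GENERIC_ALL | GENERIC_EXECUTE | GENERIC_WRITE | GENERIC_READ)
    if mask & GENERIC_READ:    specific |= FILE_GENERIC_READ
    if mask & GENERIC_WRITE:   specific |= FILE_GENERIC_WRITE
    if mask & GENERIC_EXECUTE: specific |= FILE_GENERIC_EXECUTE
    if mask & GENERIC_ALL:     specific |= FILE_ALL_ACCESS
    return specific

def decode_mask(mask: int) -> list:
    """Name each set bit of an access mask; bits without a name are reported in hex."""
    return [RIGHT_NAMES.get(1 << b, f"0x{1 << b:08X}") for b in range(32) if mask & (1 << b)]

@dataclass
class Ace:
    kind: str   # "allow" (ACCESS_ALLOWED_ACE) or "deny" (ACCESS_DENIED_ACE); simplified model
    sid: str    # trustee SID string, e.g. "S-1-5-32-544" for BUILTIN\Administrators
    mask: int

def access_check(dacl: Optional[list], owner_sid: str, token_sids: set, desired: int) -> tuple:
    """Model of the kernel's DACL walk; returns (granted, reason).

    dacl is None models a NULL DACL (everyone gets everything); [] models an
    empty DACL (nobody gets anything). ACEs are evaluated strictly in list
    order: a deny ACE overlapping any outstanding requested bit ends the walk
    with a denial, allow ACEs accumulate rights, and the walk stops once
    nothing is outstanding.
    """
    desired = map_generic(desired)
    if dacl is None:
        return True, "NULL DACL: all access granted"
    remaining = desired
    # The owner is implicitly granted READ_CONTROL and WRITE_DAC before the DACL is consulted
    if owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue  # ACE is for a trustee not in this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.sid}: {decode_mask(ace.mask & remaining)}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
    if remaining:
        return False, f"no ACE grants {decode_mask(remaining)}"
    return True, "granted"

# Constructed sample: well-known BUILTIN SIDs plus hypothetical account SIDs
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"
ALICE, OWNER = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-500"
SAMPLE_DACL = [
    Ace("deny",  ALICE,  FILE_WRITE_DATA | FILE_APPEND_DATA),   # explicit deny sits first
    Ace("allow", ADMINS, FILE_ALL_ACCESS),
    Ace("allow", USERS,  FILE_GENERIC_READ | FILE_GENERIC_EXECUTE),
]
ALICE_TOKEN, ADMIN_TOKEN = {ALICE, USERS}, {OWNER, ADMINS}

if __name__ == "__main__":
    print(decode_mask(map_generic(GENERIC_READ)))
    for label, tok, want in [("alice read", ALICE_TOKEN, GENERIC_READ),
                             ("alice write", ALICE_TOKEN, GENERIC_WRITE),
                             ("admin all", ADMIN_TOKEN, GENERIC_ALL)]:
        print(label, access_check(SAMPLE_DACL, OWNER, tok, want))
```

Running it shows GENERIC_READ expanding to READ_CONTROL, FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES and SYNCHRONIZE, Alice's read granted by the Users ACE, her write stopped by the deny ACE before the Users ACE is ever reached, and the administrator's request satisfied by the Administrators ACE. Swapping in a DACL that denies Administrators FILE_READ_DATA ahead of an allow for FILE_ALL_ACCESS makes the administrator's read fail, which is the behaviour the "administrator override" folklore gets wrong.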
