Access Control Entry

Overview#

Access Control Entry (ACE) is an entry in a Microsoft Windows Access Control List (ACL).

An Access Control Entry contains a set of access permissions and a Security Identifier (SID) that identifies the trustee for whom those rights are allowed, denied, or audited.

There are six types of Access Control Entries, three of which are supported by all securable objects.

The other three types are Object-specific ACEs supported by directory service objects.

All Access Control Entry Types contain the following Access Control information:

  • Security Identifier (SID) that identifies the trustee to which the Access Control Entry applies.
  • MS Access Mask - A 32-bit value that specifies the rights that are allowed or denied by the Access Control Entry. An access mask is also used to request access rights when an object is opened.
  • A flag that indicates the Access Control Entry Type.
  • A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.

Access Control Entry Inheritance#

Access Control Entry Inheritance lets a child object receive ACEs from its parent in an object hierarchy. For example, a registry subkey can inherit ACEs from the key above it in the hierarchy. Likewise, a file in an NTFS file system can inherit ACEs from the directory that contains it.

The ACE_HEADER structure of an ACE contains a set of inheritance flags that control ACE inheritance and the effect of an ACE on the object to which it is attached. The system interprets the inheritance flags and other inheritance information according to the rules of ACE inheritance.
These rules have the following features:

  • Support for automatic propagation of inheritable ACEs.
  • A flag that differentiates between inherited ACEs and ACEs that were directly applied to an object.
  • Object-specific ACEs that allow you to specify the type of child object that can inherit the ACE.
  • The ability to prevent a Discretionary Access Control List or System Access Control List from inheriting ACEs by setting the
    • SE_DACL_PROTECTED or
    • SE_SACL_PROTECTED bits in the Security Descriptor's control bits except for SYSTEM_RESOURCE_ATTRIBUTE_ACE and SYSTEM_SCOPED_POLICY_ID_ACE.
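The ACE fields listed in the Overview (type, inheritance flags, access mask, SID) and the inherited-versus-explicit distinction described above, as an added example that is not part of the original page: a small Python encoder and decoder for the binary ACE_HEADER layout used by ACCESS_ALLOWED, ACCESS_DENIED and SYSTEM_AUDIT ACEs. The sample DACL bytes are constructed here; the helper names (encode_sid, build_ace, parse_acl, explicit_aces) are this example's own.

```python
import struct

# ACE_HEADER.AceType values for the three ACE types every securable object supports
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}
# ACE_HEADER.AceFlags inheritance bits
ACE_FLAGS = {0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
             0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE",
             0x10: "INHERITED_ACE"}

def encode_sid(sid):
    """'S-1-5-32-544' -> binary SID: revision, sub-authority count, 48-bit authority, sub-authorities."""
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def decode_sid(data, off):
    """Binary SID at offset -> (string form, bytes consumed)."""
    rev, count = data[off], data[off + 1]
    auth = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_ace(ace_type, ace_flags, mask, sid):
    """ACE_HEADER (AceType, AceFlags, AceSize) followed by the access mask and the SID."""
    body = struct.pack("<I", mask) + encode_sid(sid)
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body

def parse_acl(data):
    """Walk a run of ACEs (as stored in a DACL or SACL), stepping by AceSize."""
    aces, off = [], 0
    while off < len(data):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, off)
        mask = struct.unpack_from("<I", data, off + 4)[0]
        sid, _ = decode_sid(data, off + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, "OTHER"),
                     "flags": [n for b, n in ACE_FLAGS.items() if ace_flags & b],
                     "mask": mask, "sid": sid})
        off += ace_size
    return aces

def explicit_aces(aces):
    """ACEs applied directly to the object, i.e. those without INHERITED_ACE set."""
    return [a for a in aces if "INHERITED_ACE" not in a["flags"]]

# Constructed sample DACL (not taken from a real system): an explicit GENERIC_ALL
# (0x10000000) allow for BUILTIN\Administrators that propagates to child containers
# and objects, then a GENERIC_WRITE (0x40000000) deny for Everyone that this object
# inherited from its parent.
SAMPLE_ACL = (build_ace(0x00, 0x01 | 0x02, 0x10000000, "S-1-5-32-544")
              + build_ace(0x01, 0x10, 0x40000000, "S-1-1-0"))

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_ACL):
        print(ace)
```

Separating explicit from inherited ACEs this way is the first step when auditing why an object's effective permissions differ from its parent's.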

More Information#

There might be more information for this subject on one of the following: