Access Control List


Access Control List (ACL) is typically a list of Access Control permissions.

Internet Security Glossary (RFC 4949)#

Access Control List is a mechanism that implements Access Control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity. (Compare: access control matrix, access list, access profile, capability list.)


For EDirectory, the Access Control List is also the ACL (eDirectory Attribute).


Access Control List in Microsoft Active Directory is a sequential list of zero or more Access Control Entries (ACEs). The individual Access Control Entries in an Access Control List are numbered from 0 to n, where n+1 is the number of ACEs in the ACL. When editing an ACL, an application refers to an ACE within the ACL by the ACE's index.

There are two types of Access Control Lists:

Access Control Lists in Microsoft Active Directory and Microsoft Windows are contained within a Security Descriptor.
Microsoft says - Do not try to work directly with the contents of an Access Control List. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs.
Microsoft says - ACLs also provide access control to Microsoft Active Directory directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs.

Microsoft Active Directory: Access Control Lists (ACLs) are the mechanism by which a directory service tracks the access rights of each network entity represented in the directory. Proper management of ACLs is critical to the proper functioning of the directory as well as to simplified management. As an illustration of how ACLs function, consider an example of a user being granted access to a server. When the user is granted the right to access a given server, an entry is created in the server's ACL that records the type of access right granted to the user. When the user next tries to access that server, the directory checks the associated Server Object to see if the user is listed in its ACL. If the user is listed, the appropriate access is allowed.

Microsoft Active Directory does not maintain backlinks, and therefore the ACL for each resource to which the user has been granted access must be manually updated when processing the deletion of the user. To illustrate the significance of this problem, consider a realistic instance in which a user has been granted access to 20 resources. After deleting the user from AD, an erroneous reference to that user will continue to appear in the ACL for each of those 20 resources until the administrator manually edits the ACL for each of them or until an automated AD "clean up" function eventually removes them. In a large network, the scale of this problem and the resulting administrative costs are significant. AD's lack of backlinks also prevents administrators from easily determining the network resources to which a user has been granted access, which makes administrative actions that require this knowledge more difficult, and therefore more costly, to perform.
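As an added example (not code from this page or from Microsoft), the following PowerShell audits one resource's ACL for the stale entries described above: ACEs whose SID no longer resolves to any account because the principal was deleted. It assumes a path that Get-Acl accepts (a folder, a registry key, or an object under the AD: drive once the ActiveDirectory module is imported); the -Remove switch is a hypothetical parameter of this script, and without it the script only reports.

```powershell
# Added example: report (and optionally remove) ACEs whose SID no longer
# resolves to an account, i.e. the references left behind when a principal
# is deleted and the ACLs that name it are never cleaned up.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,
    # Hypothetical switch: only report unless it is given
    [switch]$Remove
)

$acl   = Get-Acl -Path $Path
$aces  = @($acl.Access)   # snapshot of the ACEs, indexed 0..n as in the text
$stale = @()

for ($i = 0; $i -lt $aces.Count; $i++) {
    $ace = $aces[$i]
    $id  = $ace.IdentityReference
    # A principal that cannot be resolved comes back as a raw SID
    # object rather than a DOMAIN\name NTAccount.
    if ($id -is [System.Security.Principal.SecurityIdentifier]) {
        try {
            $null = $id.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $stale += [pscustomobject]@{
                Index     = $i
                Sid       = $id.Value
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
            # Inherited ACEs cannot be removed here; fix them at the parent.
            if ($Remove -and -not $ace.IsInherited -and
                $PSCmdlet.ShouldProcess($Path, "Remove ACE $i for $($id.Value)")) {
                $null = $acl.RemoveAccessRule($ace)
            }
        }
    }
}

if ($Remove -and $stale.Count -gt 0) {
    Set-Acl -Path $Path -AclObject $acl
}
$stale
```

Run it over each resource the deleted principal had been granted access to; the Index column is the ACE index an application would use when editing the ACL.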
