

Access Control Lists (ACLs) and Access Control Entries (ACEs)

Management of security and access to NTFS objects begins in the same place where everything else begins in NTFS: in the Master File Table (MFT). The MFT record for every file and directory on an NTFS volume contains a security descriptor (SD) attribute. The name of this attribute makes rather clear what it contains: information related to security and permissions for the corresponding object.

One of the most important elements within the security descriptor for any object is the set of lists within it, which dictate which users may access the object, and in what manner. These are called access control lists or ACLs. Every object in an NTFS partition has two different types of access control lists:

  • System Access Control List (SACL): This ACL is managed by the system (thus the name) and is used to control auditing of attempts to access the object.
  • Discretionary Access Control List (DACL): This is the "real" ACL. :^) Well, it is the one that most people are primarily concerned with, because it is where permissions are stored that control what users and groups of users are allowed what type of access to the object. If you hear someone refer to an object's ACL in the singular, this is the one they mean.

Each entry in an ACL is called an access control entry or ACE. Each ACE contains an ID code that identifies the user or group to which the ACE applies, and then information about the specific permission settings that are to be applied to that user or group. Many different ACEs can be placed into a list, allowing the access of various types to be granted or denied for a variety of different users and groups. Some groups have special meaning, such as the self-evidently named group "Everyone".

The ACL for every object is a combination of various access control settings contained in different ACEs. A typical object may have different sets of permissions assigned for various users or groups of users. In fact, some sets of permissions may conflict with each other, since users can be members of more than one group, and groups may have differing permissions. When an object is accessed, a process of permission resolution takes place, which determines which permissions take precedence and therefore, whether any given attempted access should be allowed or disallowed.

ACLs are also greatly affected by the particular inheritance model used by the operating system. Windows NT uses a static inheritance model, in which a new object's ACL is initialized from the ACL of its parent folder at the time the object is created. Windows 2000 uses a more advanced dynamic inheritance scheme that provides better control over how the ACLs for an object work, lets the ACLs of subfolders and files change automatically when their parent folder's ACL changes, and allows finer control over inheritance in general. This more advanced functionality can also be applied to Windows NT 4.0 installations using Service Pack 4 and the Security Configuration Manager (SCM).
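The three ideas above (ACEs as entries naming a trustee and a set of rights, ordered permission resolution in which a deny entry takes precedence, and inheritance of entries from a parent folder) can be made concrete with a small model. The following Python is an added example written for this page; it is not The PC Guide's code and not Windows' implementation. It parses ACEs from a DACL written in Windows' SDDL text format (the syntax, right abbreviations, access-mask values and well-known SID aliases are real, but only a subset is handled), runs the ordered allow/deny walk that Windows performs against a token's SIDs, and propagates object-inherit (OI) and container-inherit (CI) entries to child files and folders in the dynamic style. The SIDs in the sample tokens are constructed, and the inheritance model is simplified (the NO_PROPAGATE flag and canonical ACE re-ordering are not modelled).

```python
"""Toy model of NTFS DACL handling: parse ACEs from an SDDL string, run the
ordered allow/deny access check, and propagate inheritable ACEs to children.
Added example for this page, not The PC Guide's code and not Windows' own
implementation; SDDL syntax and mask values are real, but only a subset is
handled and inheritance is simplified."""
from dataclasses import dataclass

# Real SDDL aliases for some well-known SIDs (subset).
SID_ALIASES = {"BA": "S-1-5-32-544", "WD": "S-1-1-0", "SY": "S-1-5-18", "AU": "S-1-5-11"}
# Real SDDL right abbreviations mapped to the Windows file access masks (subset).
RIGHTS = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# Specific file rights used as request masks in the checks below.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x1, 0x2, 0x20


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: set      # SDDL ACE flags: OI, CI, IO (inherit only), ID (inherited)
    mask: int       # access mask: which rights this entry allows or denies
    sid: str        # trustee (user or group) the entry applies to


def parse_dacl(sddl: str) -> list:
    """Parse the DACL part of an SDDL string, e.g. 'D:(A;OICI;FA;;;BA)(D;;FW;;;WD)'."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    body = sddl[2:]
    body = body[body.find("("):] if "(" in body else ""  # drop control flags (P, AI, ...)
    aces = []
    for chunk in filter(None, body.split(")")):
        if not chunk.startswith("("):
            raise ValueError(f"malformed ACE near {chunk!r}")
        fields = chunk[1:].split(";")
        if len(fields) != 6:
            raise ValueError(f"an ACE has 6 ';'-separated fields: {chunk!r}")
        ace_type, flag_str, right_str, _obj, _inh_obj, sid_str = fields
        if ace_type not in ("A", "D"):
            raise ValueError(f"only allow/deny ACEs are modelled, got {ace_type!r}")
        flags = {flag_str[i:i + 2] for i in range(0, len(flag_str), 2)}
        if right_str.startswith("0x"):
            mask = int(right_str, 16)                   # SDDL also allows a hex mask
        else:
            mask = 0
            for i in range(0, len(right_str), 2):       # e.g. "FRFX" = FR | FX
                mask |= RIGHTS[right_str[i:i + 2]]
        aces.append(Ace(ace_type, flags, mask, SID_ALIASES.get(sid_str, sid_str)))
    return aces


def check_access(aces, token_sids, requested: int) -> bool:
    """Ordered DACL walk: the first deny ACE that names a SID in the token and
    covers a still-outstanding right fails the check; allow ACEs accumulate
    rights; whatever is not granted by the end is denied. An empty DACL (no
    ACEs at all) therefore denies everyone."""
    remaining = requested
    for ace in aces:
        if "IO" in ace.flags or ace.sid not in token_sids:
            continue  # inherit-only entries and non-matching trustees are skipped
        if ace.ace_type == "D" and ace.mask & remaining:
            return False
        if ace.ace_type == "A":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def inherit_aces(parent_aces, child_is_folder: bool) -> list:
    """ACEs a new child receives from its parent folder: OI entries flow to
    files and folders, CI entries to folders only. A folder keeps the OI/CI
    flags so the entry keeps propagating; an OI-only entry is marked IO on a
    folder because it applies to the folder's files, not the folder itself."""
    inherited = []
    for ace in parent_aces:
        applies = bool(ace.flags & {"OI", "CI"}) if child_is_folder else "OI" in ace.flags
        if not applies:
            continue
        flags = {"ID"}  # mark the copy as inherited rather than explicit
        if child_is_folder:
            flags |= ace.flags & {"OI", "CI"}
            if "CI" not in ace.flags:
                flags.add("IO")
        inherited.append(Ace(ace.ace_type, flags, ace.mask, ace.sid))
    return inherited


def effective_dacl(explicit_aces, parent_aces, is_folder: bool) -> list:
    """Dynamic inheritance: a child's DACL is its own explicit ACEs followed by
    whatever its parent currently propagates, so recomputing after the parent
    changes updates the child automatically."""
    own = [a for a in explicit_aces if "ID" not in a.flags]
    return own + inherit_aces(parent_aces, is_folder)


if __name__ == "__main__":
    parent = parse_dacl("D:(D;OICI;FW;;;WD)(A;OICI;FA;;;BA)(A;OICI;FR;;;AU)")
    admin = {"S-1-5-32-544", "S-1-5-11", "S-1-1-0"}  # constructed token: Administrators member
    print("admin read :", check_access(parent, admin, FILE_READ_DATA))   # allowed
    print("admin write:", check_access(parent, admin, FILE_WRITE_DATA))  # denied: deny ACE for Everyone wins
    for ace in effective_dacl([], parent, is_folder=True):
        print(ace)
```

The `check_access` walk shows why ACE order is part of the security decision: Windows' canonical order places deny entries before allow entries precisely so that a deny on a group cannot be pre-empted by an allow on one of its members. The `effective_dacl` recomputation is the dynamic behaviour the text attributes to Windows 2000; under the static NT model the same list would be copied once at creation and never refreshed.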



The PC Guide (http://www.PCGuide.com)
Site Version: 2.2.0 - Version Date: April 17, 2001
Copyright 1997-2004 Charles M. Kozierok. All Rights Reserved.
