Main Page | See live article | Alphabetical index

Access control list

The access control list (ACL) is a function of secure computing, used to enforce privilege separation.

The list is a data structure, usually a table, containing individual users or groups rights to specific system objects, such as a program, a process, or a file (in Microsoft-speak each entry in the ACL is an access control entry (ACE)). Each accessible object contains an identifier to its ACL. The privileges or permissions determine whether a user can read, write or execute in regard to a object.

The ACL is a concept, it is implemented differently by various operating system, although there is a POSIX standard.

ACL impementation can be quite complex, there can be the need for ACLs for the object, for directories and other containers, and for the objects and the containers created within this container. Different objects will also need different ACLs, rwx is enough for a file but there will need to be additional administrative privileges, while generalised security ACLs can have fifteen or more privileges set.

ACLs have been proven to be insecure under certain conditions and capability is considered a better control, with the authority transferred from the objects being accessed to the objects seeking access - allowing for much finer-grained control.

discretionary access control list (DAC or DACL), system access control list (SACL), Rule set based access control (RSBAC)