DACLs

A discretionary access control list (DACL) is a security component attached to a securable object that specifies who may access the object and with what operations. It is composed of a set of access control entries (ACEs), each describing a trustee (identified by a security identifier, or SID), a set of permissions, and whether the entry allows or denies those permissions.

The DACL is part of an object's security descriptor, along with information about the object's owner and, separately, a system access control list (SACL) used for auditing. The DACL determines ordinary access rights, while the SACL specifies which security-related events, such as successful or failed access attempts, are recorded in the audit log.

Access decisions are made by evaluating the ACEs in the DACL in order, from top to bottom, against the rights requested by the caller and the SIDs in the caller's access token. ACEs whose trustee is not in the token are skipped. If a matching deny ACE covers any requested right that has not yet been granted, access is denied and evaluation stops. Matching allow ACEs accumulate granted rights; once every requested right has been granted, access is allowed. If the end of the DACL is reached with requested rights still outstanding, access is denied by default. Because evaluation is order-dependent, Windows keeps DACLs in a canonical order (explicit deny entries, then explicit allow entries, then inherited entries in the same order); a DACL in which an allow entry precedes a deny entry for the same trustee can grant access that the deny was meant to block. A special case occurs when a DACL is not present at all (a NULL DACL): in that situation, all access is allowed to all users. This is distinct from an empty DACL, which is present but contains no ACEs and therefore grants no access to anyone. Independently of the DACL, the object's owner is always implicitly allowed to read and change it.

DACLs support inheritance, enabling ACEs to propagate to child objects. Inheritance flags on each ACE specify whether it applies to child containers (such as subdirectories or subkeys), to child non-container objects (such as files or values), whether it applies only to children rather than to the object carrying it, and whether it is passed on to further generations. An ACE copied to a child is marked as inherited, which is how tools distinguish explicit entries from inherited ones. The object owner generally controls who can modify the DACL; administrative privileges may also grant or restrict this capability.

DACLs are a key element of discretionary access control, as opposed to mandatory access control, where access decisions are determined by system-wide policies rather than object owners. They are commonly used to manage permissions on Windows NTFS files, registry keys, services, and other securable objects. Because an overly permissive DACL on such an object (for example, a service binary or registry key writable by unprivileged users) can be turned into local privilege escalation, reviewing DACLs is a routine step in both system hardening and penetration testing.
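The evaluation rules and inheritance behaviour described above, modelled in Python as an added example. This is not code from the original article, and on a real system the check is performed by the Windows kernel (AccessCheck) rather than by user code; the rights values, flag constants, SIDs and helper names (access_check, is_canonical, inherit, demo) are illustrative assumptions chosen to make the rules visible.

```python
"""Model of DACL evaluation and inheritance (added example; not the article's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Rights bits: values mirror Windows standard rights, but only their distinctness matters here.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000
# ACE header flags (OBJECT_INHERIT, CONTAINER_INHERIT, NO_PROPAGATE, INHERIT_ONLY, INHERITED).
OI, CI, NP, IO, INHERITED = 0x1, 0x2, 0x4, 0x8, 0x10
ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class ACE:
    kind: str       # ALLOW or DENY
    sid: str        # trustee SID, e.g. "S-1-1-0" (Everyone)
    mask: int       # rights this entry allows or denies
    flags: int = 0  # inheritance flags from the list above


def access_check(dacl: Optional[List[ACE]], token: Set[str], desired: int,
                 owner: Optional[str] = None) -> bool:
    """True if a token holding the SIDs in `token` is granted every bit of `desired`.

    NULL DACL (None) grants everything; an empty list grants nothing.  The owner
    implicitly holds READ_CONTROL and WRITE_DAC.  A deny ACE for a held SID that
    covers any still-ungranted bit denies outright; allow ACEs accumulate bits.
    Denies only consider *remaining* bits, so an allow placed before a deny
    quietly defeats it (the non-canonical-order trap).
    """
    if dacl is None:
        return True
    remaining = desired
    if owner is not None and owner in token:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:
        if ace.flags & IO or ace.sid not in token:
            continue  # inherit-only ACEs never apply to the object that carries them
        if ace.kind == DENY and ace.mask & remaining:
            return False
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def is_canonical(dacl: List[ACE]) -> bool:
    """Canonical order: explicit before inherited, deny before allow within each group."""
    rank = [(bool(a.flags & INHERITED), a.kind == ALLOW) for a in dacl]
    return rank == sorted(rank)


def inherit(parent_dacl: List[ACE], child_is_container: bool) -> List[ACE]:
    """ACEs a newly created child receives from its parent's DACL."""
    child = []
    for a in parent_dacl:
        if not a.flags & (OI | CI):
            continue                          # not inheritable
        if not child_is_container:
            if not a.flags & OI:
                continue                      # CI-only ACEs skip non-containers
            flags = INHERITED                 # effective on the leaf; nothing below it
        elif a.flags & CI:
            flags = INHERITED                 # effective on the sub-container...
            if not a.flags & NP:
                flags |= a.flags & (OI | CI)  # ...and carried on unless NO_PROPAGATE
        else:
            if a.flags & NP:
                continue                      # OI-only + NP: dead entry, dropped (simplified)
            flags = INHERITED | IO | OI       # OI-only: passes through the container
        child.append(ACE(a.kind, a.sid, a.mask, flags))
    return child


def demo() -> Dict[str, bool]:
    """Constructed scenario; the SIDs below are illustrative, not real accounts."""
    EVERYONE, ADMINS, ALICE = "S-1-1-0", "S-1-5-32-544", "S-1-5-21-1-2-3-1001"
    alice = {EVERYONE, ALICE}
    canonical = [ACE(DENY, ALICE, WRITE), ACE(ALLOW, EVERYONE, READ | WRITE)]
    swapped = list(reversed(canonical))       # same ACEs, allow placed before deny
    folder = [ACE(DENY, ALICE, WRITE, CI),
              ACE(ALLOW, ADMINS, READ | WRITE | EXECUTE, OI | CI),
              ACE(ALLOW, EVERYONE, READ, OI | CI | NP)]   # one generation only
    file_in_folder = inherit(folder, child_is_container=False)
    subfolder = inherit(folder, child_is_container=True)
    file_in_subfolder = inherit(subfolder, child_is_container=False)
    return {
        "canonical_blocks_write": access_check(canonical, alice, WRITE),
        "swapped_leaks_write": access_check(swapped, alice, WRITE),
        "swapped_is_canonical": is_canonical(swapped),
        "null_dacl_grants_all": access_check(None, {EVERYONE}, READ | WRITE | WRITE_DAC),
        "empty_dacl_grants_none": access_check([], alice, READ),
        "owner_keeps_write_dac": access_check([], alice, WRITE_DAC, owner=ALICE),
        "everyone_reads_file": access_check(file_in_folder, {EVERYONE}, READ),
        "everyone_reads_nested_file": access_check(file_in_subfolder, {EVERYONE}, READ),
        "admins_read_nested_file": access_check(file_in_subfolder, {ADMINS}, READ),
        "subfolder_is_canonical": is_canonical(subfolder),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "swapped" case is the one worth remembering: the same two ACEs grant or block Alice's write depending only on their order, which is why a DACL that fails the canonical-order check deserves a closer look. The NO_PROPAGATE entry shows the difference between an ACE that reaches one generation of children and one that flows down the whole tree. On a live system the equivalent inspection is done with Get-Acl or icacls rather than with a model like this one.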