The access control list (ACL) is a concept in computer security used to enforce privilege separation. It is a means of determining the appropriate access rights to a given object depending on certain aspects of the process that is making the request, principally the process's user identifier (in POSIX, effective UID).

The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file. These entries are known as access control entries (ACE) in the Microsoft Windows and OpenVMS operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

The ACL is a concept with several different implementations in various operating systems, although there is a POSIX "standard" (the POSIX security drafts, .1e and .2c, were withdrawn when it became clear their scope was too wide and the work would not complete, but the well-developed parts defining ACLs have been widely implemented and are known as "POSIX ACLs").

ACL implementations can be quite complex. ACLs can apply to objects, directories and other containers, and for the objects and the containers created within this container. ACLs cannot implement all of the security measures that one might wish to have on all systems, and a fine-grained capability-based operating system may be a better approach, with the authority transferred from the objects being accessed to the objects seeking access — allowing for much finer-grained control.

ACL is an abstract way to model and thus discuss the protection of resources in general. This was first done by Butler W. Lampson his 1971 paper Protection. In Authentication in distributed systems: theory and practice it is shown that ACL is in fact the most general way to express protection properties.

In networking, the term Access Control List (ACL) refers to a list of service ports or (network) daemon names that are available on a host, each with a list of hosts and/or networks permitted to use the service. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

See also

• Computer security
• Access Control Matrix
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
• Capability-based security
• TCP Wrappers

External links

• POSIX Access Control Lists on Linux
• RSBAC Access Control Lists on Linux
• C2-Wiki Discussion and Relational Implementation
• Information Security Definitions: ACL
• Generic Access Control Lists (PHP based)
• Easy and detailed ACL howto for linux
• Article "Security Briefs: Access Control List Editing in .NET" by Keith Brown
• MS Windows .NET ACL Technology
• What could have been IEEE 1003.1e/2c

Operating system security | System administration | 3-letter acronyms

Zugriffskontrollliste | Access Control List | Lista di controllo degli accessi | Access Control List | ACL | ACL