Access Control Lists: What They Are & How They Work

An access control list details what permissions different users have in relation to a given object. Access control lists are a staple of the logical access controls that govern access on computer systems, dictating who has access to what.

Access controls structure access in terms of subjects and object. A subject, such as a user or application, accesses an object, which can be a file, device, database, or any other resource.

On a typical computer system, every object has its own access control list, or ACL. These access control lists are made up of access control entries, or ACEs. Each access control entry includes a security identifier, such as a username, that pertains to a specific subject or group of subjects. Alongside that identifier, the access control list also lists their privileges pertaining to the object in question.

Common access privileges include the rights to view, edit, or delete a given object. We’ll go over these privileges and more as we examine how access control lists work in Windows.

Access Control Lists in Windows

Windows, like macOS and most Linux operating systems, uses the discretionary access control model to structure access. Under discretionary access control, each object has an owner who can then hand out permissions to other subjects. You might explicitly allow access to a specific coworker, for instance, or an application might inherit the access privileges of the person who runs it.

You can view an access control list in Windows by right-clicking a file or folder, opening the object’s Properties, and then opening the Security tab on that window. You can see this panel in the screenshot below.

An access control list, as shown in the permissions panel in Windows 10.

The upper part of this window lists subjects, under the heading “Group or user names”. The lower section lists the permissions for the selected subject. Let’s go over what each of these permissions mean, going from the lowest to the highest level of access.

  • List folder contents: Allows a user to see the file names and subfolders contained in a folder, but permits no further access to view or edit the files themselves.
  • Read: Allows a user to view or copy the file or folder, or the items contained within a folder.
  • Read and execute: Includes all Read privileges, plus the ability to run applications.
  • Write: Includes all Read privileges, plus the ability to add files and subfolders.
  • Modify: Includes all Write privileges, plus the ability to modify or delete files and subfolders.
  • Full control: Includes all of the above permissions, plus the ability to change permissions for all files and subfolders.

For each of these settings, “Allow” means a user has the privilege in question; “Deny” means they do not.

Most systems operate on the implicit deny principle: if a user is not explicitly granted a permission, they do not have the permission and they are denied that type of access.

A user with “Full Control” does not necessarily have the same privileges as the object owner. Even if an object’s owner has no permissions assigned to them, they can still assign permissions at will. However, the owner or any user with full control can change the object’s owner. You can do so by clicking “Advanced” on the Security panel shown above.

The advanced security settings panel for an object in Windows 10.

You’ll see on this panel, the object owner is listed at the top, along with the ability to change the object’s Owner. Here you can also “Disable inheritance”, which means that applications will no longer inherit this object’s permissions from the user that runs the application.

The advanced security settings also allow administrators to set up Auditing, which tracks user interactions with the object, as well as to view the effective permissions for an object – this is a way at looking at a user’s permissions in greater detail.

Though Windows is built on a discretionary access foundation, you can also implement role-based access controls on Windows by making use of groups. Instead of allocating permissions to specific users, you might sort users into groups such as “Sales” and “Engineering” and then allocate permissions to those groups. For many companies, this is much easier than setting permissions on a case-by-case basis.

The access control list outlined above is a discretionary access control list, and it’s what most people mean when they talk about access control lists. But there’s one more type of access control list – read on.

System Access Control Lists

System access control lists (SACLs) set access across an entire computer system. Instead of dictating permissions on an object-by-object basis, system access control lists set security policies at the system level.

For instance, system access control lists determine which users can install and run software. An administrator can set rules based on file types: you could allow any user to download Microsoft Word files, but limit the ability to download and run executable files to local administrators.

You can also determine access based on the software’s publisher. You could allow downloads from a list of trusted publishers, such as Adobe, while restricting downloads from publishers that aren’t listed.

System access control lists are essential to implementing security standards at organizations. Without system access control lists, discretionary access control puts a lot of power in the hands of users, creating vulnerabilities that could otherwise be avoided.

Leave a Comment