World Library  
Flag as Inappropriate
Email this Article

Access control list

Article Id: WHEBN0000061589
Reproduction Date:

Title: Access control list  
Author: World Heritage Encyclopedia
Language: English
Subject: NTFS, Computer access control, Windows Registry, Comparison of web application frameworks, List of information technology acronyms
Collection: Computer Access Control
Publisher: World Heritage Encyclopedia

Access control list

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.[1] Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.


  • ACL-based security models 1
  • Implementations 2
    • Filesystem ACLs 2.1
    • Networking ACLs 2.2
    • SQL implementations 2.3
  • Comparing with RBAC 3
  • See also 4
  • References 5
  • Further reading 6

ACL-based security models

When a subject requests an operation on an object in an ACL-based security model, the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, namely which users and processes are granted ACL-modification access.


Many kinds of systems implement ACL, or have a historical implementation.

Filesystem ACLs

In the 1990s the ACL and RBAC models were extensively tested and used to administrate file permissions. A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT,[2] OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

Most of the Unix and Unix-like operating systems (e.g. Linux,[3] BSD, or Solaris) support POSIX.1e ACLs, based on an early POSIX draft that was abandoned. Many of them, for example AIX, FreeBSD,[4] Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem,[5] support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for Ext3 filesystem[6] and recent Richacls,[7] which brings NFSv4 ACLs support for Ext4 filesystem.

Networking ACLs

On some types of proprietary computer hardware (in particular routers and switches), an Access Control List refers to rules that are applied to port numbers or IP Addresses that are available on a host or other layer 3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure Access Control Lists based on network domain names, this is generally a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the Access Control List must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise security of the system which the Access Control List is protecting. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like Firewalls, ACLs are subject to security regulations and standards such as PCI DSS.

SQL implementations

ACL algorithms have been ported to SQL and relational database systems. Many "modern" (2000's and 2010's) SQL based systems, like Enterprise resource planning and Content management systems, have used ACL model in their administration modules.

Comparing with RBAC

The main alternative to the ACL model is the Role-based access control (RBAC) model. A "minimal RBAC Model", RBACm, can be compared with an ACL mechanism, ACLg, where only groups are permitted as entries in the ACL. Barkley (1997)[8] showed that RBACm and ACLg are equivalent.

In modern SQL implementations, ACL also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC express, and are notably powerful (compared to "old ACLs") in their ability to express access control policy in terms of the way in which administrators view organizations.

For data interchange, and for "high level comparisons", ACL data can be translated to XACML.[9]

See also


  1. ^ RFC 4949
  2. ^ "Managing Authorization and Access Control".  
  3. ^ "Red Hat Enterprise Linux AS 3 Release Notes (x86 Edition)".  
  4. ^ "NFSv4 ACLs".  
  5. ^ "Chapter 8 Using ACLs and Attributes to Protect ZFS Files".  
  6. ^ Grünbacher, Andreas (May 2008). "Native NFSv4 ACLs on Linux".  
  7. ^ Grünbacher, Andreas (July–September 2010). "Richacls - Native NFSv4 ACLs on Linux". Retrieved 2013-04-08. 
  8. ^ J. Barkley (1997) " Comparing simple role based access control models and access control lists", In "Proceedings of the second ACM workshop on Role-based access control", pages 127-132.
  9. ^ G. Karjoth, A. Schade and E. Van Herreweghen (2008) "Implementing ACL-based Policies in XACML", In "2008 Annual Computer Security Applications Conference".

Further reading

  1. Rhodes, Tom. "File System Access Control Lists (ACLs)". FreeBSD Handbook. Retrieved 2013-04-08. 
  2. Michael Fox, John Giordano, Lori Stotler, Arun Thomas (2005-08-24). "SELinux and grsecurity: A Case Study Comparing Linux Security Kernel Enhancements".  
  3. Hinrichs, Susan (2005). "Operating System Security". CyberSecurity Spring 2005.  
  4. Mitchell, John. "Access Control and Operating System Security".  
  5. Clarkson, Michael. "Access Control".  
  6. Klein, Helge (2009-03-12). "Permissions: A Primer, or: DACL, SACL, Owner, SID and ACE Explained". Retrieved 2013-04-08. 
  7. "Access Control Lists".  
  8. "How Permissions Work".  
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.