The discretionary access control list (DACL) within the security descriptor provides the core of Windows security. The DACL is a list of entries that grant or deny certain rights to specific users or groups. A list entry is called an access control entry (ACE). Each ACE consists of the following:
The following is an example of a DACL:
In this DACL, Mrjones has read, write, and execute access to the file, members of the group ToolGroup have read-and-execute access, and members of the group Everyone (all users) have read-and-execute access.
The following rules govern access to a file:
In turn, these rules apply to the DACL:
For more information, see Understanding the Windows security descriptor.