Understanding the discretionary access control list

The discretionary access control list (DACL) within the security descriptor provides the core of Windows security. The DACL is a list of entries that grant or deny certain rights to specific users or groups. A list entry is called an access control entry (ACE). Each ACE consists of the following:

• A security identifier (SID) to identify a particular user or group.
• An access list that specifies the permissions allowed or denied for the user or group.

The following is an example of a DACL:

• DACL: Mrjones Full Control (All)
• ToolGroup Read(RX)
• Everyone Read (RX)

In this DACL, Mrjones has read, write, and execute access to the file, members of the group ToolGroup have read-and-execute access, and members of the group Everyone (all users) have read-and-execute access.

The following rules govern access to a file:

• If no DACL is present, everyone is granted full access.
• If a DACL is present, but contains no entries, everyone is denied access.
• The file owner always has the ability to change the DACL.

In turn, these rules apply to the DACL:

• DACL entries are searched sequentially.
• All permissions are implicitly denied.
• Once a permission has been denied, it cannot be granted.
• Once a permission has been granted, it cannot be denied.

For more information, see Understanding the Windows security descriptor.