Access-Control Entries (ACEs)

An access-control entry (ACE) is an element in an access-control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee. For information about adding, removing, or changing the ACEs in an object's ACLs, see Modifying an Object's ACLs.

Windows NT currently supports six types of ACEs. There are three ACE types supported by all securable objects. In addition, there are three types of object-specific ACEs supported by directory service objects.

All types of ACEs contain the following access-control information:

A security identifier (SID) that identifies the trustee that the ACE applies to.
An access mask that specifies the access rights controlled by the ACE.
A flag that indicates the type of ACE.
A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.

The following table lists the three ACE types supported by all securable objects.

Type	Description
Access-denied ACE	Used in a DACL to deny access rights to a trustee.
Access-allowed ACE	Used in a DACL to allow access rights to a trustee.
System-audit ACE	Used in a SACL to generate an audit record when the trustee attempts to exercise the specified access rights.

For a table of object-specific ACEs, see Object-Specific ACEs. Windows NT does not currently support system-alarm ACEs.