An access-control list (ACL) contains information that controls access to an object or controls auditing of attempts to access an object. An ACL is an opaque structure that you can attach to the security descriptor of an object.
An ACL begins with a header in the form of an ACL structure. The header contains information pertaining to the entire ACL, including the revision level of the structure, the size (in bytes) of the ACL, and the number of access-control entries (ACEs) in the list. To retrieve this information, you can use the GetAclInformation function. To change the revision level, you can use the SetAclInformation function.
Following the ACL header is a list of access-control entries (ACEs). Each ACE specifies a trustee, a set of access rights, and a set of flags that indicate whether the rights are allowed, denied, or audited for the trustee. A trustee can be a user account, group account, or a logon account for a program such as a Windows NT service.
Security descriptors use access-control lists to allow, deny, or audit attempts to access the object to which the security descriptor is attached. A security descriptor can contain two types of ACLs: a discretionary ACL (DACL) and a system ACL (SACL).
In a DACL, each ACE specifies the types of access that are allowed or denied for a specified trustee. An object's owner controls the information in the object's DACL. For example, the owner of a file can use a DACL to control which users can have access to the file, and which users are denied access.
If the security descriptor for an object does not have a DACL, the object is not protected and the system allows all attempts to access the object. However, if an object has a DACL that contains no ACEs, the DACL does not grant any access rights. In this case, the system denies all attempts to access the object. For information about setting an object's DACL, see Allowing Access.
In a SACL, each ACE specifies the types of access attempts by a specified trustee that cause the system to generate audit records in the system event log. A system administrator controls the information in the object's SACL. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. In future releases, a SACL will also be able to raise an alarm when an unauthorized user attempts to gain access to an object.