What is an Access Control List?

An access control list (ACL) is an attachment to a file, directory, or other object that provides information about permissions associated with the object. If there is no access control list, anyone can interact with the object and do anything with it. If a list is present, however, access and activities are limited to people on the list and the abilities of individual users may be restricted at different levels.

The list can specify users, roles, or groups. Users are individual users who are registered in the system, such as an office network. Roles are titles that are assigned to people. For example, a user might have the role “System Administrator.” When an access control list restricts access to certain roles, only people in those roles will be able to manipulate the object. Groups are collections of users who are registered together, such as “Secretarial Pool.”

Access control lists can determine who is allowed to view, edit, delete, or move an object. This is useful for security, and it can also prevent mistakes. For example, system administrators can limit access to key system files so that people who are not experienced will not accidentally alter, delete, or move those files and cause a problem. Likewise, a file could be made read-only for everyone except one user, so that other people on the network who access the file cannot make changes to it.
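The model described so far (an object with no list is unrestricted; a list names users, roles, or groups and the actions each may perform) can be written out as a short Python example. It is added here for illustration and is not from the original article; the class names, function names, and sample users are constructed.

```python
from dataclasses import dataclass, field

PERMISSIONS = {"view", "edit", "delete", "move"}  # the actions the article names

@dataclass(frozen=True)
class Principal:
    """A registered user plus the roles and groups assigned to them."""
    user: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

@dataclass
class AccessControlList:
    # Each entry is (kind, name, allowed actions); kind is "user", "role" or "group".
    entries: list = field(default_factory=list)

    def allow(self, kind, name, *actions):
        unknown = set(actions) - PERMISSIONS
        if kind not in ("user", "role", "group") or unknown:
            raise ValueError(f"bad ACL entry: {kind!r} {name!r} {sorted(unknown)}")
        self.entries.append((kind, name, frozenset(actions)))
        return self

    def permits(self, who, action):
        # A principal matches an entry by user name, by role, or by group.
        names = {"user": {who.user}, "role": who.roles, "group": who.groups}
        return any(name in names[kind] and action in actions
                   for kind, name, actions in self.entries)

def is_allowed(acl, who, action):
    """Decision rule as the article states it: no list means no restriction."""
    if action not in PERMISSIONS:
        raise ValueError(f"unknown action: {action!r}")
    if acl is None:
        return True
    return acl.permits(who, action)  # not on the list, or not granted: refused

# Constructed sample data (hypothetical users and objects).
alice = Principal("alice", roles=frozenset({"System Administrator"}))
bob = Principal("bob", groups=frozenset({"Secretarial Pool"}))
mallory = Principal("mallory")

# Key system file: only the System Administrator role may touch it.
system_file = AccessControlList().allow(
    "role", "System Administrator", "view", "edit", "delete", "move")
# Report: read-only for the Secretarial Pool, editable by one user.
report = (AccessControlList()
          .allow("user", "alice", "view", "edit")
          .allow("group", "Secretarial Pool", "view"))
```

The list here only grants access; anyone who matches no entry for an action is refused, which is how the read-only report stays unchanged by everyone except the one named user.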

Using an access control list for security is part of capability-based security, in which layers of security are provided through the use of tokens that are provided by users of the system. A token provides information about a user’s authority, and it is matched against permissions that determine whether or not the user is authorized to perform a given action. This method makes security highly flexible, because individual files and directories can have different permissions.

The access control list is only as good as the security of individual identities on a network. If people do not use passwords or use weak passwords, it is possible to hijack their identities and use them in the system. If a system is penetrated with a keystroke logger or similar malware, it can also become compromised and make it possible for an unauthorized person to enter the system. This is why security is organized in layers, so that a weakness in one area will not bring down the whole system.