Access Control Entries
An access control entry (ACE) is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee. For information about adding, removing, or changing the ACEs in an object's ACLs, see Modifying the ACLs of an Object in C++.
There are six types of ACEs, three of which are supported by all securable objects. The other three types are Object-specific ACEs supported by directory service objects.
All types of ACEs contain the following access control information:
- A security identifier (SID) that identifies the trustee to which the ACE applies.
- An access mask that specifies the access rights controlled by the ACE.
- A flag that indicates the type of ACE.
- A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.
The following table lists the three ACE types supported by all securable objects.
| Type | Description |
|---|---|
| Access-denied ACE | Used in a discretionary access control list (DACL) to deny access rights to a trustee. |
| Access-allowed ACE | Used in a DACL to allow access rights to a trustee. |
| System-audit ACE | Used in a system access control list (SACL) to generate an audit record when the trustee attempts to exercise the specified access rights. |
For a table of object-specific ACEs, see Object-specific ACEs.
Note
System-alarm object ACEs are not currently supported.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for