The discretionary access control list (DACL) within the security descriptor provides an important part of Windows security. The DACL is a list of entries that grant or deny certain rights to specific users or groups. A list entry is called an access control entry (ACE). Each ACE consists of the following:

  • A security identifier (SID) to identify a particular user or group

  • An access list that specifies the permissions allowed or denied for the user or group

The following is an example of a DACL:

  • User1: Full Control (All)

  • ToolGroup: Read (RX)

  • Everyone: Read (RX)

In this DACL, User1 has full control of the file (read, write, and execute access). Members of the group ToolGroup have read and execute access. Members of the group Everyone (that is, all users) have read and execute access.

The following rules govern access to a file:

  • If no DACL is present, everyone is granted full access.

  • If a DACL is present, but contains no entries, everyone is denied access.

  • The file owner always has the ability to change the DACL.

In turn, these rules govern how the entries of a DACL are evaluated:

  • DACL entries (ACEs) are evaluated sequentially, in the order they appear.

  • Any permission not explicitly granted by an entry is implicitly denied.

  • Once a permission has been denied, it cannot be granted.

  • Once a permission has been granted, it cannot be denied.
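The file rules and the ACE evaluation rules above, as a small Python model added here (not code from the original text, and not the real Windows AccessCheck implementation); the right bits, the hypothetical WRITE_DAC right used to model "the owner can always change the DACL", and the example DACL built from the page are constructed for illustration:

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-right bits; ALL corresponds to the page's "Full Control (All)".
READ, WRITE, EXECUTE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8
ALL = READ | WRITE | EXECUTE | WRITE_DAC

@dataclass
class Ace:
    sid: str            # user or group the entry applies to
    mask: int           # rights this entry allows or denies
    deny: bool = False  # True for an access-denied entry

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]  # None = no DACL present; [] = DACL present but empty

def access_check(sd: SecurityDescriptor, token_sids: Set[str], desired: int) -> bool:
    """True only if every bit in `desired` is granted to a caller holding `token_sids`."""
    if sd.dacl is None:                 # rule: no DACL -> everyone is granted full access
        return True
    remaining = desired
    if sd.owner in token_sids:          # rule: the owner can always change the DACL
        remaining &= ~WRITE_DAC         # (modelled as an implicit WRITE_DAC grant, assumption)
    for ace in sd.dacl:                 # rule: entries are evaluated sequentially
        if remaining == 0:
            break                       # everything requested is already granted
        if ace.sid not in token_sids:
            continue                    # entry is for another user or group
        if ace.deny:
            if ace.mask & remaining:    # a still-undecided bit is denied: it cannot be
                return False            # granted by any later entry
        else:
            remaining &= ~ace.mask      # granted bits cannot be denied by a later entry
    return remaining == 0               # rule: anything never granted is implicitly denied

# The DACL from the page: User1 Full Control, ToolGroup RX, Everyone RX.
PAGE_SD = SecurityDescriptor(owner="User1", dacl=[
    Ace("User1", ALL),
    Ace("ToolGroup", READ | EXECUTE),
    Ace("Everyone", READ | EXECUTE),
])

if __name__ == "__main__":
    print(access_check(PAGE_SD, {"User1", "Everyone"}, ALL))               # True
    print(access_check(PAGE_SD, {"Bob", "ToolGroup", "Everyone"}, WRITE))  # False
    print(access_check(SecurityDescriptor("Alice", []), {"Alice"}, READ))  # False
```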