Access Control Lists (ACLs) and Access Control Entries (ACEs)

In this section, you’ll review the definitions of access control lists and access control entries, then take a closer look at these important security features. An access control list (ACL) is made up of access control entries (ACEs). Each ACE contains at least two items: a security identifier (SID) and the set of access rights that are allowed, denied, or audited for that SID. A SID is a unique value assigned to a user, group, or computer account when the account is first created.

NOTE

Most ACLs contain access control entries, but an ACL can also be empty. What an empty list means depends on the operating system. In Windows, for example, an empty DACL grants no one any access, whereas an object with no DACL at all (a null DACL) grants everyone full access.

TABLE 5-1 provides an example of ACL permissions and what they mean. These permissions define the capabilities that are given or denied to the access control subject.

TABLE 5-1 ACL permissions
Permission      Definition
Delete          Allows the object to be deleted
Read            Allows the object to be read
Write           Allows the object to be written to
Modify          Allows read, write, execute, and delete, but not changing the object’s permissions
Execute         Allows a program to be executed
Full Control    Allows every ability, including changing permissions and taking ownership
No Access       Denies all access to the object

An ACL is bound to any object that has security permissions, such as a file, directory, port, process, or event. An ACL can be used in applications, operating systems, and configuration of network devices such as routers. There are two types of access control lists:

  • Discretionary access control list (DACL)—Contains ACEs that allow or deny subjects permission to interact with objects
  • System access control list (SACL)—Contains ACEs that allow system administrators to require auditing of the success and failure of attempted interactions with objects

A SACL is usually established by a systems administrator. A DACL is set up by the owner of an object. An object’s ACL may have many ACEs associated with it, and some of them can conflict, for example when a user belongs to several groups that have been given different permissions. How such a conflict is resolved depends on the operating system, such as Windows or UNIX. The rule most systems apply is that deny overrides allow: allow permissions gathered from multiple group memberships accumulate, but an explicit deny takes precedence over any allow. This is a conflict-resolution rule; it should not be confused with the principle of least privilege, which states that a subject should be granted only the permissions its task requires. For example, let’s say Kevin is an employee who has been granted access rights. He has Full Control (the most permissive setting) through one group membership and No Access (an explicit deny) applied to his own account, which causes a conflict. The deny wins, so Kevin is provided no access. One caveat for Windows administrators: ACEs are evaluated in the order they appear in the list, with explicit entries ahead of inherited ones and, within each group, deny entries ahead of allow entries. An explicit allow on an object can therefore still override a deny inherited from a parent folder.

NOTE

When people discuss an ACL, they’re usually referring to the DACL. If no ACE in the DACL grants the subject the access it requested, the system applies an implicit “deny” and refuses access.
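The following is an added example, not code from the page or from Microsoft, that models how a DACL and SACL are evaluated in the Windows style: ACEs walked in list order, allow rights accumulating, a matching deny failing the check, the implicit deny at the end of the list, and the empty-DACL versus null-DACL distinction from the note above. The access-right names are simplified stand-ins for the Win32 access mask, and the domain SIDs and the "Kevin" and "Finance" accounts are constructed for the example; only S-1-1-0 (Everyone) and the 513 RID (Domain Users) are real well-known values.

```python
"""Simplified Windows-style access check over a DACL and SACL.

Added illustrative example; not code from the page's authors or from Microsoft.
Right names are simplified stand-ins for the Win32 access mask, and the domain
SIDs (S-1-5-21-1-1-1-*) are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Access rights as bit flags (simplified names, not the real Win32 constants).
READ, WRITE, EXECUTE, DELETE, WRITE_DAC = 1, 2, 4, 8, 16
MODIFY = READ | WRITE | EXECUTE | DELETE      # Modify: cannot change permissions
FULL_CONTROL = MODIFY | WRITE_DAC              # Full Control: includes permissions

EVERYONE = "S-1-1-0"                           # real well-known SID, in every token
KEVIN = "S-1-5-21-1-1-1-1105"                  # constructed user SID
DOMAIN_USERS = "S-1-5-21-1-1-1-513"            # constructed domain SID, real RID 513
FINANCE = "S-1-5-21-1-1-1-2001"                # constructed group SID


@dataclass
class ACE:
    sid: str                     # SID the entry applies to
    kind: str                    # "allow" / "deny" (DACL) or "audit" (SACL)
    mask: int                    # access rights the entry covers
    audit_success: bool = False  # SACL only: record successful use
    audit_failure: bool = False  # SACL only: record failed attempts


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[list]         # None = null DACL (unprotected); [] = empty DACL
    sacl: list = field(default_factory=list)


def check_access(sd, token_sids, requested):
    """Return (granted, audit_events) for a token holding token_sids.

    The DACL is walked in list order: a deny ACE matching the caller and
    overlapping any still-unsatisfied right fails the check at once; allow
    ACEs accumulate until every requested right is covered. Running off the
    end of the list (or an empty DACL) is the implicit deny.
    """
    if sd.dacl is None:
        granted = True                        # null DACL: everyone gets everything
    else:
        granted, remaining = False, requested
        for ace in sd.dacl:
            if ace.sid not in token_sids:
                continue
            if ace.kind == "deny" and ace.mask & remaining:
                break                         # the deny reached first wins
            if ace.kind == "allow":
                remaining &= ~ace.mask
                if remaining == 0:
                    granted = True
                    break
    # SACL: emit an audit record where an entry asks for this outcome.
    events = []
    for ace in sd.sacl:
        if ace.kind == "audit" and ace.sid in token_sids and ace.mask & requested:
            if granted and ace.audit_success:
                events.append(("success", ace.sid, requested))
            if not granted and ace.audit_failure:
                events.append(("failure", ace.sid, requested))
    return granted, events


def kevin_scenario():
    """Text's conflict: Full Control via Domain Users, explicit deny on Kevin.
    Canonical order puts deny first, so the read fails and the SACL logs it."""
    sd = SecurityDescriptor(
        owner="S-1-5-21-1-1-1-500",
        dacl=[ACE(KEVIN, "deny", FULL_CONTROL), ACE(DOMAIN_USERS, "allow", FULL_CONTROL)],
        sacl=[ACE(EVERYONE, "audit", FULL_CONTROL, audit_success=True, audit_failure=True)],
    )
    return check_access(sd, {KEVIN, DOMAIN_USERS, EVERYONE}, READ)


def group_rights_accumulate():
    """READ from one group plus WRITE from another satisfies READ|WRITE."""
    sd = SecurityDescriptor(owner=KEVIN, dacl=[ACE(DOMAIN_USERS, "allow", READ),
                                               ACE(FINANCE, "allow", WRITE)])
    return check_access(sd, {KEVIN, DOMAIN_USERS, FINANCE, EVERYONE}, READ | WRITE)[0]


def explicit_allow_beats_inherited_deny():
    """Explicit ACEs sort ahead of inherited ones, so this allow is seen first."""
    sd = SecurityDescriptor(owner=KEVIN, dacl=[ACE(KEVIN, "allow", READ),          # explicit
                                               ACE(DOMAIN_USERS, "deny", READ)])   # inherited
    return check_access(sd, {KEVIN, DOMAIN_USERS, EVERYONE}, READ)[0]


def empty_vs_null_dacl():
    """Empty DACL denies everyone; null DACL protects nothing."""
    token = {KEVIN, EVERYONE}
    return (check_access(SecurityDescriptor(KEVIN, []), token, READ)[0],
            check_access(SecurityDescriptor(KEVIN, None), token, READ)[0])


if __name__ == "__main__":
    print(kevin_scenario(), group_rights_accumulate(),
          explicit_allow_beats_inherited_deny(), empty_vs_null_dacl())
```

Run it with `python3` to see the four outcomes. The model deliberately stops evaluating as soon as a deny matches, which is why the order of entries matters: if the Domain Users allow were listed ahead of Kevin's deny, the read would succeed, so tools that write ACLs keep them in canonical order to make deny-overrides-allow hold for explicit entries.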

Confidentiality, Integrity, and Availability

Confidentiality, integrity, and availability (C-I-A) are large components of access control. In order to define risk associated with a subject accessing an object, you must understand the object and the system being accessed. The following are brief descriptions of the components of C-I-A:

  • Confidentiality—Ensuring the right information is seen only by subjects that are authorized to see it
  • Integrity—Ensuring a system is not changed by a subject that is not authorized to do so
  • Availability—Ensuring a system is accessible when needed

Some systems’ security professionals refer to the C-I-A triad as the “A-I-C” triad (availability, integrity, and confidentiality) to avoid confusion with the U.S. Central Intelligence Agency, which is commonly referred to as the CIA. Either abbreviation is acceptable. However, if you use C-I-A, make sure people understand you’re referring to confidentiality, integrity, and availability.
