DACL (Discretionary Access Control List)

Part of the security descriptor for an object. The DACL can be applied to a newly created object in order to restrict access to the object.

ACE (Access Control Entry)

An individual entry in an access control list (ACL). An access control entry (ACE) contains an SID and describes the access rights to a system resource by a specific user or group of users. Each object has a set of all ACEs, which is used to determine whether an access request to the object is granted.

SID (Security Identifier)

A value, unique across time and space, that identifies a process in the security system. SIDs can either identify an individual process, usually containing a user's logon identifier, or a group of processes.

ACL (Access Control List)

An ordered list of access control entries (ACEs).


Access Right

A permission granted to a process to manipulate a specified object in a particular way (by calling a system service). Different system object types support different access rights, which are stored in an object's access control list (ACL).


Security Descriptor

A data structure used to hold per-object security information, including the object's owner, group, protection attributes, and audit information.