Accesslists
What Are Accesslists?
Accesslists, also written as access control lists (ACLs), are ordered sets of rules that a system evaluates to decide whether a given subject may perform a requested operation on a protected resource. Each rule in the list specifies a subject or class of subjects, the resource or resource type in question, and the set of permitted or denied operations. The NIST Cybersecurity Resource Center defines an ACL as "a mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resources," a definition adapted from IETF RFC 4949, the Internet Security Glossary.
Accesslists emerged as a practical data structure for expressing discretionary access control policies on early multi-user operating systems. They represent one of two classical ways to describe a protection matrix: the other is capability lists, which attach permissions to subjects rather than objects. In practice, ACLs dominate in file systems and network infrastructure because they make it straightforward to audit all principals that have access to a given resource.
ACL Structure and Evaluation
An ACL is attached to an object, such as a file, directory, database table, or network interface, and contains one or more access control entries (ACEs). Each ACE identifies a trustee (a user, group, or process identifier) and a bitmask of permitted or explicitly denied operations. When a subject requests access, the enforcement mechanism walks the list in order, applying the first matching rule. List ordering matters: a deny entry placed before a permit entry for the same subject takes precedence, while a catch-all deny-by-default rule placed at the end of the list refuses any traffic or operation not explicitly permitted. Evaluation semantics vary slightly across platforms; POSIX ACLs and Windows NT security descriptors, for example, differ in how they handle inherited permissions on nested directories.
Network ACLs and Packet Filtering
In network infrastructure, ACLs configure routers, switches, and firewalls to permit or block traffic based on fields in packet headers: source and destination IP address, transport protocol, source and destination port, and sometimes DSCP markings. A standard ACL matches only on source IP address, while an extended ACL matches the full five-tuple, giving operators finer-grained control over inter-VLAN routing, service access, and edge filtering. NIST Special Publication 800-41 on firewall policy guidelines recommends a default-deny posture: all traffic not explicitly permitted by an ACL rule should be dropped, limiting the blast radius of misconfigured services. ACL rules are applied in hardware on modern line-rate switches using ternary content-addressable memory (TCAM), which allows O(1) rule lookup at high speeds.
Filesystem and Operating System ACLs
At the operating system level, ACLs extend traditional Unix permission bits to support richer access policies. POSIX.1e extended attributes allow administrators to grant read access to a specific user on a file without adding that user to the owning group. Windows NTFS attaches a discretionary ACL (DACL) and a system ACL (SACL) to every file and registry key; the DACL governs access decisions while the SACL triggers audit log entries when specified operations occur. Modern cloud storage services expose ACL-like interfaces for bucket and object-level access policies, though many platforms have moved toward attribute-based policy languages that subsume traditional ACL semantics.
Applications
Accesslists have applications in a wide range of disciplines, including:
- Network perimeter defense and inter-segment traffic control
- Cloud storage bucket and object access policies
- Database row-level and column-level security
- Operating system file and registry permission management
- API gateway request filtering and rate limiting by client identity