Access_Control_List

最新推荐文章于 2024-09-30 16:27:56 发布

转载最新推荐文章于 2024-09-30 16:27:56 发布 · 944 阅读

文章标签：

#security

security 专栏收录该内容

2 篇文章

订阅专栏

本文详细介绍了访问控制列表（ACL）的概念，包括访问控制项（ACE）如何确定受信任主体的访问权限。解释了自定义访问控制列表（DACL）和系统访问控制列表（SACL）的功能，以及它们如何控制对象的访问和记录尝试。强调了直接操作ACL的风险，并提供了创建和管理ACL的方法。

An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. For more information, see How DACLs Control Access to an Object. For information about how to properly create a DACL, see Creating a DACL.

A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. For more information about SACLs, see Audit Generation and SACL Access Right.

Do not try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs. For more information, see Getting Information from an ACL andCreating or Modifying an ACL.

ACLs also provide access control to Microsoft Active Directory directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs. For more information, see Controlling Access to Active Directory Objects.

Filesystem ACLs

Networking ACLs

SQL implementations

REF:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/access_control_list.htm

http://en.wikipedia.org/wiki/Access_control_list