
What is Access Control List (ACL)?

Maham Amjad
Jun 20, 2024

Managing access permissions is necessary to secure operations in any system. For example, imagine reserving a hotel room. You will receive a key for one of the rooms after you check in at the hotel’s front desk. For security, only you are authorized to access that room, and you cannot access any other room with the same key.

Similarly, in computing, we must manage access to different resources such as files, directories, networks, or system resources. An access control list (ACL) is a list of rules determining which users or system processes are granted access to particular resources and what actions (such as reading, writing, or executing) are allowed.

In the access control terminology, the terms “resource” and “object” are used interchangeably.

Whether securing network data or protecting sensitive documents, ACLs are essential for defining permissions and keeping your systems safe.

Components of an ACL

An ACL consists of entries that define specific permissions for users or groups. These permissions are specified for actions such as read, write, execute, delete, etc., and are associated with particular objects in a system. Each access control entry (ACE) of an object (such as a file or directory) typically contains a subject (such as a user or group) and the permission(s) granted to that subject on the object.

ACL of multiple files in a system

Note that each table is the ACL of one object (file), and each row in the table is an ACE. The ACE specifies what operations a subject can perform on that object.

Objects in an ACL

Objects can include various types of entities within a computer system or network, such as:

  • Files: Documents, executables, configuration files, etc.

  • Directories: Folders containing files and subdirectories.

  • Network resources: Servers, printers, or other network shares (resources that belong to a local network).

  • Devices: Hardware components like routers, switches, or storage devices.

  • System resources: Processes, services, or registry keys in an operating system environment.

By managing permissions for these objects, ACLs are crucial in securing network environments and system resources.

Types of ACLs

There are two basic types of ACLs: discretionary and mandatory ACLs. They provide different levels of granularity and control, allowing organizations to tailor their security measures to meet their standards and requirements.

Discretionary access control lists (DACLs)

Discretionary access control (DAC) is the most common type of access control. It is discretionary because the object’s owner grants or restricts its access. Each ACE contains information about a specific user or group and the level of access they have to a particular resource. An ACE typically includes:

  • Security Identifier (SID): It uniquely identifies a user or group, for example, the username or password provided during authentication.

  • Access mask: It specifies the permissions granted or denied to the associated SID.

SID and access mask are synonymous with subject and permissions, respectively.

Here’s an example of a basic DACL.

ACE 1:
Subject: UserA
Permissions: Read, Write
ACE 2:
Subject: UserB
Permissions: Read
ACE 3:
Subject: GroupA
Permissions: Read, Write, Delete

Different social media platforms allow users to regulate the access of their personal data. For example, Facebook’s friend list is an example of DACL, as the users can decide who can view their friends.

The Unix file system also uses DACLs, allowing the file owner to assign permissions to the file. The owner can specify which users or groups can access files and folders and what actions they can perform, such as reading, writing, deleting, or changing the path.

Mandatory access control lists (MACLs)

Mandatory access control lists (MACLs) are implemented at the operating system level. Users or object owners cannot modify the permissions. The resources are assigned security labels such as “confidential,” “secret,” or “public.” Based on the security label, the administrator assigns a different clearance level to each user or group.

Here’s an example of a basic MACL. Note that it’s similar to a DACL. The only difference is that it’s not editable by the object’s owner.

ACE 1:
Subject: UserX
Permissions: Read, Write, Add
ACE 2:
Subject: UserY
Permissions: Read
ACE 3:
Subject: GroupZ
Permissions: Read, Write, Delete

High-security environments, such as government or military systems, use MACLs to enforce strict access controls to secure trade secrets and blueprint-related files. Banks and insurance companies can use MACLs to authorize access to clients’ personal and financial information, such as transactions.
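The two basic DACL and MACL examples above can be modelled with access masks as bit flags, as in this added example (not code from the original article). The owner name `Owner`, the `admins` parameter and the bit values are assumptions, and the model covers only who may edit the list, not security labels or clearance levels.

```python
from dataclasses import dataclass, field
from enum import IntFlag


class Perm(IntFlag):
    # Bit values are illustrative, not those of any real operating system.
    READ = 1
    WRITE = 2
    DELETE = 4


@dataclass
class ACL:
    owner: str
    mandatory: bool = False                      # True models the MACL case
    entries: dict = field(default_factory=dict)  # subject -> access mask

    def set_ace(self, actor, subject, mask, admins=frozenset()):
        """Add or replace one ACE, enforcing who may edit the list."""
        if self.mandatory:
            allowed = actor in admins      # MACL: the owner cannot edit
        else:
            allowed = actor == self.owner  # DACL: the owner's discretion
        if not allowed:
            raise PermissionError(f"{actor} may not modify this ACL")
        self.entries[subject] = Perm(mask)

    def is_allowed(self, user, groups, requested):
        """Default deny: matching ACEs must cover every requested bit."""
        effective = Perm(0)
        for subject in (user, *groups):
            effective |= self.entries.get(subject, Perm(0))
        return (effective & requested) == requested


def page_dacl():
    """The basic DACL from the article, owned by the hypothetical 'Owner'."""
    acl = ACL(owner="Owner")
    acl.set_ace("Owner", "UserA", Perm.READ | Perm.WRITE)
    acl.set_ace("Owner", "UserB", Perm.READ)
    acl.set_ace("Owner", "GroupA", Perm.READ | Perm.WRITE | Perm.DELETE)
    return acl
```

A subject with no matching ACE gets an empty mask, so every request from it is denied.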

You might see objects (resources) listed inside the entries of some ACLs. Even though ACLs apply restrictions on every resource by default, including objects in access control entries (ACEs) serves a crucial purpose. It enhances flexibility, allowing administrators/owners to tailor access control policies within their environment.

Limitation of ACLs

ACLs are easy to understand, but there’s a problem. Suppose that you’re an administrator of an internet-based application, and you need to make changes to access permissions across a large set of network resources. Because each resource has its own ACL, imagine how tedious it would be to locate and update the ACL for each resource.

In short, as the number of users or resources increases, ACLs become harder to maintain.

This has led to another improved method of access control: role-based access control.

Role-based access control (RBAC)

Imagine someone logging into your computer system. What can that person do? For example, a line manager (head of department) can access sensitive customer information, but an entry-level worker cannot. Similarly, detailed salary information may be restricted to HR and upper management but must remain hidden from the head of department (HOD) to avoid potential conflicts or bias.

Each user is assigned one or more roles, and each role is assigned one or more privileges permitted to users in that role. Here’s an example of a basic role-based ACL (RACL).

ACE 1:
Role: EL-SE
Permissions: Read
ACE 2:
Role: S-SE
Permissions: Read, Write
ACE 3:
Role: EM
Permissions: Read, Write, Add, Delete

This allows the administrators to manage users and roles separately.
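The separation between users and roles can be seen in this added example (not code from the original article), which uses the three roles from the RACL above. The user names `alice` and `bob` and the class and method names are assumptions.

```python
# Role -> permissions, copied from the RACL in the article.
ROLE_PERMS = {
    "EL-SE": {"Read"},
    "S-SE": {"Read", "Write"},
    "EM": {"Read", "Write", "Add", "Delete"},
}


class RBAC:
    def __init__(self, role_perms):
        # Copy so that edits to one instance do not leak into another.
        self.role_perms = {r: set(p) for r, p in role_perms.items()}
        self.user_roles = {}  # user -> set of role names

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def grant_to_role(self, role, permission):
        """One edit that reaches every user holding the role."""
        self.role_perms[role].add(permission)

    def permissions(self, user):
        """Union of the permissions of all roles the user holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def is_allowed(self, user, action):
        # A user with no roles has no permissions (default deny).
        return action in self.permissions(user)


def demo():
    rbac = RBAC(ROLE_PERMS)
    for user in ("alice", "bob"):       # hypothetical users
        rbac.assign(user, "EL-SE")
    before = rbac.is_allowed("bob", "Write")
    rbac.grant_to_role("EL-SE", "Write")  # role edited once, no user touched
    return before, rbac.is_allowed("alice", "Write"), rbac.is_allowed("bob", "Write")
```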

Role-based access control and role assignments

What if permissions are to be decided based on multiple factors, e.g., the role of the subject, the time of access, and the resource sensitivity? With RBAC, it would be difficult to maintain access permissions if multiple such factors are involved.

This has led to another improved method of access control: attribute-based access control.

Attribute-based access control (ABAC)

Imagine someone logging into a company’s workstation. What can that person do? For example, if the user is in accounting, they should only access accounting files. If the company follows a “no Saturday work” policy, no one from the accounting team should be able to access accounting files on Saturday. As the administrator, you can set permissions based on user, resource, and environment attributes.


Attribute-based access

In ABAC, the following elements work together in a coordinated fashion.

  • User: Job title or seniority level of the requester

  • Resource attributes: The type of file, the person who made it, or the resource’s sensitivity

  • Environment: The requester, the time of day, or the calendar date

ACE: 1
Subject:
- User Role: Manager
- Department: Sales
Resource:
- Sensitivity: Confidential
- Department: Sales
Action Attributes:
- Action: Read
Environment:
- Time of Day: 9:00 AM - 5:00 PM
- Device Type: Laptop
ACE: 2
Subject:
- User Role: Manager
- Department: HR
Resource:
- Sensitivity: Confidential
- Department: Sales
Action Attributes:
- Action: Read, Write
Environment:
- Time of Day: 9:00 AM - 5:00 PM
- Device Type: Laptop

ABAC offers a more dynamic and flexible approach to access control, allowing policies to be defined based on multiple attributes rather than user identities or group memberships. For example, a policy might grant access to a resource if the user attribute matches the resource’s sensitivity attribute.
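The two ABAC entries above can be evaluated against a request as in this added example (not code from the original article). The dictionary keys, the function names and the choice to treat both ends of the 9:00 AM to 5:00 PM window as inclusive are assumptions.

```python
from datetime import time

# The two ACEs from the article; key names are chosen for this example.
POLICIES = [
    {   # ACE 1
        "subject": {"role": "Manager", "department": "Sales"},
        "resource": {"sensitivity": "Confidential", "department": "Sales"},
        "actions": {"Read"},
        "hours": (time(9, 0), time(17, 0)),
        "device": "Laptop",
    },
    {   # ACE 2
        "subject": {"role": "Manager", "department": "HR"},
        "resource": {"sensitivity": "Confidential", "department": "Sales"},
        "actions": {"Read", "Write"},
        "hours": (time(9, 0), time(17, 0)),
        "device": "Laptop",
    },
]


def _matches(required, actual):
    """Every required attribute must be present with the same value."""
    return all(actual.get(key) == value for key, value in required.items())


def evaluate(subject, resource, action, env, policies=POLICIES):
    """Return the number of the first ACE that permits the request.

    Returns None when no ACE matches, so the default is deny. A request
    with a missing environment attribute is denied, not treated as a match.
    """
    for number, ace in enumerate(policies, start=1):
        start, end = ace["hours"]
        now = env.get("time")
        in_hours = now is not None and start <= now <= end  # inclusive (assumed)
        if (_matches(ace["subject"], subject)
                and _matches(ace["resource"], resource)
                and action in ace["actions"]
                and in_hours
                and env.get("device") == ace["device"]):
            return number
    return None
```

All four attribute groups must match the same entry, so a Sales manager cannot combine the subject of ACE 1 with the Write action of ACE 2.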

Choosing the right access control type

  • Discretionary access: It is suitable for easily managed environments where owners can modify the permissions, for example, cloud storage platforms like Dropbox and Google Drive. The owner can share a folder on Dropbox or GDrive with specific individuals and grant them either read-only or read-write permissions.

  • Mandatory access: It is designed for high-security environments where owners cannot modify the permissions, and access is based on predefined security labels. For example, a cloud infrastructure used by a government agency (or highly regulated industry) assigns security labels to data and resources, restricting access based on user clearances.

  • Role-based access: It is recommended for systems, such as a cloud-based enterprise application like Salesforce, where access permissions are managed based on user roles and responsibilities, and each role is assigned specific privileges. For example, in a cloud-based CRM (customer relationship management) model, sales representatives can access customer data, while managers have additional permissions to generate reports and analyze sales performance.

  • Attribute-based access: It is useful in environments, such as a cloud-based infrastructure service like Amazon Web Services (AWS), where permissions must adapt to changing conditions such as time of access, resource sensitivity, or subject role. For example, access to sensitive data stored in AWS S3 buckets can be restricted based on attributes like subject department, time, and resource sensitivity.

To learn more about ABAC, take our cloud lab Implementing Attribute-Based Access Control (ABAC) Using Tags to get a hands-on experience implementing the ABAC authorization model in AWS.

Happy learning!

Frequently Asked Questions

Can ACLs be used in cloud environments?

Yes, ACLs are commonly used in cloud environments to control access to resources such as files, virtual machines, and storage. Cloud platforms like AWS, Google Cloud, and Microsoft Azure use ACLs to specify permissions for different users and services.

Is discretionary access control (DAC) secure for enterprise use?

Can ACLs coexist with other access control models like RBAC or ABAC?

What tools are available for managing ACLs in cloud environments?


  
