Home/Blog/Cloud Computing/What is Access Control List (ACL)?
Home/Blog/Cloud Computing/What is Access Control List (ACL)?

What is Access Control List (ACL)?

7 min read
Jun 20, 2024

Managing access permissions is necessary to secure operations in any system. For example, imagine reserving a hotel room. You will receive a key for one of the rooms after you check in at the hotel’s front desk. Given the security, only you are authorized to access that room and can not access any other room with the same key.

Similarly, in computing, we must manage access to different resources such as files, directories, networks, or system resources. An access control list (ACL) is a list of rules determining which users or system processes are granted access to particular resources and what actions (such as reading, writing, or executing) are allowed.

In the access control terminology, the terms “resource” and “object” are used interchangeably.

Whether securing network data or protecting sensitive documents, ACLs are essential for defining permissions and keeping your systems safe.

Components of an ACL#

An ACL consists of entries that define specific permissions for users or groups. These permissions are specified for actions such as read, write, execute, delete, etc., and are associated with particular objects in a system. Each access control entry (ACE) of an object (such as a file or directory) typically contains a subject (such as a user or group) and the permission(s) granted to that subject on the object.

ACL of multiple files in a system
ACL of multiple files in a system

Note that a table is an ACL of one object (file), and each row in the table is an ACE. The ACE specifies what operations a subject can perform on that object.

Objects in an ACL#

Objects can include various types of entities within a computer system or network, such as:

  • Files: Documents, executables, configuration files, etc.

  • Directories: Folders containing files and subdirectories.

  • Network resources: Servers, printers, or other network sharesResources that belong to a local network.

  • Devices: Hardware components like routers, switches, or storage devices.

  • System resources: Processes, services, or registry keys in an operating system environment.

By managing permissions for these objects, ACLs are crucial in securing network environments and system resources.

Types of ACLs#

There are two basic types of ACLs: discretionary and mandatory ACLs. They provide different levels of granularity and control, allowing organizations to tailor their security measures to meet their standards and requirements.

Discretionary access control lists (DACLs)#

Discretionary access control (DAC) is the most common type of access control. It is discretionary because the object’s owner grants or restricts its access. Each ACE contains information about a specific user or group and the level of access they have to a particular resource. An ACE typically includes:

  • Security Identifier (SID): It uniquely identifies a user or group, for example, the username or password provided during authentication.

  • Access mask: It specifies the permissions granted or denied to the associated SID.

SID and access mask are synonyms with subject and permissions, respectively.

Here’s an example of a basic DACL.

ACE 1:
Subject: UserA
Permissions: Read, Write
ACE 2:
Subject: UserB
Permissions: Read
ACE 3:
Subject: GroupA
Permissions: Read, Write, Delete

Different social media platforms allow users to regulate the access of their personal data. For example, Facebook’s friend list is an example of DACL, as the users can decide who can view their friends.

The Unix file system also uses DACLs, allowing the file owner to assign permissions to the file. The owner can specify which users or groups can access files and folders and what actions they can perform, such as reading, writing, deleting, or changing the path.

Mandatory access control lists (MACLs)#

Mandatory access control lists (MACLs) are implemented at the operating system level. Users or object owners can not modify the permissions. The resources are assigned security labels such as “confidential,” “secret,” or “public.” Based on the security label, the administrator assigns a different clearance level to each user or group.

Here’s an example of a basic MACL. Note that it’s similar to a DACL. The only difference is that it’s not editable by the object’s owner.

ACE 1:
Subject: UserX
Permissions: Read, Write, Add
ACE 2:
Subject: UserY
Permissions: Read
ACE 3:
Subject: GroupZ
Permissions: Read, Write, Delete

High-security environments, such as government or military systems, use MACLs to enforce strict access controls to secure trade secrets and blueprint-related files. Banks and insurance companies can use MACLs to authorize access to clients’ personal and financial information, such as transactions.

You might notice objects (resources) in ACLs somewhere. Even though ACLs apply restrictions on every resource by default, including objects in access control entries (ACEs) serves a crucial purpose. It enhances flexibility, allowing administrators/owners to tailor access control policies within their environment.

Limitation of ACLs#

ACLs are easy to understand, but there’s a problem. Suppose that you’re an administrator of an internet-based application, and you need to make changes to access permissions across a large set of network resources. Because each resource has its own ACL, imagine how humdrum it would be to locate and update the ACL for each resource.

In short, as the number of users or resources increases, ACLs become harder to maintain.

This has led to another improved method of access control: role-based access control.

Role-based access control (RBAC)#

Imagine someone logging into your computer system. What can that person do? For example, a line managerHead of department can access sensitive customer information, but not an entry-level worker. Similarly, detailed salary information may be restricted to HR and upper management but must remain hidden from HOD to avoid potential conflicts or bias.

Each user is assigned either one more roles, and each role is assigned one or more privileges permitted to users in that role. Here’s an example of a basic RACL.

ACE 1:
Role: EL-SE
Permissions: Read
ACE 2:
Role: S-SE
Permissions: Read, Write
ACE 3:
Role: EM
Permissions: Read, Write, Add, Delete

This allows the administrators to manage users and roles separately.

Role-based access control and role assignments
Role-based access control and role assignments

What if permissions are to be decided based on multiple factors, e.g., role of the subject, time of access, and resource sensitivity? With RBACL, it would be difficult to maintain access permissions if such multiple factors are involved.

This has led to another improved method of access control: attribute-based access control.

Attribute-based access control (ABAC)#

Imagine someone logging into a company’s workstation. What can that person do? For example, if the user is in accounting, they should only access accounting files. If the company follows a “no Saturday work” policy, no one from the accounting team should be able to access accounting files on Saturday. As the administrator, you can set permissions based on user, resource, and environment attributes.

This has led to another improved method of access control: attribute-based access control.

Attribute-based access
Attribute-based access

In ABAC, the below elements work together in a coordinated fashion.

  • User: Job title or seniority level of the requester

  • Resource attributes: The type of file, the person who made it, or the resource’s sensitivity

  • Environment: The requester, the time of day, or the calendar date

ACE: 1
Subject:
- User Role: Manager
- Department: Sales
Resource:
- Sensitivity: Confidential
- Department: Sales
Action Attributes:
- Action: Read
Environment:
- Time of Day: 9:00 AM - 5:00 PM
- Device Type: Laptop
ACE: 2
Subject:
- User Role: Manager
- Department: HR
Resource:
- Sensitivity: Confidential
- Department: Sales
Action Attributes:
- Action: Read, Write
Environment:
- Time of Day: 9:00 AM - 5:00 PM
- Device Type: Laptop

ABAC offers a more dynamic and flexible approach to access control, allowing policies to be defined based on multiple attributes rather than user identities or group memberships. For example, a policy might grant access to a resource if the user attribute matches the resource’s sensitivity attribute.

Choosing the right access control type#

  • Discretionary access: It is suitable for easily managed environments where owners can modify the permissions, for example, cloud storage platforms like Dropbox and Google Drive. The owner can share a folder on Dropbox or GDrive with specific individuals and grant them either read-only or read-write permissions.

  • Mandatory access: It is designed for high-security environments where owners can not modify the permissions, and access is based on predefined security labels. For example, a cloud infrastructure used by a government agency (or highly regulated industry) assigns security labels to data and resources, restricting access based on user clearances.

  • Role-based access: It is recommended for systems where access permissions are managed based on user roles and responsibilities, and each role is assigned specific privileges, such as a cloud-based enterprise application like Salesforce. For example, in a cloud-based CRMCustomer Relationship Management model, sales representatives can access customer data, while managers have additional permissions to generate reports and analyze sales performance.

  • Attribute-based access: It is useful in environments where permissions must adapt to changing conditions, such as time of access, resource sensitivity, or subject role, such as a cloud-based infrastructure service like Amazon Web Services (AWS). For example, access to sensitive data stored in AWS S3 buckets can be restricted based on attributes like subject department, time, and resource sensitivity.

To learn more about ABAC, take our cloud lab Implementing Attribute-Based Access Control (ABAC) Using Tags to get a hands-on experience implementing the ABAC authorization model in AWS.

Happy learning!

Frequently Asked Questions

Can ACLs be used in cloud environments?

Yes, ACLs are commonly used in cloud environments to control access to resources such as files, virtual machines, and storage. Cloud platforms like AWS, Google Cloud, and Microsoft Azure use ACLs to specify permissions for different users and services.

Is discretionary access control (DAC) secure for enterprise use?

Can ACLs coexist with other access control models like RBAC or ABAC?

What tools are available for managing ACLs in cloud environments?


Written By:
Maham Amjad
Join 2.5 million developers at
Explore the catalog

Free Resources