An access-control entry (ACE) is an element in an access-control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee. For information about adding, removing, or changing the ACEs in an object's ACLs, see Modifying an Object's ACLs.
Windows NT currently supports six types of ACEs. There are three ACE types supported by all securable objects. In addition, there are three types of object-specific ACEs supported by directory service objects.
All types of ACEs contain the following access-control information:
The following table lists the three ACE types supported by all securable objects.
Type | Description |
---|---|
Access-denied ACE | Used in a DACL to deny access rights to a trustee. |
Access-allowed ACE | Used in a DACL to allow access rights to a trustee. |
System-audit ACE | Used in a SACL to generate an audit record when the trustee attempts to exercise the specified access rights. |
For a table of object-specific ACEs, see Object-Specific ACEs. Windows NT does not currently support system-alarm ACEs.