Platform SDK: Access Control |
An access-control entry (ACE) is an element in an access-control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee. For information about adding, removing, or changing the ACEs in an object's ACLs, see Modifying an Object's ACLs.
Windows NT/Windows 2000 currently supports six types of ACEs. There are three ACE types supported by all securable objects. In addition, there are three types of object-specific ACEs supported by directory service objects.
All types of ACEs contain the following access-control information:
The following table lists the three ACE types supported by all securable objects.
Type | Description |
---|---|
Access-denied ACE | Used in a DACL to deny access rights to a trustee. |
Access-allowed ACE | Used in a DACL to allow access rights to a trustee. |
System-audit ACE | Used in a SACL to generate an audit record when the trustee attempts to exercise the specified access rights. |
For a table of object-specific ACEs, see Object-Specific ACEs.
System-alarm ACEs are not currently supported.