Platform SDK: Access Control

Access-Control Entries (ACEs)

An access-control entry (ACE) is an element in an access-control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee. For information about adding, removing, or changing the ACEs in an object's ACLs, see Modifying an Object's ACLs.

Windows NT/Windows 2000 currently supports six types of ACEs. There are three ACE types supported by all securable objects. In addition, there are three types of object-specific ACEs supported by directory service objects.

All types of ACEs contain the following access-control information:

The following table lists the three ACE types supported by all securable objects.

Type                 Description
Access-denied ACE    Used in a DACL to deny access rights to a trustee.
Access-allowed ACE   Used in a DACL to allow access rights to a trustee.
System-audit ACE     Used in a SACL to generate an audit record when the trustee attempts to exercise the specified access rights.

For a table of object-specific ACEs, see Object-Specific ACEs.

System-alarm ACEs are not currently supported.
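
The following is an added example, not code from the Platform SDK: a small parser that walks a self-relative binary ACL, classifies each ACE as one of the six supported types, and reports system-alarm ACEs as unsupported. It goes beyond the text above by assuming the ACL, ACE and SID byte layouts and the ACE type codes from winnt.h; the names parse_acl, parse_sid and make_ace are hypothetical and the sample ACL is constructed.

```python
import struct

# ACE type codes from winnt.h (assumption: the page names the types but not the codes).
ACE_TYPES = {
    0x00: ("access-allowed", "DACL"), 0x01: ("access-denied", "DACL"), 0x02: ("system-audit", "SACL"),
    0x05: ("access-allowed object", "DACL"), 0x06: ("access-denied object", "DACL"),
    0x07: ("system-audit object", "SACL"),
}

def parse_sid(buf, off, end):
    """Render the trustee SID stored at buf[off:end] as an S-R-A-S1-... string."""
    if off + 8 > end or off + 8 + 4 * buf[off + 1] > end:
        raise ValueError("SID runs past the end of its ACE")
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % buf[off + 1], buf, off + 8)
    return "S-%d-%d" % (buf[off], auth) + "".join("-%d" % s for s in subs)

def parse_acl(buf):
    """Return one dict per ACE: type name, which ACL it belongs in, mask, trustee SID."""
    if len(buf) < 8:
        raise ValueError("truncated ACL header")
    _rev, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", buf, 0)
    if acl_size > len(buf):
        raise ValueError("AclSize exceeds the buffer")
    aces, off = [], 8
    for _ in range(ace_count):
        if off + 8 > acl_size:
            raise ValueError("ACE header runs past AclSize")
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
        if ace_size < 8 or off + ace_size > acl_size:
            raise ValueError("bad AceSize")
        name, acl_kind = ACE_TYPES.get(ace_type, ("unsupported (0x%02x)" % ace_type, None))
        sid_off = off + 8                      # generic ACEs: SID follows the mask
        if ace_type in (0x05, 0x06, 0x07):     # object ACEs: Flags and optional GUIDs come first
            if ace_size < 12:
                raise ValueError("object ACE too short")
            (obj_flags,) = struct.unpack_from("<I", buf, off + 8)
            sid_off = off + 12 + 16 * bin(obj_flags & 3).count("1")
        sid = parse_sid(buf, sid_off, off + ace_size) if acl_kind else None
        aces.append({"type": name, "acl": acl_kind, "mask": mask, "sid": sid})
        off += ace_size
    return aces

def make_ace(ace_type, mask, body):  # builds one constructed sample ACE
    return struct.pack("<BBHI", ace_type, 0, 8 + len(body), mask) + body

# Constructed sample: trustee S-1-5-32-544; a denied, an allowed and a system-alarm (0x03) ACE.
SID = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + struct.pack("<II", 32, 544)
SAMPLE_ACES = make_ace(0x01, 0x00010000, SID) + make_ace(0x00, 0x001F01FF, SID) + make_ace(0x03, 0x1, SID)
SAMPLE_ACL = struct.pack("<BBHHH", 2, 0, 8 + len(SAMPLE_ACES), 3, 0) + SAMPLE_ACES
```

Calling parse_acl(SAMPLE_ACL) returns three entries; the third is reported as unsupported with no trustee, matching the statement that system-alarm ACEs are not currently supported.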