Using DACLs with Server for NFS
Applies To: Windows Server 2003 R2
The discretionary access control list (DACL) within the security descriptor provides the core of Windows security. The DACL is a list of entries that grant or deny certain rights to specific users or groups. A list entry is called an access control entry (ACE). Each ACE consists of the following:
A security identifier (SID) to identify a particular user or group.
An access list that specifies the permissions allowed or denied for the user or group.
The following is an example of a DACL:
DACL: Mrjones:Full Control (All)
ToolGroup:Read (RX)
Everyone:Read (RX)
In this DACL, Mrjones has read, write, and execute access to the file. Members of the group ToolGroup have read-and-execute access. Members of the group Everyone (all users) have read-and-execute access.
The following rules govern access to a file:
If no DACL is present, everyone is granted full access.
If a DACL is present, but contains no entries, everyone is denied access.
The file owner always has the ability to change the DACL.
In turn, these rules apply to the DACL:
DACL entries are searched sequentially.
All permissions are implicitly denied.
Once a permission has been denied, it cannot be granted.
Once a permission has been granted, it cannot be denied.
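The rules above can be modeled as a sequential walk over the ACEs. The following is an added example, not code from the original page or from Windows: the R/W/X bit values, the Ace type, the access_check function, and the caller "alice" are assumptions made for illustration, and trustee names stand in for SIDs.

```python
from typing import NamedTuple, Optional

# Simplified rights for illustration; not the real Windows access-mask values.
R, W, X = 0x1, 0x2, 0x4
ALL = R | W | X

class Ace(NamedTuple):
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    trustee: str   # stands in for the SID of a user or group
    mask: int      # rights this ACE allows or denies

def access_check(dacl: Optional[list], token: set, requested: int) -> bool:
    """Return True if every requested right is granted to the caller.

    token is the set of trustees (the user plus its groups) the caller holds.
    """
    if dacl is None:           # no DACL present: everyone is granted full access
        return True
    remaining = requested      # rights not yet granted are implicitly denied
    for ace in dacl:           # entries are searched sequentially
        if ace.trustee not in token:
            continue
        if ace.allow:
            remaining &= ~ace.mask   # a granted right cannot be denied later
        elif ace.mask & remaining:
            return False             # a denied right cannot be granted later
        if remaining == 0:
            return True
    return False               # empty DACL, or some right was never granted

# The DACL from the example on this page.
EXAMPLE_DACL = [
    Ace(True, "Mrjones", ALL),
    Ace(True, "ToolGroup", R | X),
    Ace(True, "Everyone", R | X),
]

# Constructed DACLs: the same two ACEs in a different order.
DENY_FIRST = [Ace(False, "ToolGroup", W), Ace(True, "Everyone", ALL)]
ALLOW_FIRST = [Ace(True, "Everyone", ALL), Ace(False, "ToolGroup", W)]

if __name__ == "__main__":
    member = {"alice", "ToolGroup", "Everyone"}    # hypothetical caller
    print(access_check(EXAMPLE_DACL, member, W))   # write was never granted
    print(access_check(DENY_FIRST, member, W))     # deny is reached first
    print(access_check(ALLOW_FIRST, member, W))    # allow is reached first
```

Because the first matching entry settles each right, a deny ACE placed after an allow ACE for the same right has no effect, so deny entries should come before allow entries when a DACL is reviewed or built.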
For more information, see Using Windows security descriptors with Server for NFS.