Using DACLs with Server for NFS

Applies To: Windows Server 2003 R2

The discretionary access control list (DACL) within the security descriptor provides the core of Windows security. The DACL is a list of entries that grant or deny certain rights to specific users or groups. A list entry is called an access control entry (ACE). Each ACE consists of the following:

  • A security identifier (SID) to identify a particular user or group.

  • An access list that specifies the permissions allowed or denied for the user or group.

The following is an example of a DACL:

  • Mrjones: Full Control (All)

  • ToolGroup: Read (RX)

  • Everyone: Read (RX)

In this DACL, Mrjones has read, write, and execute access to the file. Members of the group ToolGroup have read-and-execute access. Members of the group Everyone (all users) have read-and-execute access.

The following rules govern access to a file:

  • If no DACL is present, everyone is granted full access.

  • If a DACL is present, but contains no entries, everyone is denied access.

  • The file owner always has the ability to change the DACL.

In turn, these rules apply to the DACL:

  • DACL entries are searched sequentially.

  • All permissions are implicitly denied.

  • Once a permission has been denied, it cannot be granted.

  • Once a permission has been granted, it cannot be denied.
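
The following is an added worked example, not code from this page or from Server for NFS, that simulates the access-check rules listed above (sequential search, implicit deny, first decision on a permission wins, owner always able to change the DACL) against the sample DACL shown earlier. The rights bits, the `ACE` class and the `access_check` function are assumptions made for illustration; they are a simplified stand-in for the real Windows access mask and ACE structures.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed, simplified access-right bits (the real Windows access mask is wider).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
WRITE_DAC = 0x8                     # right to change the DACL itself
FULL_CONTROL = READ | WRITE | EXECUTE | WRITE_DAC
RX = READ | EXECUTE                 # "Read (RX)" in the sample DACL


@dataclass(frozen=True)
class ACE:
    """Hypothetical access control entry: a SID, a permission mask and allow/deny."""
    sid: str
    mask: int
    allow: bool


def access_check(dacl: Optional[List[ACE]], principal_sids: Set[str],
                 requested: int, owner_sid: Optional[str] = None) -> bool:
    """Return True if every requested permission is granted to the principal.

    principal_sids holds the user's own SID plus the SIDs of every group it
    belongs to (e.g. {"Mrjones", "Everyone"}).
    """
    if dacl is None:                # rule: no DACL present -> everyone has full access
        return True

    granted = 0
    denied = 0
    if owner_sid is not None and owner_sid in principal_sids:
        granted |= WRITE_DAC        # rule: the owner can always change the DACL

    for ace in dacl:                # rule: entries are searched sequentially
        if ace.sid not in principal_sids:
            continue                # entry does not apply to this principal
        if ace.allow:
            # rule: a permission already denied cannot later be granted
            granted |= ace.mask & ~denied
        else:
            # rule: a permission already granted cannot later be denied
            denied |= ace.mask & ~granted
        if requested & denied:      # a requested permission was denied -> stop, deny
            return False
        if requested & ~granted == 0:
            return True             # everything requested is granted -> stop, allow

    # rule: anything not explicitly granted is implicitly denied
    # (covers the empty-DACL case, where the loop never runs)
    return requested & ~granted == 0


# The DACL from the text, constructed as ACE objects.
SAMPLE_DACL = [
    ACE("Mrjones", FULL_CONTROL, True),
    ACE("ToolGroup", RX, True),
    ACE("Everyone", RX, True),
]


def sample_decisions() -> dict:
    """Evaluate a few principals against SAMPLE_DACL and the edge-case rules."""
    return {
        "mrjones_write": access_check(SAMPLE_DACL, {"Mrjones", "Everyone"}, READ | WRITE),
        "toolgroup_rx": access_check(SAMPLE_DACL, {"Alice", "ToolGroup", "Everyone"}, RX),
        "toolgroup_write": access_check(SAMPLE_DACL, {"Alice", "ToolGroup", "Everyone"}, WRITE),
        "no_dacl": access_check(None, {"Alice"}, FULL_CONTROL),
        "empty_dacl": access_check([], {"Alice"}, READ),
        "owner_empty_dacl": access_check([], {"Alice"}, WRITE_DAC, owner_sid="Alice"),
        # ordering matters: deny listed first blocks a later grant ...
        "deny_first": access_check(
            [ACE("Everyone", WRITE, False), ACE("Alice", FULL_CONTROL, True)],
            {"Alice", "Everyone"}, WRITE),
        # ... but a grant listed first cannot be taken away by a later deny
        "allow_first": access_check(
            [ACE("Alice", FULL_CONTROL, True), ACE("Everyone", WRITE, False)],
            {"Alice", "Everyone"}, WRITE),
    }


if __name__ == "__main__":
    for name, allowed in sample_decisions().items():
        print(f"{name:18s} -> {'allowed' if allowed else 'denied'}")
```

The two ordering cases at the end are the practical consequence of the last three rules: because evaluation stops at the first decision for a permission, a deny entry only has effect if it precedes the allow entries it is meant to override, which is why tools that edit DACLs place explicit deny entries ahead of allow entries.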

For more information, see Using Windows security descriptors with Server for NFS.