
What Is an Access Control List (ACL)? Types and Examples

19 July 2024
by Soundarya Jayaraman

Where there are no rules, there is chaos. 

This not only applies to life but also to system and network security. Establishing and enforcing proper rules is necessary to maintain a secure and orderly digital environment. One such security measure is an access control list (ACL).

Imagine you have a Google Doc with sensitive business information. You share it with just a restricted set of people, right? ACL security achieves the same at the system and network levels.

Tools like network access control software with built-in ACLs help companies implement these kinds of systems.

By configuring access control lists effectively, organizations enforce security policies, protect sensitive data, prevent unauthorized access, and manage network traffic efficiently. 

What are ACLs used for?

ACLs started as an access control mechanism for files and resources in operating systems. Over time, their use has expanded.

Modern computer applications, from relational databases to enterprise resource planning (ERP) and content management systems (CMS), have ACLs in their system administration modules. Cloud computing services like cloud storage solutions also use ACLs for granular access control. Amazon Web Services (AWS), for instance, provides ACLs to manage access to buckets and objects in its storage service.

In network security, ACLs can be implemented at any point in the network. They’re most commonly placed at edge routers in a demilitarized zone (also known as a DMZ network) that separates the public internet and internal network. 

Most social networking sites like Facebook also use ACLs as their main access control model. Users can specify who can access their profiles, friend lists, or calendars.


How does ACL work?

ACLs are used to control a subject’s access to objects. Here, the subject can be any entity authenticated by a computer system or network: users, programs, or processes in a system. The accessed object is any securable entity in the system or network, like files, programs, data, computers, printers, devices, networks, or containers. 

ACL allows system administrators to dictate who can access a specific object and which actions they can perform with the resource. 

For this purpose, each ACL is a list of entries called access control entries (ACEs). Each ACE names, by name or ID, a user or group that has access to a particular object, and it defines the access rights granted to that user or group. Every time a user or a group tries to access the object, the request is checked against the list of ACEs.

If the ACE conditions are met, access is granted. If not, access is denied. 

To understand this better, let’s look at the workings of two major types of ACLs: filesystem ACL and network ACL.

How filesystem ACL and network ACL work

Let’s look at the filesystem ACL first. Filesystem ACL defines which users are allowed to access a particular file or a directory. Imagine there are some files and folders in the sales department. Everyone on the sales team needs access to see and modify those files. People in the accounts department, however, just need to view the files. 

Now, the file owner or the system administrator can set up an ACL that gives the sales department permission to read, write, and execute, while the accounts department gets just permission to read the file. 

If Andrea from the accounts department tries to modify or delete any file, her request is checked against the list of ACEs. Since no ACE grants her that right, she is denied permission to perform the task. 

In a similar fashion, a network ACL has a list of ACEs used specifically to filter and prioritize traffic. The ACEs contain criteria against which an internet protocol (IP) packet is evaluated. The criteria can be the source and destination addresses of the traffic, the protocol, and the ports. Each ACE also contains an action element, i.e., whether to permit or deny a matching IP packet. 

An IP packet entering the network is checked against the ACEs in order. If it matches an entry, that entry's action is applied: a permit entry lets the packet through, and a deny entry blocks it. A packet that matches no entry is blocked. This is also called packet filtering, which is commonly used in firewall software.

Types of ACLs

Two major types of ACLs are used, depending on the resource they control access to: filesystem ACL and network ACL. Let’s examine these important ACL categories in detail.

1. Filesystem ACL

The filesystem ACL was the very first ACL in the computer security world, implemented in an OS called Multics in 1965. 

Unlike traditional Unix-style file permissions, a filesystem ACL lets you define more than the usual read, write, and execute permissions. Further, a filesystem ACL lets you set permissions separately for the file owner, other specific users, and groups. 

Many operating systems, including Windows, macOS, Linux, and Solaris, have built-in filesystem ACLs.

2. Network ACL 

A network ACL, on the other hand, filters traffic to your network to block unauthorized access. It is implemented on the interfaces of network devices such as routers. The ACL determines which traffic is blocked and which traffic is forwarded into the network.

Components of ACL 

Whether they’re filesystem- or network-based, ACLs have distinct components that spell out the rules for access.

Filesystem ACL components

A filesystem ACL entry includes the following: 

  • The file or object for which the access permissions are set. 
  • The owner of the file or object for which the ACL is set. 
  • A user ID or group ID, along with the permissions allowed. On Windows, a security identifier (SID) denotes the user ID or group ID. 

Some filesystem ACLs may contain access masks that list the maximum level of access or permission users other than the owners can have.

Filesystem access control list example

# file: example.doc
# owner: nancy
# group: sales
user::rwx
group:sales:r--

This ACL has a file name, the owner of the file, the group of users who can access it, and permission for the owner and the group. Here, the sales group has read-only access. The owner, Nancy, has all permissions. 
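To show how such an entry list is actually evaluated, here is an added example (not code from the article): a small POSIX-style filesystem ACL checker in getfacl notation, run against the sales/accounts scenario above. The ACL text, the extra "group:accounts", "mask" and "other" lines, and the user names other than Nancy are constructed for the example; the mask line illustrates the access mask mentioned above, which caps what named users and groups receive.

```python
# Constructed sample ACL (not from the article) in getfacl notation.
SAMPLE_ACL = """\
# file: example.doc
# owner: nancy
# group: sales
user::rwx
group::rwx
group:accounts:r--
mask::rw-
other::---
"""

def parse_acl(text):
    """Return (owner, owning_group, {(tag, qualifier): set_of_perm_bits})."""
    owner = group = None
    perms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                     # header lines: file, owner, group
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = value.strip()
            elif key.strip() == "group":
                group = value.strip()
            continue
        tag, qualifier, bits = line.split(":")       # e.g. group:accounts:r--
        perms[(tag, qualifier)] = set(bits.replace("-", ""))
    return owner, group, perms

def check_access(acl_text, user, user_groups, wanted):
    """POSIX ACL evaluation order: owner, named user, owning/named groups
    (with the mask applied), then other. True if every wanted bit is granted."""
    owner, owning_group, perms = parse_acl(acl_text)
    wanted = set(wanted)
    mask = perms.get(("mask", ""))
    masked = lambda p: p & mask if mask is not None else p
    if user == owner:                                # owner entry is never masked
        return wanted <= perms.get(("user", ""), set())
    if ("user", user) in perms:
        return wanted <= masked(perms[("user", user)])
    candidates = []                                  # any matching group entry may grant
    if owning_group in user_groups:
        candidates.append(masked(perms.get(("group", ""), set())))
    candidates += [masked(perms[("group", g)]) for g in user_groups if ("group", g) in perms]
    if candidates:                                   # a group matched: "other" is not consulted
        return any(wanted <= p for p in candidates)
    return wanted <= perms.get(("other", ""), set())
```

Note that a sales member asking for execute is refused even though the group entry grants rwx, because the mask strips the x bit.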

Network ACL components

A network ACL entry typically comprises: 

  • An access-list name or number to identify the ACL.
  • A sequence number for each line of the access list, i.e., each ACE.
  • A permit or deny action element.
  • The source or destination address of the traffic that should be permitted or denied.
  • The type of network protocol, or port numbers in the case of an extended ACL.

Some network ACLs also allow options to comment on ACL entries and log access attempts. 

Standard network access control list example

access-list 1 permit host 192.167.2.4

In this standard network ACL, the access-list identifier (here the number 1) is followed by the action to perform and the source address criterion to match. Only traffic from 192.167.2.4 is allowed. All other traffic is implicitly denied access to the network. 

Other types of ACL in networking

Apart from the two major categories of ACLs mentioned above, networks use other ACLs based on factors like access control mechanisms and the purposes the ACLs serve. 

Based on access control mechanisms

Four distinct variants of network ACLs arise from different ways of access control: standard, extended, dynamic, and reflexive.

1. Standard ACL

A standard access control list is the most common category of network ACL. It filters traffic based on the source IP address of a packet and is usually configured on routers. A standard ACL doesn’t differentiate between protocols like transmission control protocol (TCP), user datagram protocol (UDP), or hypertext transfer protocol secure (HTTPS).

2. Extended ACL

The extended access control list can filter network packets based on source and destination addresses, port numbers, protocols, and time ranges. It’s more flexible, customizable, and detailed than a standard ACL.
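The standard example in the previous section and the extended ACL described here are evaluated the same way on a router: entries are walked in sequence order, the first match decides, and anything unmatched hits the implicit deny. The following added example (not code from the article or any vendor) implements that evaluation; the entries, the sequence numbers and the addresses other than 192.167.2.4 are constructed, and the entry at sequence 40 is the page's "permit host" rule expressed as a source-only entry.

```python
import ipaddress

# Constructed entries (not from the article): (sequence, action, protocol,
# source, destination, destination port). "ip" matches any protocol and
# None matches any port, so a standard ACL is just a source-only entry.
SAMPLE_ACL = [
    (10, "permit", "tcp", "10.0.0.0/24", "192.0.2.10/32", 443),    # HTTPS to the server
    (20, "deny",   "tcp", "10.0.0.0/24", "192.0.2.10/32", None),   # all other TCP to it
    (30, "permit", "ip",  "10.0.0.0/24", "0.0.0.0/0",     None),   # the LAN going anywhere else
    (40, "permit", "ip",  "192.167.2.4/32", "0.0.0.0/0",  None),   # the page's "permit host" rule
]

def ace_matches(ace, packet):
    """True if the packet satisfies every criterion of one access control entry."""
    _seq, _action, proto, src, dst, dport = ace
    if proto != "ip" and proto != packet["proto"]:
        return False
    if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(packet["dst"]) not in ipaddress.ip_network(dst):
        return False
    return dport is None or dport == packet.get("dport")

def evaluate(acl, packet):
    """Walk entries in sequence order; the first match decides. A packet that
    matches nothing hits the implicit deny, reported with sequence None."""
    for ace in sorted(acl, key=lambda e: e[0]):
        if ace_matches(ace, packet):
            return ace[1], ace[0]
    return "deny", None

def resequence(acl, old_seq, new_seq):
    """Copy of the ACL with one entry moved, to show that ordering changes the verdict."""
    return [(new_seq if e[0] == old_seq else e[0],) + e[1:] for e in acl]
```

Moving the broad deny at sequence 20 ahead of the HTTPS permit shadows it, which is why the ordering advice in the best practices section matters.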

3. Dynamic ACL

The dynamic access control list is also called a lock and key ACL. It is based on extended ACL but requires additional conditions to be met, like remote connection to the host or local computer via Telnet and authentication before network access is allowed. Dynamic ACL permits connection for a specific time period and provides a timeout feature to halt a network connection. 

This type of ACL is suitable for providing limited access to internal resources to external users for a temporary time period. 

4. Reflexive ACL

A reflexive access list is an improvement on extended ACL. It automatically opens the router to the reply packets in response to the outbound traffic initiated from your network.

Based on the syntax

While creating the different ACLs mentioned here, you can use names or numbers to identify and refer to the access list. Based on the syntax used, there are two types of ACL: numbered and named.

Numbered ACL vs. Named ACL

1. Numbered ACL

As the name suggests, a numbered ACL is identified by a number drawn from a reserved range, and the range tells the device what kind of list it is. For example, standard ACLs use the ranges 1-99 and 1300-1999 for lists that permit or deny traffic by source IP address. Similarly, extended ACLs use the ranges 100-199 and 2000-2699. 

2. Named ACL

In a named ACL, users assign an alphanumeric name to identify the list. This is more convenient than numbered ACLs because users can specify a meaningful name that’s easier to remember. Named ACLs also provide additional advantages, like adding or deleting entries easily without having to delete the entire ACL, a feature that’s absent in numbered access lists.

Based on the purpose

Three different categories of ACLs exist, each serving a unique purpose, like regulating access, auditing, and enforcing strict controls.

1. Discretionary ACL (DACL)

A discretionary access control list (DACL) is a user-oriented access control. Here, an ACE mentions users or groups that are permitted or denied access to a secure object.

2. System ACL (SACL)

The system access control list (SACL) is more about monitoring who is accessing a secured object than controlling access. SACLs log the attempts to access a secured object based on set rules. Here, the ACE specifies the types of access attempts that must be recorded in the security event log.

For instance, one ACE can record any failed access attempt to a secure file, while another can log any attempt to write to or modify an object. The resulting audit trail helps identify security compromises in the system.

3. Mandatory ACL (MACL)

Unlike other ACL types that allow the owners of an object to define the ACL, the mandatory access control list (MACL) is determined by the system or authority. Users don’t have the ability to override or modify the ACL entries. MACLs help enforce strict control over granting access permissions.

Role-based access control (RBAC) vs. ACL

An ACL and role-based access control (RBAC) sound similar, but let’s look at some differences.

[Image: RBAC vs ACL]

With RBAC, different jobs get different sets of permissions to system resources so that users only have the minimum access needed to complete a task. 

For instance, a system administrator has full access to all applications and resources an enterprise is using. However, specific groups like the sales team only have access to sales software. While the marketing team can access and view sales teams' dashboards, only salespeople can make changes, and add or delete the dashboard.

RBAC is the preferred mechanism for enforcing company-wide access management policies. 

[Image: Role Based Access Control (RBAC) working]

An ACL, on the other hand, offers fine-grained access control at the individual user level, based on the criteria defined in its ACEs. Because it works at the level of individual users, ACLs are difficult to manage in large enterprise networks. 

Related: Learn how identity and access management software help with RBAC.

Benefits of ACL

Companies use ACL to secure data and restrict unauthorized users from accessing business-sensitive information. This prevents data breaches and other cyberattacks. It also controls network traffic by limiting the number of users accessing files, systems, and information. Here are the advantages of using an access control list for your enterprise network. 

  • Improve network security and reduce the chance of spoofing, distributed denial-of-service (DDoS), security breaches, and other cyberattacks.
  • Get granular control over user access and network traffic at different points. For example, you can apply network ACLs near the source or destination of the traffic, and at endpoints like applications or servers. 
  • Limit network traffic to improve network performance. For example, you can restrict video traffic on the network using an ACL and reduce network load. 
  • Prioritize certain classes of traffic based on the address, type, protocol, and purpose of the data. For instance, you can prioritize voice over internet protocol (VoIP) over other types of traffic using an ACL for faster communication over the internet.

Best practices for implementing an ACL

Implementing ACLs for different IT assets in an enterprise network is never the same. Configuring a standard ACL on a router is distinct from configuring an ACL for the cloud storage system. And getting them right is important to avoid the trouble of downtime and network errors. You can follow certain general best practices for effective ACL implementation.

Implement ACLs everywhere

Configure ACLs on any public-facing network interface and within your internal network interface, too. This controls both inbound and outbound access and ensures no device is exposed. You can also create detailed access control for sensitive resources and minimize the impact of security and data breaches.

Align ACLs with security policies

Define what you want your ACLs to do. Consider which individual users and groups need to be given permission and what their level of access is. Base this on the organization’s security policies. This makes sure your ACLs aren’t in conflict with your cybersecurity guidelines.

Writing out detailed ACL rules in advance also helps you avoid access problems later. Order the rules carefully, since ACL entries are read sequentially and the first matching entry decides. Use your rulebook to decide which entries take priority.

Create an ACL library

Document all your ACLs. You can use the comment option in ACLs to add descriptions of each rule’s purpose, date of creation, author, and other relevant details. Documenting helps you keep track of all your access control rules so you can manage them better. It also gives you a library of ACLs that you can edit and reuse at any point.

Restrict, protect, and secure

ACLs are formidable tools in system and network security to control and manage access to sensitive data. They act as gatekeepers, permitting authorized entities while denying entry to potential threats. Fortify your enterprise digital perimeters with ACLs and secure your network.

Learn more about network access control and why your business needs it. 

Soundarya Jayaraman

Soundarya Jayaraman is a Content Marketing Specialist at G2, focusing on cybersecurity. Formerly a reporter, Soundarya now covers the evolving cybersecurity landscape, how it affects businesses and individuals, and how technology can help. You can find her extensive writings on cloud security and zero-day attacks. When not writing, you can find her painting or reading.