
What is an access control list (ACL)?

PDQ | November 11, 2024

An access control list (ACL) is a security mechanism that grants or denies user access to system resources based on defined rules. ACLs help ensure the right people access the right files, folders, or networks—while keeping everyone else out. In this guide, you’ll learn how ACLs work, why they matter, and how to configure them effectively.

Think of an access control list like a guest list — just because you're allowed in doesn't mean you can go anywhere you want.

While the concept of an access control rule is relatively straightforward, there’s far more to it than meets the eye. We’ll explain what you should know about access control lists, including their usage, how they work, and different varieties.

What are the benefits of using an access control list?

At the most basic level, an access control list controls who can access what in your environment. ACL benefits include:

  • Enhance security: Allowing every user free rein across all resources opens your business up to massive security risks. One angry employee, stolen laptop, or set of compromised credentials could give an intruder access to personally identifiable information (PII), account numbers, trade secrets, and more. However, if you limit each employee’s access to the objects they need with a filesystem ACL, an incident like this should be more contained.

  • Control the flow of traffic: By restricting which protocols (TCP, UDP, ICMP) and which directions are allowed for given IP addresses, you can control inbound and outbound traffic. While this is crucial for preventing unauthorized access, it can also improve network performance by reducing traffic.

  • Provide granular monitoring: Using a network ACL allows you to control what network traffic is forwarded and dropped, but you can also monitor it on a granular level. Configuring ACL logging collects statistics and information on permitted and dropped packets.

How does an ACL work?

An ACL filters network or file traffic based on defined rules. It checks each packet or file request against its list of permissions and either allows or denies access. It may do this in one of two ways:

  • Networking ACLs: A networking ACL applies on layer 3 devices, establishing which traffic can enter or leave the network and what activities are permissible.

  • File system ACLs: A file system ACL dictates which users can access specific files and directories and defines their privileges.

The ACL checks incoming and outgoing traffic against each ACL rule to determine compliance and filter traffic accordingly.

What are the key components and setup of an ACL?

ACLs have different components depending on whether you're dealing with network access or file system permissions. Here's how each is structured.

Network ACL components

A network access control list (ACL) defines what traffic is allowed or denied across a network device. Key components include:

  • Sequence number: Identifies the ACL entry

  • ACL name: May be used instead of a number to identify an entry

  • Remark: A router may allow remarks, comments, or descriptions

  • Statement: Permits or denies sources

  • Network protocol: Permits or denies IP, IPX, TCP, ICMP, UDP, NetBIOS, etc.

  • Source or destination: Defines the source or destination as all addresses, an IP range (CIDR), or a single IP

  • Log: Some devices can maintain a log of permitted and denied packets

  • Other criteria: An advanced access control list may allow filtering by IP precedence, type of service (ToS), and differentiated services code point (DSCP) priority

File system ACL components

A file system ACL controls access to files and directories. Components include:

  • Owner: Identifies the owner of the file or directory the ACL protects

  • Group: Specifies the default group that gets access to files

  • Access rights: Defines the user’s level of access; can contain additional users or groups

How to set up an ACL

Setting up an ACL varies depending on your environment. Network ACLs are typically configured through device-specific CLI or GUI interfaces, depending on the vendor and OS.

You can use PowerShell to configure a folder ACL by retrieving the current settings with the Get-Acl command, modifying the rules, and applying them back to the folder:

$acl = Get-Acl c:\temp
$acl.SetAccessRuleProtection($true,$true)
$acl | Set-Acl C:\temp

This script:

  • Gets the current ACL for the folder

  • Removes inheritance from the parent folder (the second $true keeps copies of the rules that were inherited, so the folder’s existing access is preserved rather than wiped)

  • Applies the modified ACL to the folder
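To show the file system ACL components described above (owner, group, access rights) in practice and to take the three-line script one step further, here is an added example of our own, not the script from the article: it reads a folder’s owner, group, and access entries, removes inheritance while keeping the inherited rules, adds an explicit rule for a group, drops any explicit rule for Everyone, and writes the result back. The folder path C:\temp and the group BUILTIN\Users are placeholders; swap in your own.

```powershell
# Added example (not part of the original article). Placeholders: the folder path and the group name.
$Path  = 'C:\temp'
$Group = 'BUILTIN\Users'

# 1. Read the current ACL: owner, group, and the individual access control entries (ACEs)
$acl = Get-Acl -Path $Path
"Owner: $($acl.Owner)"
"Group: $($acl.Group)"
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Stop inheriting from the parent folder.
#    First $true  = protect this ACL from inheritance
#    Second $true = keep copies of the rules that were inherited, so nobody loses access unexpectedly
$acl.SetAccessRuleProtection($true, $true)

# 3. Add an explicit Allow rule: the group gets ReadAndExecute on the folder, and the rule
#    propagates to subfolders (ContainerInherit) and files (ObjectInherit)
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)

# 4. Tighten access: drop any explicit rule that grants 'Everyone' anything.
#    (RemoveAccessRule returns a bool; [void] keeps it out of the output.)
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# 5. Write the modified ACL back to the folder
Set-Acl -Path $Path -AclObject $acl

# 6. Re-read and confirm the result
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated session with an account that can change the folder’s permissions. The order matters: protect the ACL first, then add and remove rules, and only then call Set-Acl, so the folder never sits in a half-modified state between commands.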

ACL configuration rules to follow

When configuring an access control list, keep the following rules in mind:

  • Use only one ACL per interface, per protocol, per direction

  • List the most specific statements first due to top-down processing

  • Include at least one permit entry; otherwise the implicit deny-all statement at the end of every ACL will block all traffic
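The second and third rules are easiest to see by walking a packet through a list by hand. Here is an added example we wrote for this article (not vendor syntax and not code from the article): a small PowerShell simulator of top-down processing over extended-style entries (protocol, source, destination, destination port). The entries and the sample packets are constructed for illustration. The single-host deny at seq 10 is listed before the subnet-wide permit at seq 20 on purpose: if the order were reversed, seq 20 would match that host first and the exception would never take effect. A packet that matches nothing falls through to the implicit deny.

```powershell
# Added example (not part of the original article): a simulator of top-down ACL processing.
# The entries and packets below are constructed for illustration; they are not a vendor's syntax.

# Extended-style entries: protocol, source, destination, destination port. 'any' matches everything.
$acl = @(
    [pscustomobject]@{ Seq = 10; Action = 'deny';   Protocol = 'tcp';  Source = '10.1.1.50/32'; Destination = 'any';          DestPort = '22'  }
    [pscustomobject]@{ Seq = 20; Action = 'permit'; Protocol = 'tcp';  Source = '10.1.1.0/24';  Destination = '10.2.0.10/32'; DestPort = '22'  }
    [pscustomobject]@{ Seq = 30; Action = 'permit'; Protocol = 'tcp';  Source = 'any';          Destination = '10.2.0.10/32'; DestPort = '443' }
    [pscustomobject]@{ Seq = 40; Action = 'permit'; Protocol = 'icmp'; Source = '10.1.1.0/24';  Destination = 'any';          DestPort = 'any' }
)

function ConvertTo-AddressNumber {
    # IPv4 dotted quad -> integer (first octet most significant); [long] avoids sign issues
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216L) + ([long]$b[1] * 65536L) + ([long]$b[2] * 256L) + [long]$b[3]
}

function Test-CidrMatch {
    # Does $Address fall inside $Cidr ('any', a single host as /32, or a network as a.b.c.d/n)?
    param([string]$Cidr, [string]$Address)
    if ($Cidr -eq 'any') { return $true }
    $network, $prefix = $Cidr -split '/'
    # Size of the block covered by the prefix, e.g. /24 -> 256 addresses, /32 -> 1 address
    $blockSize = [long][math]::Pow(2, 32 - [int]$prefix)
    # Snap the given network address down to the start of its block
    $netStart  = [long][math]::Floor((ConvertTo-AddressNumber $network) / $blockSize) * $blockSize
    $addr      = ConvertTo-AddressNumber $Address
    return ($addr -ge $netStart) -and ($addr -lt ($netStart + $blockSize))
}

function Test-AclPacket {
    # Walk the entries in sequence order; the first match decides. No match = implicit deny.
    param($Entries, [string]$Protocol, [string]$Source, [string]$Destination, [string]$DestPort = 'any')
    foreach ($e in ($Entries | Sort-Object Seq)) {
        $isMatch = ($e.Protocol -eq $Protocol) -and
                   (Test-CidrMatch -Cidr $e.Source -Address $Source) -and
                   (Test-CidrMatch -Cidr $e.Destination -Address $Destination) -and
                   ($e.DestPort -eq 'any' -or $e.DestPort -eq $DestPort)
        if ($isMatch) { return "$($e.Action) (matched seq $($e.Seq))" }
    }
    return 'deny (implicit deny: no entry matched)'
}

# Constructed sample packets (protocol, source, destination, destination port)
Test-AclPacket $acl -Protocol tcp  -Source 10.1.1.50 -Destination 10.2.0.10 -DestPort 22   # reaches the host-specific deny at seq 10 before the subnet permit at seq 20
Test-AclPacket $acl -Protocol tcp  -Source 10.1.1.20 -Destination 10.2.0.10 -DestPort 22   # a different host in the same /24 continues on to seq 20
Test-AclPacket $acl -Protocol tcp  -Source 10.1.1.20 -Destination 10.2.0.10 -DestPort 80   # no entry covers tcp/80, so the trailing implicit deny applies
Test-AclPacket $acl -Protocol icmp -Source 10.1.1.20 -Destination 10.9.9.9                 # protocol-only entry at seq 40
```

Try swapping seq 10 and seq 20 and re-running the first packet to see why specific statements have to come first. The same logic also shows the difference between a standard entry (source only) and an extended one: set Destination and DestPort to 'any' and you have a standard-style entry.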

What are the different types of ACLs?

There are countless types of ACLs that vary in their designs and benefits. When crafting an IP ACL, you can choose between over a dozen types. However, ACLs generally break down into four main categories: standard, extended, dynamic, and reflexive.

  • Standard ACL: A standard ACL filters traffic based on the source address. This basic type of ACL doesn’t provide robust protection, but it may be useful for simple deployments when security isn’t a major concern.

  • Extended ACL: An extended access control list is capable of filtering based on multiple factors, including source, destination, port, and protocol. This provides greater flexibility. However, since lists remain static, you must actively manage changes.

  • Dynamic ACL: Dynamic ACLs are conditional ACLs that apply when set criteria about the user, device, or metadata tags are met. Tying the ACL to user authentication instead of IP address can make access easier for users who frequently travel or switch computers.

  • Reflexive ACL: Also referred to as IP session ACLs, reflexive ACLs incorporate session filtering and packet filtering capabilities. A reflexive ACL can be used to permit traffic from sessions originating within the network.

How does RBAC differ from an ACL?

Role-based access control (RBAC) is an access control method based on a user’s role, authority, or competency rather than their individual identity. For larger organizations, in particular, using RBAC can simplify the administration of each access permission and reduce the IT team’s workload. In contrast, ACLs may be more appropriate for low-level data that warrants user-level control.

What are access control list best practices?

Implementing best practices can help keep your access controls current, effective, and manageable. High-priority tasks include:

Develop a baseline

Before creating a new ACL, you should have a clear picture of your company’s current access rights and controls. Understanding the landscape can help you spot holes in your processes and assess the best course of action.

Automate user provisioning

Manual user provisioning and compliance monitoring are time consuming, error prone, and just an all-around pain. Automating the creation, modification, and deletion of user accounts slashes the work for your IT team.

Consider regulatory compliance and the business case

Many industries are subject to compliance requirements that call for an access control program. You should familiarize yourself with these guidelines to ensure your ACL complies. But beyond mere compliance, your ACL should also provide a good ROI by enhancing productivity while limiting your IT team’s time commitment.

Adopt role-based access

Departments and positions vary in their resource needs depending on their responsibilities. Using role-based access control can ensure employees have access to the resources they need while reducing the administrative burden.

Use the principle of least privilege

Security experts tout the principle of least privilege. This just means to always err on the side of caution when granting access. Each employee should have the bare minimum access that’s necessary to do their job. Since IT and security staff need broader access and oversee the access controls, their accounts should be closely monitored. An angry IT or security professional can do serious damage if they become a malicious insider.
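Developing a baseline and enforcing least privilege go together: you can’t spot the over-broad grants until you have enumerated what is actually in place. Here is an added example of our own (not a script from the article) that walks a share, records every access entry into a CSV baseline, and flags Allow entries that give a broad identity Modify or more. The root path, the list of “broad” identities, and the Modify threshold are illustrative policy choices; adjust them to your environment.

```powershell
# Added example (not part of the original article): build a permissions baseline for a share
# and flag entries that are broader than least privilege allows.
# Placeholders/assumptions: $Root, the "broad" identity list, and the Modify threshold are illustrative policy.
$Root            = 'C:\Shares\Finance'
$BroadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$Threshold       = [System.Security.AccessControl.FileSystemRights]::Modify

# Root folder plus every subfolder (skip folders we cannot read rather than aborting the audit)
$folders = @(Get-Item -Path $Root) +
           @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$baseline = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        # Allow entries that give a broad identity Modify or more (FullControl includes the Modify bits)
        $tooBroad = ($ace.AccessControlType -eq 'Allow') -and
                    ($BroadIdentities -contains $ace.IdentityReference.Value) -and
                    (($ace.FileSystemRights -band $Threshold) -eq $Threshold)
        [pscustomobject]@{
            Path      = $folder.FullName
            Owner     = $acl.Owner
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            TooBroad  = $tooBroad
        }
    }
}

# Keep the full baseline for later comparison (re-run and diff to catch permission drift)
$baseline | Export-Csv -Path "$env:TEMP\acl-baseline.csv" -NoTypeInformation

# Entries to review: usually the fix is a narrower group, or ReadAndExecute instead of Modify
$baseline | Where-Object TooBroad | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Keep the CSV from each run; comparing two baselines with Compare-Object is the quickest way to notice that someone granted Authenticated Users Modify on a finance folder last month. Inherited entries flagged here point you at the parent folder where the grant was actually made.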


Access control lists may not be glamorous, but they’re one of the most effective tools for securing networks, systems, and sensitive data. Whether you're building a new policy or auditing an old one, understanding how ACLs work — and how to configure them properly — can save you from major headaches down the line. For more quick-hit definitions like this, check out our Sysadmin Glossary, or connect with the PDQ community to trade scripts, solutions, and sarcastic comments about implicit deny rules.

PDQ

PDQ is the best way to have healthy, up-to-date machines automatically. Scan your environment for vulnerabilities and streamline your patch management and software deployment processes — whether you manage 15 machines or 15,000.