Editing Access-control list (section)

== Implementations ==
Many kinds of operating systems implement ACLs or have a historical implementation; the first implementation of ACLs was in the [[filesystem]] of [[Multics]] in 1965.<ref>{{cite book |title=Elementary Information Security |author=Richard E. Smith |page=150}}</ref><ref>{{Cite conference |last1=Daley |first1=R. C. |last2=Neumann |first2=P. G. |date=1965 |title=A general-purpose file system for secondary storage |url=http://portal.acm.org/citation.cfm?doid=1463891.1463915 |book-title=AFIPS '65 (Fall, part I): Proceedings of the November 30--December 1, 1965, fall joint computer conference, part I |language=en |publisher=ACM Press |pages=213 |doi=10.1145/1463891.1463915}}</ref>

=== Filesystem ACLs ===
A [[filesystem]] ACL is a [[data structure]] (usually a table) containing entries that specify individual user or [[Group (computing)|group]] rights to specific system objects such as programs, [[Process (computing)|processes]], or files. These entries are known as access-control entries (ACEs) in the Microsoft [[Windows NT]],<ref>{{cite web |url= https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb457115(v=technet.10) |title=Managing Authorization and Access Control |date= 2009-09-11 |publisher= [[Microsoft Learn]] |access-date= 2024-05-15}}</ref> [[OpenVMS]], and [[Unix-like]] [[operating system]]s such as [[Linux]], [[macOS]], and [[Solaris (operating system)|Solaris]]. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or [[execution (computing)|execute]] an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

One of the first operating systems to provide filesystem ACLs was Multics. [[PRIMOS]] featured ACLs at least as early as 1984.<ref>{{cite news |date = 1984-05-21 |title= P.S.I. Pacer Software, Inc. Gnet-II revision 3.0 |url = https://books.google.com/books?id=KAUpSdv4AO4C | department = Communications |work = Computerworld |volume= 18 |issue= 21 |page = 54 |issn = 0010-4841 |access-date= 2017-06-30 |quote= The new version of Gnet-II (revision 3.0) has added a line-security mechanism which is implemented under the Primos ACL subsystem.}}</ref>

In the 1990s the ACL and [[role-based access control]] (RBAC) models were extensively tested{{by whom|date=June 2017}} and used to administer file permissions.

==== POSIX ACL ====
[[POSIX]] 1003.1e/1003.2c working group made an effort to standardize ACLs, resulting in what is now known as "POSIX.1e ACL" or simply "POSIX ACL".<ref>{{cite web |last1=Grünbacher |first1=Andreas |title=POSIX Access Control Lists on Linux |url=https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html |website=Usenix |access-date=12 December 2019}}</ref> The POSIX.1e/POSIX.2c drafts were withdrawn in 1997 due to participants losing interest for funding the project and turning to more powerful alternatives such as NFSv4 ACL.<ref>{{cite web |last1=wurtzkurdle |title=Why was POSIX.1e withdrawn? |url=https://unix.stackexchange.com/a/506641 |website=Unix StackExchange |access-date=12 December 2019}}</ref> {{As of|2019|12}}, no live sources of the draft could be found on the Internet, but it can still be found in the [[Internet Archive]].<ref>{{cite web |last1=Trümper |first1=Winfried |title=Summary about Posix.1e |url=https://wt.xpilot.org/publications/posix.1e/ |archive-url=https://web.archive.org/web/20080723061358/https://wt.xpilot.org/publications/posix.1e/ |archive-date=2008-07-23 |date=February 28, 1999}}</ref>

Most of the Unix and Unix-like operating systems (e.g. [[Linux]] since 2.5.46 or November 2002,<ref>{{cite web |url= https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Release_Notes/as-x86/index.html 
|title= Red Hat Enterprise Linux AS 3 Release Notes (x86 Edition) |quote= EA (Extended Attributes) and ACL (Access Control Lists) functionality is now available for ext3 file systems. In addition, ACL functionality is available for NFS. |year= 2003 |publisher= [[Red Hat]] |access-date= 2013-04-08 |archive-url=https://web.archive.org/web/20131202221514/https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Release_Notes/as-x86/index.html |archive-date=2013-12-02 |url-status=dead}}</ref> [[FreeBSD]], or Solaris) support POSIX.1e ACLs (not necessarily draft&nbsp;17). ACLs are usually stored in the extended attributes of a file on these systems.

==== NFSv4 ACL ====
[[NFSv4]] ACLs are much more powerful than POSIX draft ACLs. Unlike draft POSIX ACLs, NFSv4 ACLs are defined by an actually published standard, as part of the [[Network File System]].

NFSv4 ACLs are supported by many Unix and Unix-like operating systems. Examples include [[AIX]], [[FreeBSD]],<ref>{{cite web |url= https://wiki.freebsd.org/NFSv4_ACLs |title= NFSv4 ACLs |date= 2011-09-12 |publisher= [[FreeBSD]] |access-date= 2013-04-08}}</ref> [[Mac OS X]] beginning with version 10.4 ("[[Mac OS X Tiger|Tiger]]"), or Solaris with [[ZFS]] filesystem,<ref>{{cite web |url= https://docs.oracle.com/cd/E19082-01/817-2271/ftyxi/index.html |title= Chapter 8 Using ACLs and Attributes to Protect ZFS Files |publisher= [[Oracle Corporation]] |date= 2009-10-01 |access-date= 2013-04-08}}</ref> support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for [[Ext3]] filesystem<ref>{{cite web |url= http://users.suse.com/~agruen/nfs4acl/ |title= Native NFSv4 ACLs on Linux |first= Andreas |last= Grünbacher |date= May 2008 |publisher= [[SUSE S.A.|SUSE]] |archive-url= https://web.archive.org/web/20130620012339/http://users.suse.com/~agruen/nfs4acl/ |archive-date= 2013-06-20 |url-status= dead |access-date= 2013-04-08}}</ref> and the more recent [[Richacls]], which brings NFSv4 ACLs support for [[Ext4]] filesystem.<ref>{{cite web |url=http://www.bestbits.at/richacl/| title=Richacls – Native NFSv4 ACLs on Linux |first=Andreas |last=Grünbacher |date=July–September 2010 |publisher=bestbits.at |access-date=2013-04-08 |archive-url=https://web.archive.org/web/20130320080142/http://www.bestbits.at/richacl/ |archive-date=2013-03-20 |url-status=dead}}</ref> As with POSIX ACLs, NFSv4 ACLs are usually stored as extended attributes on Unix-like systems.

NFSv4 ACLs are organized nearly identically to the Windows&nbsp;NT ACLs used in [[NTFS]].<ref>{{cite web |url=https://wiki.linux-nfs.org/wiki/index.php/ACLs#NFSv4_and_Windows_ACLs |title=ACLs |website=Linux NFS}}</ref> NFSv4.1 ACLs are a superset of both NT ACLs and POSIX draft ACLs.<ref>{{cite web |title=Mapping Between NFSv4 and Posix Draft ACLs |url=https://tools.ietf.org/id/draft-ietf-nfsv4-acl-mapping-05.txt}}</ref> [[Samba (software)|Samba]] supports saving the NT ACLs of SMB-shared files in many ways, one of which is as NFSv4-encoded ACLs.<ref>{{cite web |title=vfs_nfs4acl_xattr(8) |url=https://www.samba.org/samba/docs/current/man-html/vfs_nfs4acl_xattr.8.html |website=Samba Manual}}</ref>

=== Active Directory ACLs ===

[[Microsoft]]'s [[Active Directory]] service implements an [[LDAP]] server that stores and disseminates configuration information about users and computers in a domain.<ref>{{cite web |title=[MS-ADTS]: Active Directory Technical Specification |date=7 June 2024 |url=https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d2435927-0999-4c62-8c6d-13ba31a52e1a}}</ref> Active Directory extends the LDAP specification by adding the same type of access-control list mechanism as Windows&nbsp;NT uses for the NTFS filesystem. Windows&nbsp;2000 then extended the syntax for access-control entries such that they could not only grant or deny access to entire LDAP objects, but also to individual attributes within these objects.<ref>{{cite journal |last=Swift |first=Michael M. |title=Improving the granularity of access control for [[Windows 2000]] |journal=ACM Transactions on Information and System Security |volume=5 |issue=4| pages=398–437 |date=November 2002 |doi=10.1145/581271.581273 |s2cid=10702162}}</ref>

=== Networking ACLs ===
On some types of proprietary computer hardware (in particular, [[router (computing)|routers]] and [[Network switch|switches]]), an access-control list provides rules that are applied to [[Port (computer networking)|port numbers]] or [[IP address]]es that are available on a [[server (computing)|host]] or other [[Network Layer|layer&nbsp;3]], each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network [[domain name]]s, this is a questionable idea because individual [[Transmission Control Protocol|TCP]], [[User Datagram Protocol|UDP]], and [[Internet Control Message Protocol|ICMP]] headers do not contain domain names. Consequently, the device enforcing the access-control list must separately [[Name resolution (computer systems)|resolve names]] to numeric addresses. This presents an additional [[attack surface]] for an attacker who is seeking to compromise security of the system which the access-control list is protecting. Both individual [[server (computing)|servers]] and [[router (computing)|routers]] can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to [[firewall (networking)|firewalls]]. Like firewalls, ACLs could be subject to security regulations and standards such as [[PCI&nbsp;DSS]].

=== SQL implementations ===
ACL algorithms have been ported to [[SQL]] and to [[Relational database management system|relational database systems]]. Many "modern" (2000s and 2010s) SQL-based systems, like [[enterprise resource planning]] and [[Content management system|content management]] systems, have used ACL models in their administration modules.