the Windows security descriptor when implementing Network File System (NFS) access permissions. The security descriptor is the structure that governs security assignments for Windows. The security descriptor contains the following components:

File owner


File group


Discretionary access control list (DACL)


System access control list (SACL)


 Notes  
  The SACL is used for auditing and does not affect file permissions.  


A list entry is called an access control entry (ACE). Each ACE consists of the following:

A security identifier (SID) to identify a particular user or group. 


An access list that specifies the permissions allowed or denied for the user or group. 


The following is an example of a DACL:

DACL: Mrjones Full Control (All) 


ToolGroup:Read(RX) 


Everyone:Read (RX) 


In this DACL, Mrjones has read, write, and execute access to the file. Members of the group ToolGroup have read-and-execute access. Members of the group Everyone (all users) have read-and-execute access.

The following rules govern access to a file:

If no DACL is present, everyone is granted full access. 


If a DACL is present, but contains no entries, everyone is denied access. 


The file owner always has the ability to change the DACL. 


In turn, these rules apply to the DACL:

DACL entries are searched sequentially. 


All permissions are implicitly denied. 


Once a permission has been denied, it cannot be granted. 


Once a permission has been granted, it cannot be denied.