An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.
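(An ACL is a list that contains multiple ACEs. Each ACE in the ACL identifies a trustee and specifies the access rights that are allowed, denied, or audited for that trustee. The security descriptor of each securable object contains two types of ACL: a DACL and a SACL.)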
A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. For more information, see How DACLs Control Access to an Object. For information about how to properly create a DACL, see Creating a DACL.
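(A DACL determines whether a trustee's access to a securable object is allowed or denied. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to decide whether to grant the process access. If the securable object has no DACL, the system grants everyone full access to it. If the object's DACL contains no ACEs, the system denies every attempt to access the object, because the DACL does not allow any access rights. The system checks the ACEs in the DACL in sequence until it finds one or more ACEs that allow all of the requested access rights, or until any one of the requested access rights is denied. DACL: discretionary access control list; "discretionary" means arbitrary, decided at one's own discretion.)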
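The evaluation order described above, as an added Python model (not code from the original page and not the Windows implementation). The right bits and trustee names are constructed, group membership is reduced to a set of names, and inheritance and privileges are not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed access-right bits for this model (not the real Windows mask values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # constructed name standing in for a SID
    mask: int     # rights this ACE allows or denies

def access_check(dacl: Optional[Sequence[Ace]], trustees: set, desired: int) -> bool:
    """Return True if every right in `desired` is granted to the caller."""
    if dacl is None:        # object has no DACL: full access for everyone
        return True
    remaining = desired     # requested rights that no ACE has allowed yet
    for ace in dacl:        # ACEs are checked in sequence
        if ace.trustee not in trustees:
            continue        # ACE names a trustee the caller does not hold
        if ace.kind == "deny" and ace.mask & remaining:
            return False    # a requested right is denied: evaluation stops
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True # all requested rights allowed: evaluation stops
    return False            # empty DACL, or list exhausted with rights missing

# Constructed sample data: the same two ACEs in two different orders.
CALLER = {"alice", "Staff"}
DENY_FIRST = [Ace("deny", "alice", WRITE), Ace("allow", "Staff", READ | WRITE)]
ALLOW_FIRST = [Ace("allow", "Staff", READ | WRITE), Ace("deny", "alice", WRITE)]

if __name__ == "__main__":
    cases = [
        ("no DACL, DELETE", None, DELETE),
        ("empty DACL, READ", [], READ),
        ("deny first, WRITE", DENY_FIRST, WRITE),
        ("deny first, READ", DENY_FIRST, READ),
        ("allow first, WRITE", ALLOW_FIRST, WRITE),
    ]
    for label, dacl, desired in cases:
        verdict = "granted" if access_check(dacl, CALLER, desired) else "denied"
        print(f"{label:20} {verdict}")
```

With the allow ACE listed first, the walk stops before it reaches the deny ACE, so when reviewing a DACL check the order of its ACEs as well as their contents.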
A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. For more information about SACLs, see Audit Generation and SACL Access Right.
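(A SACL helps administrators log attempts to access a secured object. Each ACE specifies the types of access attempt by a particular trustee that cause the system to generate a record in the security event log. An ACE in a SACL generates audit records when an access attempt fails, when it succeeds, or both. SACL: system access control list.)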