Systems that use ACLs can be classified into two categories: discretionary and mandatory. A system is said to have discretionary access control if the creator or owner of an object can fully control access to the object, including, for example, altering the object's ACL to grant access to anyone else. A system is said to have mandatory access control (also known as "non-discretionary access control" in the security literature) if it enforces system-wide restrictions that override the permissions stated in the ACL.
Traditional ACL systems assign permissions to individual users, which can become cumbersome in a system with a large number of users. In a more recent approach called role-based access control, permissions are assigned to roles, and roles are assigned to users.
The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file. These entries are known as access control entries (ACEs) in the Microsoft Windows, OpenVMS, Linux and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
The ACL is a concept with several different implementations in various operating systems, although there is a POSIX "standard". (The POSIX security drafts, .1e and .2c, were withdrawn when it became clear their scope was too wide and the work would not complete, but the well-developed parts defining ACLs have been widely implemented and are known as "POSIX ACLs".)