Section 9.1: Access Control List

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL lists every user account and group that has been granted access to the file or folder, together with the type of access each has been granted. When a user attempts to access a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or for a group to which the user belongs. For the user to gain access, that entry must allow the type of access being requested. If no such entry exists, or the entry does not match the type of access the user requests, the user is not granted access to the resource.
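The check described above can be modeled in a few lines. This is an added example, not code from the original text: the account and group names and the sample ACL are constructed, the `Ace` class and `access_check` function are hypothetical names, and the handling of deny entries and entry order goes beyond what the section states.

```python
from dataclasses import dataclass

# Access-right bits; the values match the Windows file access mask constants.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004

@dataclass(frozen=True)
class Ace:
    trustee: str        # user account or group the entry applies to
    mask: int           # access rights the entry covers
    allow: bool = True  # False models a deny entry (assumption beyond the text)

def access_check(acl, user, groups, requested):
    """True only if entries for the user or its groups allow every requested right."""
    identities = {user, *groups}
    remaining = requested              # requested rights not yet granted
    for ace in acl:                    # entries are evaluated in stored order
        if ace.trustee not in identities:
            continue                   # entry is for some other account or group
        if not ace.allow:
            if ace.mask & remaining:   # deny hits a right still being asked for
                return False
            continue
        remaining &= ~ace.mask         # allow entry grants some of the rights
        if remaining == 0:
            return True
    return False  # no matching entry, or entries did not cover the request

# Constructed sample ACL for one file (deny entries first, then allow entries).
REPORT_ACL = [
    Ace("Interns", FILE_WRITE_DATA | FILE_APPEND_DATA, allow=False),
    Ace("alice", FILE_READ_DATA | FILE_WRITE_DATA),
    Ace("Staff", FILE_READ_DATA),
    Ace("Editors", FILE_WRITE_DATA),
]

if __name__ == "__main__":
    cases = [
        ("alice", ["Staff"], FILE_READ_DATA | FILE_WRITE_DATA),
        ("bob", ["Staff"], FILE_WRITE_DATA),         # entry exists, wrong type
        ("carol", ["Contractors"], FILE_READ_DATA),  # no entry at all
        ("dave", ["Staff", "Interns"], FILE_WRITE_DATA),
    ]
    for user, groups, req in cases:
        print(user, hex(req), access_check(REPORT_ACL, user, groups, req))
```

Rights granted through several matching entries accumulate, so a member of both Staff and Editors is allowed read plus write even though neither entry alone covers the request.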