Access Control List: What are they and how do they work?

Payal Wadhwa

Jan 13, 2024

Organizations today are increasingly realizing that controls, especially access controls, are the first (and sometimes last) line of defense. According to a report by Verizon, insiders caused 20% of data breaches in 2022 because of privilege creep.

Such issues have made network strategies like zero-trust network access (ZTNA) integral for organizations that aim to implement layered security. ZTNA highlights the importance of continuously verifying identity and context. That’s where access control lists come into the picture and form an essential part of the broader network access strategy.

Access control lists can be used to reduce risks related to privilege escalation and access mismanagement. Minimizing unauthorized access is a crucial mechanism to protect against identity theft, cyberattacks, data exposure, compliance violations, and more.

This blog talks about how ACLs work, the types of ACLs and how you can implement one using best practices.

What is an access control list (ACL)?

An access control list is a register of users and objects with access permissions to critical resources. These rules grant or deny access to critical systems, data and networks based on roles and dictate who can do what with the specific resource.

Why do you need to establish an access control list?

Access control lists are required to prevent unauthorized activities from restricted users. These are also needed to control network data routing to protect sensitive business resources. ACLs can limit or deny permissions to access files and networks to minimize threats and attacks.

Here’s why you need to establish an ACL:

1. Minimize unauthorized access

Access control lists help enforce selective permission rights and deny access attempts by unauthorized users. This maintains the integrity and confidentiality of sensitive data and minimizes the chances of a data breach or data loss caused by access mismanagement.

2. Network traffic steering

Access control lists can restrict access to specific network resources and redirect traffic flow to other servers. So, ACLs installed in routers, switches, or other network devices can help with traffic filtering and improve network efficiency.

3. Enhanced security

ACLs enable access policy enforcement and reduce the attack surface by curtailing unauthorized activity and blocking unwanted network traffic. These robust access barriers translate into enhanced network security and fewer cyber-attacks.

4. Granular level control

ACL defines permissions for user groups or identities and specifies the actions each user can perform on several resources. It also supports any conditional rules such as IP address filtering and principles like default deny or least privilege. All these capabilities facilitate fine-grain monitoring and control of network access and traffic.

5. Better people processes

ACLs can be used in conjunction with role-based access controls to deny or permit access at the time of onboarding. Similarly, they can be used to revoke access rights at the time of offboarding. There can be temporary access rules for special projects assigned to employees and even for third parties and vendors. ACLs thus help streamline several people processes.

How does ACL work?

ACLs work by enforcing the specified access rules to permit or restrict access. These rules can be defined based on criteria such as source and destination IP address, protocols, etc. Depending on the type of ACL, the rules ensure that only authorized entities have access to sensitive information assets.

Let us see two cases of how ACLs work here:

Case 1: Filesystem ACLs contain access control entries with permissions defined for users, groups, or other entities that can access files. These permissions define the actions that users or groups can perform on files or directories, such as read-only, write, execute, delete, etc. So, whenever access to a file is requested, the operating system matches any corresponding ACL entry to allow or deny access.

Case 2: Network ACLs are installed in network gateways such as routers and switches to deny or allow traffic based on the rules defined. Each time a data packet requests access to networks, the router scans these predefined rules, and if the packet matches the ‘permit’ criteria, it is allowed access. So, if there is a simple access control rule to deny all traffic from the public internet, the network device will block it accordingly.

Types of access control list

Broadly, access control lists are of two types: Standard ACLs and Extended ACLs. However, there are other classifications based on the choice of operating system and access control domain.

Main category types:

Standard ACL

Standard access control lists are easily configured deployments and, hence, the most popularly used type. These ACLs filter network traffic based on source IP address and can deny or permit all protocols to a specific network segment.

Standard ACLs lack granularity and hence might be used only for basic access controls. These ACLs use access list numbers 1-99 and 1300-1999 and match on source IP addresses.

Extended ACL

Extended access lists have complex configurations and consider source, destination addresses, and factors like port numbers for filtering network traffic. The precision of control in EACLs allows blocking or permitting specific protocols or applications rather than the entire suite.

Extended ACLs are used by enterprises, data centers, and other organizations where versatile and complex security policies exist. These ACLs use numbers 100-199 and 2000-2699 for identification purposes.

| Standard ACL | Extended ACL |
| --- | --- |
| Filter traffic based on source IP | Filter traffic based on source/destination IP, protocols, ports etc. |
| Permits/denies entire protocol suite | Selected services can be blocked |
| Implemented close to destination | Implemented close to source |
| Access list number range 1-99 and 1300-1999 | Access list number range 100-199 and 2000-2699 |

Next, access control lists can be categorized based on domain and choice of operating system.

Based on the access control domain:

Filesystem ACL

Filesystem ACL filters access to files and directories in an operating system. It specifies the users that have access to these files along with the access privileges attached to each user.

Networking ACL

Networking ACL filters access to the entire network. These are used in conjunction with network devices such as routers and switches to regulate network traffic flow.

Based on the choice of operating system

ACL using Linux

Linux ACLs allow for granular-level access controls and permissions for files and directories. This is because of its open-source and flexible nature, which allows for a greater degree of customization. It, however, requires expert assistance for managing the environment.

ACL using Windows

Windows is more straightforward, more stable, and easier to configure and allows for applying file permissions to specific users and groups. It, however, lacks the flexibility and customizations Linux offers. The choice here depends on the use case, existing environment, and other factors such as user-friendliness.

How to implement an access control list?

Access control lists are mostly implemented by network and system administrators, security professionals or IT managers. They ensure that ACLs align with security requirements and business context. ACLs are established at the network level, operating system level, and application level, among others.

1. Understand the access requirements

Understand your network traffic flow to decide what you want to filter. The knowledge about source, destination, and protocols in the traffic is crucial. Next, finalize the criteria for selecting the right type of ACL. This can look like defining parameters such as IP addresses, extended IP addresses and other protocols.

2. Configure ACL as per platform

ACLs can be deployed in diverse environments. The next step is to configure ACLs based on your choice of operating system (such as Windows, Linux, etc.), devices, or services. Every platform or service has its own syntax and commands. Make sure the choice of platform, device, or network service aligns with your requirements and expertise.

3. Set appropriate permissions

The next step is to define ACL permissions for users, groups, or entities. Basic permissions (read, write etc.), special user privileges (execute) or ACL rules for granular-level control must be established. In the case of network ACLs, the criteria for allowing entry to data packets will be defined.

Vital tips:

  • Have at least one permit statement while creating an ACL or it will deny all traffic.
  • Include ‘deny all traffic’ at the end of the ACL. This implies that if traffic does not match any ACL rules, it will be denied access.
  • The ‘deny’ rules must be ‘explicit.’
  • Do not use generic destinations such as ‘any’.

4. Begin with implementation

Start the implementation process by using the necessary commands. Make sure to test rule implementation by accessing resources from various user accounts. Maintain documentation for all configurations and rules so you can refer to them whenever required.

5. Monitor ACL success

Set up a monitoring mechanism to ensure ACL implementation success. Regularly review these rules and make the desired updates. Remove users who have left the organization or do not require access any longer. Using role-based access controls in conjunction with ACLs can help here.
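
One way to carry out the periodic review in step 5 for filesystem ACLs, as an added example that is not from the original article. It parses text in the format printed by the Linux `getfacl` command and flags named entries that are not on a roster of active users or groups; the sample ACL, the roster sets and all names are constructed, and effective permissions are computed with the POSIX ACL mask entry.

```python
# Added example: review filesystem ACL entries against a roster of active principals.
# SAMPLE mimics `getfacl` output; the path, users and groups are constructed.
SAMPLE = """\
# file: srv/finance/payroll.csv
# owner: alice
# group: finance
user::rw-
user:bob:rw-
user:carol:r--
group::r--
group:contractors:rw-
mask::r--
other::---
"""

ACTIVE_USERS = {"alice", "carol"}   # assumed export from HR or the identity provider
ACTIVE_GROUPS = {"finance"}

def parse_acl(text):
    """Return (path, entries); each entry is (kind, name, perms), name '' for base entries."""
    path, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            kind, name, perms = line.split(":")[:3]
            entries.append((kind, name, perms[:3]))  # drops any trailing "#effective" note
    return path, entries

def effective(perms, mask):
    """Named users and all group entries are limited by the mask entry."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def review(text, users, groups):
    """List named ACL entries whose principal is no longer on the roster."""
    path, entries = parse_acl(text)
    mask = next((p for k, _, p in entries if k == "mask"), "rwx")
    findings = []
    for kind, name, perms in entries:
        if not name or kind not in ("user", "group"):
            continue  # base entries (owner, owning group, mask, other) have no name
        roster = users if kind == "user" else groups
        if name not in roster:
            findings.append((path, f"{kind}:{name}", effective(perms, mask), "remove: not on roster"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, ACTIVE_USERS, ACTIVE_GROUPS):
        print(*finding, sep="  ")
```
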

Components of access control list

Each component of the access control list plays a specific role in deciding who will get what permissions and under what conditions.

Have a look at these 7 components of ACL:

Sequence number: The sequence number helps identify unique objects in the ACL entry and determines the order in which entries are evaluated.

ACL name: ACL name is an alternative to the sequence number and primarily uses unique alphanumeric values for identification.

Remark: A comment or remark is usually added to ACL entries that require a detailed explanation or a clarification of the rule applied. This is also helpful during documentation.

Network protocol: ACLs can be used to grant or deny access to a network protocol such as IP (Internet protocol), TCP (Transmission control protocol), or UDP (User datagram protocol). So, this component can be used to specify the protocols that are denied/allowed based on any set parameters. 

Log: Logs provide a record of incoming and outgoing network traffic and are an optional feature used to provide insights from monitoring activities.

Statement: Permit or deny statements can be set as rules and used to filter the incoming and outgoing traffic. These statements contain information such as source and destination addresses. The router evaluates the statements sequentially, and a data packet that matches no permit statement is denied entry.

Source/destination: The source address or destination address helps determine access or denied entry based on set rules.

Best practices of ACL

Specificity is key when establishing access control lists. The naming conventions and sequence should be taken care of to avoid ambiguity and errors. You must also reduce the volume of source and destination traffic for ACL rule optimization.

Check out these best practices for ACL implementation:

Be specific and descriptive

It is crucial to explicitly define what is allowed or denied when finalizing ACL rules. You can specify the source and destination address and other parameters when defining such conditions. Additionally, use descriptive names for ACL rules to make understanding of the intent and purpose easier.

Use ACLs for every interface

Having ACLs for every network interface is crucial because the same rules can’t protect external or public interfaces and internal interfaces from unauthorized access. Implementing rules for all interfaces helps with enhanced security, granular control, and easier traffic segmentation.

Place ACL order rules carefully

ACL rules are processed sequentially, which means that the first rule a packet matches is the one that is applied. If the packet does not match any permit criteria, the ACL denies its entry. So, specific rules must take precedence over generic/broader rules.
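
The first-match behavior described above, as an added example that is not from the original article: a small evaluator with an implicit deny, plus a check that flags rules an earlier, broader rule makes unreachable. The rule tuple layout, the function names and the documentation-range addresses are assumptions made for illustration.

```python
# Added example: first-match ACL evaluation and detection of shadowed rules.
from ipaddress import ip_address, ip_network

# Constructed rule set: (sequence, action, source, destination, protocol, port)
RULES = [
    (10, "permit", "192.0.2.0/24",  "198.51.100.10/32", "tcp", 443),
    (20, "deny",   "192.0.2.0/24",  "198.51.100.0/24",  "tcp", None),  # None = any port
    (30, "permit", "192.0.2.50/32", "198.51.100.20/32", "tcp", 22),    # never reached
]

def matches(rule, src, dst, proto, port):
    _, _, r_src, r_dst, r_proto, r_port = rule
    return (ip_address(src) in ip_network(r_src)
            and ip_address(dst) in ip_network(r_dst)
            and r_proto in (proto, "ip")      # "ip" stands for every protocol
            and r_port in (None, port))

def evaluate(rules, src, dst, proto, port):
    """Return (action, sequence) of the first matching rule, or the implicit deny."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if matches(rule, src, dst, proto, port):
            return rule[1], rule[0]
    return "deny", None   # no rule matched: deny by default

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (ip_network(b[2]).subnet_of(ip_network(a[2]))
            and ip_network(b[3]).subnet_of(ip_network(a[3]))
            and a[4] in (b[4], "ip")
            and a[5] in (None, b[5]))

def shadowed(rules):
    """Return (later_seq, earlier_seq) pairs where the later rule can never fire."""
    ordered = sorted(rules, key=lambda r: r[0])
    return [(later[0], earlier[0])
            for i, later in enumerate(ordered)
            for earlier in ordered[:i]
            if covers(earlier, later)]

if __name__ == "__main__":
    print(evaluate(RULES, "192.0.2.50", "198.51.100.20", "tcp", 22))
    print(shadowed(RULES))
```

Giving the SSH permit a sequence number below 20 places the specific rule ahead of the broad deny, and the shadow check then returns an empty list.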

Documentation is crucial

Documentation gives security teams clarity and context. It also comes in handy during troubleshooting or when making policy changes and updates. Include rule numbers, descriptions, source and destination addresses, and context added in comments/remarks, along with other necessary details for clear and concise documentation.

Leverage ACL automation tools

Manually managing multiple ACLs can be challenging and time-demanding, and that’s where deployment by ACL automation tools helps. These tools can streamline access control management processes and are a scalable choice while ensuring accuracy for complex ACLs.

Use Sprinto in conjunction with ACLs

Access control lists are gatekeepers of sensitive resources, ensuring security and meeting compliance requirements. However, they cannot be used as a standalone security measure for access controls, especially if you are in a regulated industry. You will need a compliance automation tool like Sprinto for policy enforcement, airtight security measures, continuous control monitoring and more.

Sprinto supports role-based access controls and enables you to assign a designated person for each role. It can automatically publish policy documents and enforce acknowledgment. It can manage all hiring evaluations and offboarding to ensure accurate ACL implementation. As for compliance, it is the #1 rated tool on G2 in the category for 100% audit success.


What are some examples of access control lists?

Common examples of ACL include database ACLs, web server ACLs, VPN access control lists and proxy server ACLs.

What is the difference between authorization and access control list?

Authorization policies define what authenticated users can do with the resource, while access control lists help enforce these policies at a granular level. Additionally, authorization is user-centric, while ACLs specify permissions for access to resources, i.e., what a user can do with a particular resource.

What are the 4 types of access controls?

The 4 kinds of access control include mandatory access control, discretionary access control, role-based access control, and attribute-based access control.

What are dynamic and reflexive ACLs?

Dynamic ACLs manage access controls dynamically based on specific attributes and the ACL entries are defined at the time of execution, unlike static fixed entries. These are also known as lock-and-key security.

Reflexive ACLs are used to filter access in situations where outbound traffic is generated from the internal network. It is also known as IP sessions ACL.

Payal Wadhwa

Payal is your friendly neighborhood compliance whiz! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
