The discretionary access control list (DACL) within the security descriptor provides an important part of Windows security. The DACL is a list of entries that grant or deny certain rights to specific users or groups. A list entry is called an access control entry (ACE). Each ACE consists of the following:

The following is an example of a DACL:

In this DACL, User1 has read, write, and execute access to the file. Members of the group ToolGroup have read and execute access. Members of the group Everyone (all users) have read and execute access.
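The DACL described above, modeled as an added Python example (not code from the original page): a simplified access check that walks the ACEs in list order. It goes beyond the example by also handling access-denied ACEs and a missing or empty DACL; the three-bit rights, the `Ace` class, the `access_check` function and the `Guest` account are assumptions made for illustration.

```python
# Added illustration: a simplified model of how a DACL is evaluated.
# Rights are modeled as three bits; real ACEs carry a 32-bit access mask.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    trustee: str     # user or group name (real ACEs hold a SID)
    mask: int        # rights this ACE grants or denies

# The DACL from the example: User1 RWX, ToolGroup RX, Everyone RX.
EXAMPLE_DACL = [
    Ace(True, "User1", READ | WRITE | EXECUTE),
    Ace(True, "ToolGroup", READ | EXECUTE),
    Ace(True, "Everyone", READ | EXECUTE),
]

def access_check(dacl, identities, desired):
    """Return True if every right in `desired` is granted to `identities`."""
    if dacl is None:          # no DACL present: full access for everyone
        return True
    remaining = desired
    for ace in dacl:          # ACEs are evaluated strictly in list order
        if ace.trustee not in identities:
            continue
        if not ace.allow and ace.mask & remaining:
            return False      # a deny on a still-needed right ends the check
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True       # all requested rights have been granted
    return False              # end of list: rights never granted are denied

if __name__ == "__main__":
    user1 = {"User1", "Everyone"}
    guest = {"Guest", "Everyone"}            # constructed account name
    print(access_check(EXAMPLE_DACL, user1, READ | WRITE))
    print(access_check(EXAMPLE_DACL, guest, WRITE))
    # Constructed variant: a deny ACE placed first overrides later allows.
    deny_first = [Ace(False, "User1", WRITE)] + EXAMPLE_DACL
    print(access_check(deny_first, user1, READ | WRITE))
```

Because evaluation stops at the first decisive ACE, the same deny entry appended after the allow entries would not block User1, which is why deny ACEs are normally placed ahead of allow ACEs.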

The following rules govern access to a file:

In turn, these rules apply to the DACL: