Access Control List (ACL)

Security & Compliance intermediate

An Access Control List (ACL) is a set of rules attached to a resource that specifies which subjects are allowed which actions on that resource.

Summary

An Access Control List (ACL) is an ordered set of rules attached to a resource that specifies which subjects (users, groups, source addresses, services) are allowed which actions on that resource.

What is an ACL?

ACLs appear in many layers of a system. File systems attach ACLs to files and directories to grant or deny read, write, and execute permissions per user or group. Network devices use ACLs as packet filters that allow or block traffic based on addresses, ports, and protocols. Cloud platforms use ACLs on buckets, queues, and APIs. Modern mesh VPNs and Zero Trust gateways express their connectivity policies as identity-based ACLs.

A typical ACL entry combines a subject, a resource pattern, an action, and an effect (allow or deny). Many implementations evaluate the list top to bottom and apply the first matching rule, so ordering matters: a broad allow placed above a tighter deny silently overrides it. Modern stacks add explicit deny-by-default semantics (no matching rule means the request is refused) to avoid this class of mistake.

In a Zero Trust setup the ACL is identity-aware: rules speak about user attributes and tags rather than IP addresses. NetBird's policy editor, for example, expresses "users in group developers may reach machines tagged dev" — an ACL whose subjects are IdP identities and whose objects are device tags.
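The first-match, deny-by-default evaluation described above, as an added example (not code from this page or from NetBird): a small Python evaluator over a constructed user/group directory and machine tag table. The `group:` and `tag:` prefixes in rule subjects and resources are an assumed syntax for this example, and the two lists show the same rules in a safe order and with the broad allow misplaced above the deny.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed example, not any product's code: a first-match ACL
# evaluator with deny-by-default, used to show why rule order matters.

@dataclass(frozen=True)
class Rule:
    subject: str    # user name, "group:<name>" or "*" (assumed syntax)
    resource: str   # glob over resource names or "tag:<name>"
    action: str     # "read", "write", "connect" or "*"
    effect: str     # "allow" or "deny"

# Hypothetical directory: users -> groups, machines -> tags.
GROUPS = {"alice": {"developers"}, "bob": {"contractors"}}
TAGS = {"db-prod-1": {"prod"}, "build-7": {"dev"}}

def _match(pattern, name, memberships):
    # "group:x" / "tag:x" test membership; anything else is a glob.
    if pattern.startswith(("group:", "tag:")):
        return pattern.split(":", 1)[1] in memberships.get(name, set())
    return fnmatch(name, pattern)

def evaluate(acl, subject, resource, action):
    """Walk the list top to bottom; the first matching rule decides.
    No matching rule means deny (explicit deny-by-default)."""
    for rule in acl:
        if (_match(rule.subject, subject, GROUPS)
                and _match(rule.resource, resource, TAGS)
                and rule.action in (action, "*")):
            return rule.effect
    return "deny"

# Intended policy: nobody writes to prod; developers may reach dev machines
# and, as a catch-all, anything else.
TIGHT_FIRST = [
    Rule("*", "tag:prod", "write", "deny"),
    Rule("group:developers", "tag:dev", "*", "allow"),
    Rule("group:developers", "*", "*", "allow"),
]
# Same three rules, but the broad allow was placed above the deny.
BROAD_FIRST = [TIGHT_FIRST[2], TIGHT_FIRST[0], TIGHT_FIRST[1]]

if __name__ == "__main__":
    print(evaluate(TIGHT_FIRST, "alice", "db-prod-1", "write"))  # deny
    print(evaluate(BROAD_FIRST, "alice", "db-prod-1", "write"))  # allow
    print(evaluate(TIGHT_FIRST, "bob", "build-7", "connect"))    # deny
```

The second call is the failure mode the text warns about: the deny rule is still present, but the misplaced catch-all allow matches first.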

Why is an ACL relevant?

  • Least privilege: Forces explicit decisions about who can do what
  • Auditability: Reviewable, exportable rules support compliance and audits
  • Universal pattern: Same mental model across filesystems, networks, cloud, and Zero Trust
  • Foundation of segmentation: Building block for micro-segmentation and Zero Trust policies

Related terms

  • Zero Trust: Security model whose policies are typically expressed as identity-based ACLs
  • Firewall: Classic device whose packet rules are network ACLs
  • Identity Provider: Source of the subjects that identity-aware ACLs reference
  • Mesh VPN: Connectivity is governed by ACLs that combine users, groups, and machine tags
