Access control list in AP Cybersecurity

An access control list (ACL) is a list attached to a resource (like a file, folder, or network device) that specifies which users or groups can access it and what actions they're allowed to perform.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is access control list?

An access control list (ACL) is exactly what it sounds like: a list of rules that decides who gets in and what they can do once they're in. Picture a guest list at a club door. Each entry names a person (or a group) and the permissions they have, like read, write, or execute. When someone tries to access a resource, the system checks the ACL and either allows or denies the request. If no entry matches the requester, the request is denied by default; an ACL grants access, it does not have to list everyone it keeps out.

ACLs live on the authorization side of security, which is the step that happens after authentication. Authentication (Topic 4.2) proves who you are by checking factors like something you know, have, or are. Authorization then decides what you're allowed to touch. An ACL is one of the most common tools for enforcing that decision. You'll see ACLs on files and folders in an operating system, where entries name users and groups, and you'll also see them on network devices like routers and firewalls, where the entries are rules that permit or deny traffic based on source address, destination address, protocol, and port. Network ACLs are evaluated in order, the first matching rule wins, and traffic that matches no rule hits an implicit deny at the end of the list, so rule order matters as much as rule content.
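The two ACL forms described above, as an added worked example that is not from the AP course materials or this page. The user names, group memberships, file paths, IP ranges, and rules are all constructed for illustration. The first half models a resource ACL (entries name a user or group and the actions it may perform, anything not granted is denied); the second half models an ordered network ACL with first-match evaluation and an implicit deny. The `reachable` helper shows the "blast radius" idea: everything a single stolen account could touch.

```python
"""Added example (not from the AP study page): a minimal model of a
resource ACL and a network ACL.  All names, entries, and addresses are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# --- 1. Resource ACL (files/folders) --------------------------------------
# Constructed group membership.  Principals prefixed "g:" in an ACL are groups.
GROUPS = {
    "payroll": {"alice", "bob"},
    "it-admins": {"carol"},
}

# One ACL per resource: a list of (principal, allowed actions) entries.
ACLS = {
    "/finance/salaries.xlsx": [("g:payroll", {"read"}), ("alice", {"read", "write"})],
    "/etc/config.yaml":       [("g:it-admins", {"read", "write"}), ("g:payroll", {"read"})],
}


def principals_for(user: str) -> set:
    """The user plus every group they belong to: what an ACL entry can match."""
    return {user} | {f"g:{g}" for g, members in GROUPS.items() if user in members}


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Authorization step, run after the user has already authenticated.
    True only if some entry on this resource's ACL grants the action;
    an unknown resource has an empty ACL and is therefore denied."""
    entries = ACLS.get(resource, [])
    matching = principals_for(user)
    return any(p in matching and action in perms for p, perms in entries)


def reachable(user: str) -> set:
    """Blast radius of a compromised account: every (resource, action) it can perform."""
    return {(res, act) for res in ACLS for act in ("read", "write")
            if is_allowed(user, res, act)}


# --- 2. Network ACL (router / firewall) -----------------------------------
@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    port: Optional[int] = None  # None matches any destination port


# Constructed ruleset.  Order matters: the quarantine deny sits first so it
# wins over the broader permits below it.
NET_ACL = [
    Rule("deny",   "10.0.5.0/24", "0.0.0.0/0"),
    Rule("permit", "10.0.0.0/16", "192.168.1.10/32", 443),
    Rule("permit", "10.0.0.0/16", "192.168.1.10/32", 22),
]


def filter_packet(src_ip: str, dst_ip: str, port: int, acl=NET_ACL) -> str:
    """First matching rule decides; no match falls through to the implicit deny."""
    for r in acl:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"   # implicit deny at the end of every network ACL


if __name__ == "__main__":
    print("bob read salaries:", is_allowed("bob", "/finance/salaries.xlsx", "read"))
    print("bob write salaries:", is_allowed("bob", "/finance/salaries.xlsx", "write"))
    print("blast radius if bob's password leaks:", sorted(reachable("bob")))
    print("quarantined host -> web server:", filter_packet("10.0.5.7", "192.168.1.10", 443))
    print("normal host -> web server:443:", filter_packet("10.0.1.7", "192.168.1.10", 443))
    print("normal host -> web server:80:", filter_packet("10.0.1.7", "192.168.1.10", 80))
```

Two things worth noticing when you run it: `bob` can read the salary file through the `payroll` group but cannot write it, because no entry grants him that action, and a host in the quarantined `10.0.5.0/24` range is blocked even though it also falls inside the `10.0.0.0/16` permit, because the deny rule is evaluated first. Swapping the first two network rules would silently open the quarantine, which is why reviewing rule order is part of any ACL audit.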

Why access control list matters in AP Cybersecurity

ACLs sit in Unit 4: Securing Devices, anchored to Topic 4.2 Authentication, but their real job is authorization. Once a system has used an authentication mechanism (EK 4.2.C.1) to verify identity, an ACL is how that system limits a verified user to only what they're supposed to access. That's the principle of least privilege in action. This matters because EK 4.2.B.1 warns that if an adversary compromises a legitimate user's account, they inherit all the access that user had. A tightly scoped ACL shrinks the blast radius. The more precisely you grant permissions, the less damage a stolen password can do.


How access control list connects across the course

Authorization (Unit 4)

Authorization is the bigger idea, and an ACL is one concrete way to enforce it. Authentication asks 'who are you?' and authorization asks 'what can you do?'. The ACL is the actual list that answers that second question.

Discretionary Access Control / DAC (Unit 4)

ACLs are the classic mechanism behind DAC. In DAC, the owner of a resource decides who gets access, and they do it by editing the resource's access control list. Keep the mechanism and the model separate in your head, though: the ACL is the data structure, DAC is the policy about who may change it. An ACL whose entries name groups or roles rather than individuals can just as easily enforce RBAC.

Role-Based Access Control / RBAC (Unit 4)

RBAC groups permissions by job role instead of listing individuals one by one. Compared to a long ACL of named users, RBAC scales better in big organizations because you grant access to a role and then drop people into that role.

Password Attacks (Unit 4)

EK 4.2.B.1 says a compromised password gives an adversary everything that user could access. A well-scoped ACL limits how much 'everything' actually is, so tight access control is a damage-control layer that backs up authentication.

Is access control list on the AP Cybersecurity exam?

Expect ACLs to show up in multiple-choice questions about authorization and access control models. A common stem describes a scenario where a user is verified but then either can or can't perform an action, and asks you to identify the mechanism controlling that outcome: an ACL. You should be able to tell authentication apart from authorization, and to connect ACLs to access control models like DAC and RBAC. No released FRQ uses 'access control list' verbatim, but the concept supports any free-response prompt that asks you to recommend how to limit a user's permissions or apply least privilege to secure a device.

Access control list vs authentication

Authentication verifies your identity (proving you are who you claim to be using a factor like a password). An ACL handles authorization, deciding what a verified user is allowed to access. You authenticate first, then the ACL controls what you can reach. Logging in is not the same as having permission to open every file.

Key things to remember about access control list

  • An access control list (ACL) is a list of rules attached to a resource that says which users or groups can access it and what actions they can perform.

  • ACLs handle authorization (what you can do), which happens after authentication (who you are) verifies your identity.

  • ACLs are the classic mechanism behind Discretionary Access Control (DAC), where the resource owner decides who gets access.

  • A tightly scoped ACL enforces least privilege, which shrinks how much damage a compromised account can do.

  • You'll find ACLs on files and folders in operating systems and on network devices like routers and firewalls.

Frequently asked questions about access control list

What is an access control list in cybersecurity?

It's a list of rules attached to a resource (a file, folder, or network device) that specifies which users or groups can access it and what they're allowed to do, like read, write, or execute. When someone requests access, the system checks the ACL to allow or deny it.

Is an access control list the same as authentication?

No. Authentication proves who you are using a factor like a password or fingerprint. An ACL handles authorization, deciding what a verified user is allowed to access. You authenticate first, and the ACL controls what you can touch afterward.

How is an ACL different from RBAC?

An ACL typically lists individual users or groups and their permissions for a specific resource. Role-Based Access Control (RBAC) assigns permissions to job roles instead, then puts people into roles. RBAC scales better in large organizations because you manage roles instead of editing long per-user lists.

Why do ACLs matter if you already have strong passwords?

Because EK 4.2.B.1 warns that if an attacker steals a legitimate user's password, they get all the access that user had. A tightly scoped ACL limits what any single account can reach, so it contains the damage even when authentication fails.

What access control model uses ACLs?

Discretionary Access Control (DAC) is the model most associated with ACLs. In DAC, the owner of a resource controls access by editing that resource's access control list directly.
