---
title: "Access Control List — AP Cybersecurity Definition & Exam Guide"
description: "An access control list (ACL) is a set of rules that says who can access a resource and what they can do with it, a core piece of authorization in AP Cybersecurity Unit 4."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/access-control-list"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 4"
---

# Access Control List — AP Cybersecurity Definition & Exam Guide

## Definition

An access control list (ACL) is a list attached to a resource (like a file, folder, or network device) that specifies which users or groups can access it and what actions they're allowed to perform.

## What It Is

An **access control list (ACL)** is exactly what it sounds like: a list of rules that decides who gets in and what they can do once they're in. Picture a guest list at a club door. Each entry names a person (or a group) and the permissions they have, like read, write, or execute. When someone tries to access a resource, the system checks the ACL and either allows or denies the request.

ACLs live on the **[authorization](/ap-cybersecurity/key-terms/authorization "fv-autolink")** side of security, which is the step that happens *after* authentication. Authentication ([Topic 4.2](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7 "fv-autolink")) proves *who you are* by checking factors like something you know, have, or are. Authorization then decides *what you're allowed to touch*. An ACL is one of the most common tools for enforcing that decision. You'll see ACLs on files and folders in an operating system, and you'll also see them on network devices like routers and firewalls, where they filter traffic based on source, destination, and port.

## Why It Matters

ACLs sit in **[Unit 4](/ap-cybersecurity/unit-4 "fv-autolink"): Securing Devices**, anchored to Topic 4.2 [Authentication](/ap-cybersecurity/key-terms/authentication "fv-autolink"), but their real job is authorization. Once a system has used an **authentication mechanism** (EK 4.2.C.1) to verify identity, an ACL is how that system limits a verified user to only what they're supposed to access. That's the principle of least privilege in action. This matters because EK 4.2.B.1 warns that if an adversary compromises a legitimate user's account, they inherit *all* the access that user had. A tightly scoped ACL shrinks the blast radius. The more precisely you grant permissions, the less damage a stolen password can do.

## Connections

### [Authorization (Unit 4)](/ap-cybersecurity/key-terms/authorization)

Authorization is the bigger idea, and an ACL is one concrete way to enforce it. Authentication asks 'who are you?' and authorization asks 'what can you do?'. The ACL is the actual list that answers that second question.

### Discretionary Access Control / DAC (Unit 4)

ACLs are the classic mechanism behind DAC. In DAC, the owner of a resource decides who gets access, and they do it by editing the resource's access control list.

### Role-Based Access Control / RBAC (Unit 4)

[RBAC](/ap-cybersecurity/key-terms/rbac "fv-autolink") groups permissions by job role instead of listing individuals one by one. Compared to a long ACL of named users, RBAC scales better in big organizations because you grant access to a role and then drop people into that role.

### Password Attacks (Unit 4)

EK 4.2.B.1 says a compromised password gives an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") everything that user could access. A well-scoped ACL limits how much 'everything' actually is, so tight access control is a damage-control layer that backs up authentication.

## On the AP Exam

Expect ACLs to show up in multiple-choice questions about authorization and access control models. A common stem describes a scenario where a user is verified but then either can or can't perform an action, and you identify what mechanism is controlling that, an ACL. You should be able to tell authentication apart from authorization, and to connect ACLs to access control models like DAC and RBAC. No released FRQ uses 'access control list' verbatim, but the concept supports any free-response prompt that asks you to recommend how to limit a user's permissions or apply least privilege to secure a device.

## access control list vs authentication

Authentication verifies your identity (proving you are who you claim to be using a factor like a password). An ACL handles authorization, deciding what a verified user is allowed to access. You authenticate first, then the ACL controls what you can reach. Logging in is not the same as having permission to open every file.

## Key Takeaways

- An access control list (ACL) is a list of rules attached to a resource that says which users or groups can access it and what actions they can perform.
- ACLs handle authorization (what you can do), which happens after authentication (who you are) verifies your identity.
- ACLs are the classic mechanism behind Discretionary Access Control (DAC), where the resource owner decides who gets access.
- A tightly scoped ACL enforces least privilege, which shrinks how much damage a compromised account can do.
- You'll find ACLs on files and folders in operating systems and on network devices like routers and firewalls.

## FAQs

### What is an access control list in cybersecurity?

It's a list of rules attached to a resource (a file, folder, or network device) that specifies which users or groups can access it and what they're allowed to do, like read, write, or execute. When someone requests access, the system checks the ACL to allow or [deny](/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa "fv-autolink") it.

### Is an access control list the same as authentication?

No. Authentication proves who you are using a factor like a [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") or fingerprint. An ACL handles authorization, deciding what a verified user is allowed to access. You authenticate first, and the ACL controls what you can touch afterward.

### How is an ACL different from RBAC?

An ACL typically lists individual users or groups and their permissions for a specific resource. Role-Based Access Control (RBAC) assigns permissions to job roles instead, then puts people into roles. RBAC scales better in large organizations because you manage roles instead of editing long per-user lists.

### Why do ACLs matter if you already have strong passwords?

Because EK 4.2.B.1 warns that if an attacker steals a legitimate user's password, they get all the access that user had. A tightly scoped ACL limits what any single account can reach, so it contains the damage even when authentication fails.

### What access control model uses ACLs?

Discretionary Access Control (DAC) is the model most associated with ACLs. In DAC, the owner of a resource controls access by editing that resource's access control list directly.

## Related Study Guides

- [4.2 Authentication](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/access-control-list#resource","name":"Access Control List — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/access-control-list","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/access-control-list#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:31.553Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/access-control-list#term","name":"access control list","description":"An access control list (ACL) is a list attached to a resource (like a file, folder, or network device) that specifies which users or groups can access it and what actions they're allowed to perform.","url":"https://fiveable.me/ap-cybersecurity/key-terms/access-control-list","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.D"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.2, LO 4.2.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is an access control list in cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's a list of rules attached to a resource (a file, folder, or network device) that specifies which users or groups can access it and what they're allowed to do, like read, write, or execute. When someone requests access, the system checks the ACL to allow or [deny](/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa \"fv-autolink\") it."}},{"@type":"Question","name":"Is an access control list the same as authentication?","acceptedAnswer":{"@type":"Answer","text":"No. Authentication proves who you are using a factor like a [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN \"fv-autolink\") or fingerprint. An ACL handles authorization, deciding what a verified user is allowed to access. You authenticate first, and the ACL controls what you can touch afterward."}},{"@type":"Question","name":"How is an ACL different from RBAC?","acceptedAnswer":{"@type":"Answer","text":"An ACL typically lists individual users or groups and their permissions for a specific resource. Role-Based Access Control (RBAC) assigns permissions to job roles instead, then puts people into roles. RBAC scales better in large organizations because you manage roles instead of editing long per-user lists."}},{"@type":"Question","name":"Why do ACLs matter if you already have strong passwords?","acceptedAnswer":{"@type":"Answer","text":"Because EK 4.2.B.1 warns that if an attacker steals a legitimate user's password, they get all the access that user had. A tightly scoped ACL limits what any single account can reach, so it contains the damage even when authentication fails."}},{"@type":"Question","name":"What access control model uses ACLs?","acceptedAnswer":{"@type":"Answer","text":"Discretionary Access Control (DAC) is the model most associated with ACLs. In DAC, the owner of a resource controls access by editing that resource's access control list directly."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 4","item":"https://fiveable.me/ap-cybersecurity/unit-4"},{"@type":"ListItem","position":4,"name":"access control list"}]}]}
```
