Access Control Matrix and Capability List

This image defines the concepts of ACL, objects, subjects, access control matrix and capability list.

There is often confusion about the relationship between the access control matrix, the capability list and the access control list, when in fact all three can be captured in a single image for clarity and simplicity. You can think of the access control matrix as a security access table that combines ACLs and user capability lists to define who can access what, and to what degree. In the ACM, each column represents an object and the privileges assigned to it (the object’s ACL), each row lists a user or subject, and the cells along a row define that subject’s user capabilities, or UCL.


Access Control Matrix

The access control matrix is a security model that protects digital resources, or “objects”, from unauthorized access. It can be thought of as an array of cells with one row per user (“subject”) and one column per object. An entry in a given cell states a specific subject’s access mode on the corresponding object. Every column represents an object’s access list, while a row is equivalent to a subject’s access profile.

Access Control List (ACL)

An ACL is a table that notifies the computer system of a user’s access rights to a given system file or file directory. Every object is assigned a security attribute that establishes its access control list. The ACL has a specific entry for every system user with that user’s access privileges. These privileges cover the ability to read and write a file or files and, if the object is a program or executable file, whether the user may run it. Some operating systems that use ACLs include Digital’s OpenVMS, Microsoft Windows NT/2000, UNIX, and Novell’s NetWare.

Access Control Matrix vs ACL

The primary difference between the access control matrix and an ACL is that the ACL defines the set of privileges attached to a single object, whereas the matrix outlines each subject’s access permissions on every object. Information security is pivotal within a computerized real-time system, so a system implements various measures to achieve it. The first criterion is user authentication, which requires the user to furnish the system with personal details; for instance, a system may ask the user to enter a username and password to access a file. After authentication, the system moves on to authorization, granting rights to the authenticated user. Both models permit users to delegate rights so that third parties can access resources, information, or systems.
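The relationship described in the sections above can be made concrete in code. The following example is added here and is not part of the original article: it builds a small access control matrix (subject and object names are invented for the example), derives an object's ACL as a column and a subject's capability list as a row, performs a default-deny access check against a cell, and rebuilds the matrix from either view to show that ACLs and capability lists are two storage layouts of the same table.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed sample matrix (names invented for this example): rows are subjects,
# columns are objects, and each cell holds the set of access modes the subject
# has on that object. A missing cell means "no access".
ACM: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob":   {"payroll.db": {"read"},          "backup.sh":  {"read", "execute"}},
    "carol": {"report.pdf": {"read", "write"}, "backup.sh":  {"execute"}},
}


def objects(acm: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """All column labels (objects) that appear anywhere in the matrix."""
    return sorted({obj for row in acm.values() for obj in row})


def acl(acm: Dict[str, Dict[str, Set[str]]], obj: str) -> Dict[str, FrozenSet[str]]:
    """Column view: the object's ACL, i.e. which subjects hold which rights on obj."""
    return {subj: frozenset(row[obj]) for subj, row in acm.items() if row.get(obj)}


def capability_list(acm: Dict[str, Dict[str, Set[str]]], subj: str) -> Dict[str, FrozenSet[str]]:
    """Row view: the subject's capability list, i.e. the rights it holds on each object."""
    return {obj: frozenset(rights) for obj, rights in acm.get(subj, {}).items() if rights}


def is_allowed(acm: Dict[str, Dict[str, Set[str]]], subj: str, obj: str, mode: str) -> bool:
    """Reference-monitor check: allow only if the cell (subj, obj) contains mode.
    Unknown subjects, unknown objects and empty cells all fall through to deny."""
    return mode in acm.get(subj, {}).get(obj, set())


def from_acls(acls: Dict[str, Dict[str, FrozenSet[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Rebuild the matrix from per-object ACLs (column-major storage, as in an ACL-based OS)."""
    acm: Dict[str, Dict[str, Set[str]]] = {}
    for obj, entries in acls.items():
        for subj, rights in entries.items():
            acm.setdefault(subj, {})[obj] = set(rights)
    return acm


def from_capability_lists(caps: Dict[str, Dict[str, FrozenSet[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Rebuild the matrix from per-subject capability lists (row-major storage)."""
    return {subj: {obj: set(rights) for obj, rights in entries.items()}
            for subj, entries in caps.items()}


def render(acm: Dict[str, Dict[str, Set[str]]]) -> str:
    """Lay the matrix out as the single table the article refers to."""
    objs = objects(acm)
    width = max(len(x) for x in objs + list(acm)) + 2
    lines = ["".ljust(width) + "".join(o.ljust(width) for o in objs)]
    for subj in sorted(acm):
        cells = [",".join(sorted(acm[subj].get(o, set()))) or "-" for o in objs]
        lines.append(subj.ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(ACM))
    print("ACL of payroll.db:", acl(ACM, "payroll.db"))
    print("capability list of bob:", capability_list(ACM, "bob"))
    print("bob may write payroll.db:", is_allowed(ACM, "bob", "payroll.db", "write"))
```

Note that `is_allowed` reads a single cell and never enumerates the matrix; that is the property a reference monitor needs, and it holds whether the cells are stored by column (ACLs) or by row (capability lists), as the two `from_*` functions show by reconstructing the same matrix from either view.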

User Capability List

A capability is a key, token, or ticket that grants a process approval to access an object within the computer system, and a capability list is the set of capabilities a subject holds. The subject is evaluated against its capability list before gaining access to a specific object. In addition, a capability is wholly transferable regardless of its administrator. Such an arrangement eradicates the need for system authentication. Unlike capability lists, ACLs allow users to stop worrying about authentication. Users cannot ignore authentication with a capability list because it is core to the protection mechanism.

ACL vs Capability List

A real-life scenario helps to understand the difference between the two lists; here we use a bank analogy. John wishes to store all his valuable items in a safe box maintained by a bank. In some cases he would want one or two of his trustworthy relatives to access the box to make withdrawals and deposits. The bank can regulate access to John’s box in two ways: maintain a list of persons John has authorized to access the safe box, or issue John one or more access keys to the box.

i) ACL Approach

• Bank’s role: the financial institution must keep a list of account holders, verify users, and define privileges. The entity needs to maintain the list’s integrity and authenticate every access.
• Adding new users: the holder must visit the bank’s branch to add more users.
• Delegation: the approved third parties cannot delegate their access rights to other parties.
• Removing users: when the holder perceives an approved third party as untrustworthy or no longer needed, they can delete that name from the list.

ii) Capability Approach

• Bank’s role: the bank is not involved.
• Access rights: the holder defines access rights.
• Adding new users: the holder can assign a key to new users.
• Delegation: a third party can extend their privileges to others.
• Revocation: the holder can recall his key from the third party, but it may be challenging to establish whether they made a copy.
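The two approaches in the bank analogy can be simulated to make the delegation and revocation differences visible. The following example is added here and is not from the original article: John is the holder as in the text, while the relatives Ann and Zed are invented. In the ACL model the bank authenticates a visitor's identity against a list only John may edit; in the capability model the lock only checks that a presented key fits, so any key holder can hand out copies and recalling one physical key does not void its copies. The `rekey` step (changing the lock so every outstanding key dies) is an extension of the analogy added for the example, not a step the article describes.

```python
import itertools
from typing import Dict, Set

_serial = itertools.count(1)  # deterministic lock cuts for the example; not a real key generator


class AclSafeBox:
    """ACL approach: the bank keeps the list of persons authorised for the box and
    authenticates every visitor against it. Only the holder may edit the list
    (modelled as calling these methods with requester == holder)."""

    def __init__(self, holder: str):
        self.holder = holder
        self.authorised: Set[str] = {holder}

    def add_person(self, requester: str, person: str) -> None:
        # No delegation: a third party on the list cannot add further people.
        if requester != self.holder:
            raise PermissionError(f"{requester} is not the holder and cannot change the list")
        self.authorised.add(person)

    def remove_person(self, requester: str, person: str) -> None:
        # Revocation is clean: strike the name and the bank stops admitting that person.
        if requester != self.holder:
            raise PermissionError(f"{requester} is not the holder and cannot change the list")
        self.authorised.discard(person)

    def can_open(self, visitor: str) -> bool:
        # The bank authenticates the visitor's identity, then consults the list.
        return visitor in self.authorised


class CapabilitySafeBox:
    """Capability approach: the bank only checks that a presented key fits the lock.
    Whoever holds a fitting key can open the box and can cut copies for others."""

    def __init__(self, holder: str):
        self.holder = holder
        self.lock = next(_serial)                                # current cut of the lock
        self.keys: Dict[str, Set[int]] = {holder: {self.lock}}  # who holds which keys

    def give_key(self, giver: str, receiver: str) -> None:
        # Delegation needs no bank: any holder of a fitting key can pass on a copy.
        if not self.can_open(giver):
            raise PermissionError(f"{giver} holds no key that fits the lock")
        self.keys.setdefault(receiver, set()).add(self.lock)

    def can_open(self, visitor: str) -> bool:
        # No identity check: possession of a fitting key is the whole test.
        return self.lock in self.keys.get(visitor, set())

    def recall_key(self, from_party: str) -> None:
        # The holder takes the physical key back, but any copy that party handed
        # out still fits the lock, and the holder cannot tell whether copies exist.
        self.keys.pop(from_party, None)

    def rekey(self, requester: str) -> None:
        # Added step: change the lock, which voids every key and copy at once,
        # then issue the holder a fresh key. This is the only reliable revocation.
        if requester != self.holder:
            raise PermissionError("only the holder may rekey the box")
        self.lock = next(_serial)
        self.keys = {self.holder: {self.lock}}


def run_acl_scenario() -> dict:
    """John authorises Ann; Ann tries to add Zed; John later removes Ann."""
    box = AclSafeBox("john")
    box.add_person("john", "ann")
    try:
        box.add_person("ann", "zed")
        ann_could_delegate = True
    except PermissionError:
        ann_could_delegate = False
    ann_before = box.can_open("ann")
    box.remove_person("john", "ann")
    return {"ann_could_delegate": ann_could_delegate, "ann_before": ann_before,
            "ann_after": box.can_open("ann"), "zed": box.can_open("zed")}


def run_capability_scenario() -> dict:
    """John gives Ann a key; Ann copies it for Zed; John recalls Ann's key; then rekeys."""
    box = CapabilitySafeBox("john")
    box.give_key("john", "ann")
    box.give_key("ann", "zed")  # delegation without the bank being involved
    box.recall_key("ann")
    after_recall = {"ann": box.can_open("ann"), "zed": box.can_open("zed")}
    box.rekey("john")
    after_rekey = {"john": box.can_open("john"), "zed": box.can_open("zed")}
    return {"after_recall": after_recall, "after_rekey": after_rekey}


if __name__ == "__main__":
    print("ACL approach:", run_acl_scenario())
    print("Capability approach:", run_capability_scenario())
```

The capability scenario is the one to watch: after John recalls Ann's key, Zed's copy still opens the box, which is exactly the revocation difficulty the list above points out. In real capability systems the equivalent of `rekey` is what makes revocation tractable (for example, indirecting capabilities through a revocable object), at the cost of some of the bank-free simplicity.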

Access Control Matrix and Capability List

A capability list is not appropriate for systems where actions are centered on users, since it results in duplication and complicates the management of rights. Because the access matrix does not explicitly define the scale of the protection mechanism, it is often used to model the static access privileges in a given access control system. It does not represent the rules for changing rights within a system, and hence only partially describes the system’s security policy. Access-list and capability-based policies are subsets of a protection mechanism, while an access control matrix can model their static privileges.
In conclusion, the concepts of ACL, objects, subjects, access control matrix and capability list can be defined holistically, as indicated in the table diagram. One last item to keep in mind when creating an access control matrix and capability list is segregation of duties and least privilege, so that there are no access conflicts or access creep.
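The segregation-of-duties and least-privilege review mentioned in the conclusion can be run directly over the matrix. The following example is added here and is not part of the original article; the matrix, the conflicting-right pairs and the access log are all constructed for the example (names and right labels are invented). It reports access conflicts (one subject holding both halves of a conflicting pair on the same object), flags granted rights the log shows were never exercised (access creep candidates), and proposes a trimmed matrix containing only exercised rights.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample matrix (invented names): the rights each subject holds on each object.
ACM: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"invoices": {"submit", "approve"}, "ledger": {"read"}},
    "bob":   {"invoices": {"submit"},            "ledger": {"read", "write"}},
    "carol": {"invoices": {"approve"},           "ledger": {"read"}},
}

# Segregation-of-duties policy (constructed): pairs of rights on the same object
# that one subject must not hold at the same time.
SOD_PAIRS: List[Tuple[str, str]] = [("submit", "approve"), ("write", "audit")]

# Constructed access log: (subject, object, right) actually exercised in the review period.
ACCESS_LOG: List[Tuple[str, str, str]] = [
    ("alice", "invoices", "submit"),  ("alice", "ledger", "read"),
    ("bob", "invoices", "submit"),    ("bob", "ledger", "read"),
    ("carol", "invoices", "approve"), ("carol", "ledger", "read"),
]


def sod_violations(acm: Dict[str, Dict[str, Set[str]]],
                   pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Access conflicts: (subject, object, right_a, right_b) wherever one subject
    holds both halves of a conflicting pair on the same object."""
    found = []
    for subj, row in acm.items():
        for obj, rights in row.items():
            for a, b in pairs:
                if a in rights and b in rights:
                    found.append((subj, obj, a, b))
    return sorted(found)


def unexercised_rights(acm: Dict[str, Dict[str, Set[str]]],
                       log: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Access-creep candidates: rights present in the matrix that the log never
    shows being used. Under least privilege these are the first to review for removal."""
    used: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for subj, obj, right in log:
        used[(subj, obj)].add(right)
    stale = []
    for subj, row in acm.items():
        for obj, rights in row.items():
            for right in rights - used[(subj, obj)]:
                stale.append((subj, obj, right))
    return sorted(stale)


def least_privilege_matrix(acm: Dict[str, Dict[str, Set[str]]],
                           log: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Proposed matrix that keeps only the rights actually exercised; empty cells
    and empty rows are dropped so the result is the minimal matrix the log supports."""
    exercised = set(log)
    trimmed: Dict[str, Dict[str, Set[str]]] = {}
    for subj, row in acm.items():
        for obj, rights in row.items():
            kept = {r for r in rights if (subj, obj, r) in exercised}
            if kept:
                trimmed.setdefault(subj, {})[obj] = kept
    return trimmed


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ACM, SOD_PAIRS))
    print("unexercised rights:", unexercised_rights(ACM, ACCESS_LOG))
    proposed = least_privilege_matrix(ACM, ACCESS_LOG)
    print("proposed matrix:", proposed)
    print("violations after trimming:", sod_violations(proposed, SOD_PAIRS))
```

In this constructed data the only conflict is alice holding both `submit` and `approve` on `invoices`, and her `approve` right is also one she never used; trimming the matrix to exercised rights therefore removes the conflict as a side effect. That is not guaranteed in general, which is why the two checks are kept separate: a right can be exercised and still violate segregation of duties.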
