Glossary

| Attribute Type | Description |
| --- | --- |
| ACE | Access Control Entry. An entry in an ACL that contains: a SID that specifies a particular user or group; an access mask that specifies access rights; a set of bit flags that determine whether or not child objects can inherit the ACE; a flag that indicates the type of ACE. |
| ACL | Access Control List. List of access permissions that apply to an object. The list identifies users and groups that are allowed access and what operations are allowed to be performed. |
| B-tree | Tree data structure that keeps data sorted and allows searches, insertions, and deletions in logarithmic amortized time. It is most commonly used in databases and file systems. |
| B+ tree | Tree data structure with sorted data records, each of which is identified by a key. It is a dynamic, multilevel index, with maximum and minimum bounds on the number of keys in each index segment (usually called a 'block' or 'node'). In a B+ tree, in contrast to a B-tree, all records are stored at the lowest level of the tree; only keys are stored in interior blocks. |
| DACL | Discretionary Access Control List. Part of the Security Descriptor that controls access to an object and contains ACEs that specify what access is permitted. The object's owner passes permission (directly or indirectly) through this descriptor. |
| Hash | Potentially non-unique shorthand representation of a descriptor. |
| LUID | Locally Unique Identifier. 64-bit value guaranteed to be unique only on the system on which it was generated (while the system remains running). |
| POSIX | Portable Operating System Interface. Family of related standards to define the API (Application Programming Interface) for software compatible with variants of the Unix operating system. |
| SACL | System Access Control List. Part of the Security Descriptor that controls how access is audited. It contains ACEs that specify how access to the object (by permitted accounts) should be recorded in the audit log. |
| SAM | Security Accounts Manager. Secure database of user accounts stored in the Windows registry. |
| $SDH index | Index attribute in the $Secure file. Lets NTFS quickly determine whether a security descriptor that is being applied to a file or directory is already stored in the $Secure file and whether it can be shared. |
| $SDS Data Stream | Security Descriptor Stream. Named data stream that contains a list of all the Security Descriptors on a volume. |
| $Secure | Metadata file that operates as a central file system security database for NTFS permissions. |
| Security Descriptor | Part of the SDS Data Stream that contains security information about an object. |
| Security ID | File system object identifier ($STANDARD_INFORMATION field) used as key in $SII index and $SDS data stream in $Secure file. |
| SID | Security Identifier. Unique value of variable length that is used to identify a security principal or security group. |
| $SII index | Security ID Index. Index attribute in the $Secure file that contains a calculated Hash and a corresponding $SDS Offset. The $SII index lets NTFS quickly look up a security descriptor in the $Secure file while performing security |