2.4.4 ACE

msdn link

An access control entry (ACE) is used to encode the user rights afforded to a principal, either a user or group. This is generally done by combining an ACCESS_MASK and the SID of the principal. There are some variations to accommodate other groupings, which are specified in the following sections.