- determines which events (for example successful or failed attempts to access an object) should generate an audit record in the security event log for auditing purposes
- each SACL contains Access Control Entries (ACE) that specify the security principals, the objects properties and weather success, failure or both should be logged and audited