Kernel objects for implementing a transaction have a security descriptor applied thereto. The kernel objects include, at least, a transaction object, a resource management object, and an enlistment object. The security descriptor, otherwise known as an access control list, identifies at least one user, an operation to be performed on the kernel object to which the security descriptor is applied, and a right indicating that the identified user is permitted or prohibited to perform the operation.