Access Rights for Access-Token Objects

An application cannot change the access control list of an object unless it holds the rights to do so. For an access token, those rights are controlled by the security descriptor of the token object itself. For more information about security, see Access Control Model.

To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions.

When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.

The following are valid access rights for access-token objects:

  • The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.
  • The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
  • The specific access rights for access tokens, which are listed in the following table.
    Value                    Meaning
    TOKEN_ADJUST_DEFAULT     Required to change the default owner, primary group, or DACL of an access token.
    TOKEN_ADJUST_GROUPS      Required to adjust the attributes of the groups in an access token.
    TOKEN_ADJUST_PRIVILEGES  Required to enable or disable the privileges in an access token.
    TOKEN_ADJUST_SESSIONID   Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.
    TOKEN_ASSIGN_PRIMARY     Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.
    TOKEN_DUPLICATE          Required to duplicate an access token.
    TOKEN_EXECUTE            Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE.
    TOKEN_IMPERSONATE        Required to attach an impersonation access token to a process.
    TOKEN_QUERY              Required to query an access token.
    TOKEN_QUERY_SOURCE       Required to query the source of an access token.
    TOKEN_READ               Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.
    TOKEN_WRITE              Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.
    TOKEN_ALL_ACCESS         Combines all possible access rights for a token.
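As an added example (not code from this page), the following C program decodes a token access mask into the rights listed above and reports which requested bits exceed what a task actually needs, a check worth applying to OpenProcessToken calls in code review and to the hex access masks recorded in handle-audit events. The bit values are the ones winnt.h assigns; the composite rights follow the table on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access rights for access-token objects; bit values as in winnt.h. SYNCHRONIZE
 * (0x00100000) is deliberately absent: tokens do not support it. */
enum {
    TOKEN_ASSIGN_PRIMARY = 0x0001, TOKEN_DUPLICATE = 0x0002, TOKEN_IMPERSONATE = 0x0004,
    TOKEN_QUERY = 0x0008, TOKEN_QUERY_SOURCE = 0x0010, TOKEN_ADJUST_PRIVILEGES = 0x0020,
    TOKEN_ADJUST_GROUPS = 0x0040, TOKEN_ADJUST_DEFAULT = 0x0080, TOKEN_ADJUST_SESSIONID = 0x0100,
    DELETE_RIGHT = 0x00010000, READ_CONTROL = 0x00020000, WRITE_DAC = 0x00040000,
    WRITE_OWNER = 0x00080000, ACCESS_SYSTEM_SECURITY = 0x01000000,
    STANDARD_RIGHTS_REQUIRED = DELETE_RIGHT | READ_CONTROL | WRITE_DAC | WRITE_OWNER,
    /* Composites as the table above defines them (STANDARD_RIGHTS_READ/WRITE/EXECUTE are
     * all READ_CONTROL). winnt.h itself defines TOKEN_EXECUTE without TOKEN_IMPERSONATE. */
    TOKEN_READ = READ_CONTROL | TOKEN_QUERY,
    TOKEN_WRITE = READ_CONTROL | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT,
    TOKEN_EXECUTE = READ_CONTROL | TOKEN_IMPERSONATE,
    TOKEN_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | 0x01FF,
};

static const struct { uint32_t bit; const char *name; } kRights[] = {
    {TOKEN_ASSIGN_PRIMARY, "TOKEN_ASSIGN_PRIMARY"}, {TOKEN_DUPLICATE, "TOKEN_DUPLICATE"},
    {TOKEN_IMPERSONATE, "TOKEN_IMPERSONATE"}, {TOKEN_QUERY, "TOKEN_QUERY"},
    {TOKEN_QUERY_SOURCE, "TOKEN_QUERY_SOURCE"}, {TOKEN_ADJUST_PRIVILEGES, "TOKEN_ADJUST_PRIVILEGES"},
    {TOKEN_ADJUST_GROUPS, "TOKEN_ADJUST_GROUPS"}, {TOKEN_ADJUST_DEFAULT, "TOKEN_ADJUST_DEFAULT"},
    {TOKEN_ADJUST_SESSIONID, "TOKEN_ADJUST_SESSIONID"}, {DELETE_RIGHT, "DELETE"},
    {READ_CONTROL, "READ_CONTROL"}, {WRITE_DAC, "WRITE_DAC"}, {WRITE_OWNER, "WRITE_OWNER"},
    {ACCESS_SYSTEM_SECURITY, "ACCESS_SYSTEM_SECURITY"},
};

/* Decode a token access mask (e.g. the hex Access Mask of a handle-audit event) into
 * "|"-joined names. Returns how many known bits were set; leftover bits are appended
 * in hex so an unexpected request is never silently dropped. */
size_t decode_token_mask(uint32_t mask, char *out, size_t cap) {
    size_t n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (!(mask & kRights[i].bit)) continue;
        snprintf(out + strlen(out), cap - strlen(out), "%s%s", n++ ? "|" : "", kRights[i].name);
        mask &= ~kRights[i].bit;
    }
    if (mask) snprintf(out + strlen(out), cap - strlen(out), "%s0x%X", n ? "|" : "", (unsigned)mask);
    return n;
}

/* Least-privilege review: the bits a caller requested beyond what its task needs. */
uint32_t excess_rights(uint32_t requested, uint32_t needed) { return requested & ~needed; }
```

Decoding excess_rights(TOKEN_ALL_ACCESS, TOKEN_QUERY) lists every right a query-only caller asked for but does not need; a non-zero result on a call that only reads the token is the thing to flag.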


Build date: 9/11/2009

Community Content

Terms & Defs (annotation by ddaS-edEn)

Access Token - An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user's groups, and the user's privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer. There are two kinds of access token, primary and impersonation.