Access Rights for Access-Token Objects

An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the object. For more information about security, see Access Control Model.

To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions.

When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.

The following are valid access rights for access-token objects:

  • The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.
  • The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
  • The specific access rights for access tokens, which are listed in the following table.
    ValueMeaning
    TOKEN_ADJUST_DEFAULTRequired to change the default owner, primary group, or DACL of an access token.
    TOKEN_ADJUST_GROUPSRequired to adjust the attributes of the groups in an access token.
    TOKEN_ADJUST_PRIVILEGESRequired to enable or disable the privileges in an access token.
    TOKEN_ADJUST_SESSIONIDRequired to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.
    TOKEN_ASSIGN_PRIMARYRequired to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.
    TOKEN_DUPLICATERequired to duplicate an access token.
    TOKEN_EXECUTECombines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE.
    TOKEN_IMPERSONATERequired to attach an impersonation access token to a process.
    TOKEN_QUERYRequired to query an access token.
    TOKEN_QUERY_SOURCERequired to query the source of an access token.
    TOKEN_READCombines STANDARD_RIGHTS_READ and TOKEN_QUERY.
    TOKEN_WRITECombines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.
    TOKEN_ALL_ACCESSCombines all possible access rights for a token.

     

 

 

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.