4.1 Resource Managers

Windows meets these requirements for discretionary access control by providing a single access evaluation routine that any number of resource managers can invoke. Many resource managers—including the file system, registry, Active Directory, and operating system constructs such as processes—exist in a Windows-based system. Even though these resource managers control very different objects, they share a common method for controlling access.

In the Windows authorization model, a resource manager is the code or component that implements one or more object types. The NTFS file system is a resource manager that implements files and directories; the Windows registry is a resource manager that implements keys. To participate in the authorization scheme, the resource manager is required to maintain a security descriptor with each object that is protected. The resource manager merely needs to maintain the storage for the security descriptor and is not required to understand the contents.
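The split described above, as an added illustration that is not part of the original overview: two toy resource managers store an opaque security descriptor per object and hand every decision to one shared DACL walk. The routine is a simplified model of the kernel's AccessCheck (owner implicit rights, MAXIMUM_ALLOWED and inheritance flags are left out), and the SIDs, object names and access-mask bits are constructed for the example.

```python
# Constructed model (not Windows source) of the single evaluation routine the
# text describes: resource managers keep a security descriptor per object and
# defer every decision to one DACL walk. Omits owner rights, MAXIMUM_ALLOWED.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

READ, WRITE, DELETE = 0x1, 0x2, 0x4  # toy access-mask bits

@dataclass
class Ace:
    allow: bool  # True: ACCESS_ALLOWED_ACE, False: ACCESS_DENIED_ACE
    sid: str     # trustee the ACE applies to
    mask: int    # rights granted or denied

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]  # None models a NULL DACL; [] an empty DACL

def access_check(sd: SecurityDescriptor, token_sids: Set[str], desired: int) -> bool:
    """Walk the DACL in order: a matching deny ACE overlapping any still-wanted
    right fails; allow ACEs accumulate; succeed once all desired bits are granted."""
    if sd.dacl is None:
        return True                      # NULL DACL: no protection at all
    remaining = desired
    for ace in sd.dacl:                  # empty DACL: loop never grants anything
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

class ResourceManager:
    """Keeps the descriptor storage only; never interprets its contents."""
    def __init__(self) -> None:
        self._sds: Dict[str, SecurityDescriptor] = {}
    def create(self, name: str, sd: SecurityDescriptor) -> None:
        self._sds[name] = sd
    def open(self, name: str, token_sids: Set[str], desired: int) -> bool:
        return access_check(self._sds[name], token_sids, desired)

# Two resource managers (file system, registry), one evaluation routine.
files, registry = ResourceManager(), ResourceManager()
files.create(r"C:\report.txt", SecurityDescriptor("S-1-5-21-1-1-1-1001", [
    Ace(False, "S-1-5-21-1-1-1-1002", WRITE),  # deny ACE first (canonical order)
    Ace(True, "S-1-1-0", READ | WRITE)]))      # S-1-1-0 = Everyone
registry.create(r"HKLM\SOFTWARE\Example", SecurityDescriptor("S-1-5-21-1-1-1-1001", []))
```

The registry key with an empty DACL refuses everyone, including its owner in this model, while a NULL DACL would grant any request; both outcomes come from the shared routine, not from either resource manager.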

The Windows Security Overview also distinguishes between ordinary objects in the resource manager and containers exposed by the resource manager. In the file system example, files are objects, and directories are containers. This distinction is important during the creation of new objects.