1.1.1.9 Inheritance

The DAC model supports a concept of inheritance by which new objects can inherit one or more ACEs from their parent container. In practice, this allows an administrator to establish default security on, for example, a directory, so that every new file created in that directory receives a preset ACL. The owner of the file can still override that ACL and establish its own, as DAC permits; but if the owner does nothing, the default the administrator established is what applies.

One attribute that can be applied to ACEs is the Object-Inherit flag. This flag indicates that when a new object is created, this ACE is carried forward to the security descriptor of the new object. A Container-Inherit flag indicates that new containers created under this container will receive this ACE. For the file system, this allows different default ACLs for directories as opposed to files. An Inherit-Only flag indicates that when a child object is created, this ACE is carried forward to the security of the child object if either an Object-Inherit or a Container-Inherit flag is present on the parent container object. This Inherit-Only ACE does not control access to the object to which it is attached. For more details, see [MS-DTYP] section 2.4.4.1.
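The flag rules described above, as an added example that is not part of the original document: a small Python model of what a newly created child receives from its parent's ACL, depending on whether the child is a container. The ACE flag values are the ones defined in [MS-DTYP] section 2.4.4.1; the `INHERITED_ACE` marking on copies goes slightly beyond the text but is also from that section. The `Ace` class, the trustee names, the access-mask bits and the sample ACL are constructed for the example, and `effective_allowed_mask` is a deliberately simplified allow-only check, not the real access-check algorithm.

```python
"""Model of ACE inheritance for objects created under a container.

Flag values are the ACE header flags from [MS-DTYP] 2.4.4.1.
Everything else (Ace class, trustee names, access masks, sample ACL)
is constructed for this example.
"""
from dataclasses import dataclass, replace
from typing import List

OBJECT_INHERIT_ACE = 0x01     # propagate to non-container children (files)
CONTAINER_INHERIT_ACE = 0x02  # propagate to container children (directories)
INHERIT_ONLY_ACE = 0x08       # exists only to be inherited; not effective here
INHERITED_ACE = 0x10          # marks a copy that arrived by inheritance

# Constructed access-mask bits and trustee names (not real SIDs or rights).
READ, WRITE, LIST_DIR = 0x1, 0x2, 0x4
FULL = READ | WRITE | LIST_DIR


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "allow" or "deny"
    sid: str        # trustee (placeholder name)
    mask: int       # access bits granted or denied
    flags: int = 0  # ACE header flags from the constants above


def inherit_acl(parent_acl: List[Ace], child_is_container: bool) -> List[Ace]:
    """Return the ACL a newly created child receives from its parent container.

    - A file takes ACEs flagged Object-Inherit; the copy carries no inheritance
      flags because a file has no children.
    - A directory takes ACEs flagged Container-Inherit, keeps OI/CI so they keep
      propagating, and drops Inherit-Only because the ACE now applies to it.
    - A directory also takes Object-Inherit-only ACEs, but as Inherit-Only copies:
      they pass through to files below without controlling the directory itself.
    Every copy is marked INHERITED_ACE.
    """
    child_acl: List[Ace] = []
    for ace in parent_acl:
        oi = bool(ace.flags & OBJECT_INHERIT_ACE)
        ci = bool(ace.flags & CONTAINER_INHERIT_ACE)
        if not child_is_container:
            if oi:
                child_acl.append(replace(ace, flags=INHERITED_ACE))
        elif ci:
            keep = ace.flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
            child_acl.append(replace(ace, flags=keep | INHERITED_ACE))
        elif oi:
            child_acl.append(replace(
                ace, flags=OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE | INHERITED_ACE))
    return child_acl


def effective_allowed_mask(acl: List[Ace], sid: str) -> int:
    """Bits granted to sid by ACEs that actually apply to this object.

    Inherit-Only ACEs are skipped: they control children, not this object.
    Simplification (assumption for the demo): allows are OR-ed and denies
    subtracted, ignoring the order-dependent real algorithm.
    """
    allowed = denied = 0
    for ace in acl:
        if ace.sid != sid or ace.flags & INHERIT_ONLY_ACE:
            continue
        if ace.ace_type == "allow":
            allowed |= ace.mask
        else:
            denied |= ace.mask
    return allowed & ~denied


# Constructed default ACL an administrator might place on a directory.
SAMPLE_PARENT_ACL = [
    Ace("allow", "Administrators", FULL, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE),
    Ace("allow", "Users", READ, OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE),  # files only
    Ace("allow", "Users", LIST_DIR, CONTAINER_INHERIT_ACE),               # subdirs only
    Ace("allow", "Owner", WRITE),                                         # this dir only
]

if __name__ == "__main__":
    for kind, is_dir in (("file", False), ("directory", True)):
        print(f"new {kind}:")
        for ace in inherit_acl(SAMPLE_PARENT_ACL, is_dir):
            print(f"  {ace.ace_type} {ace.sid} mask=0x{ace.mask:x} flags=0x{ace.flags:x}")
```

Running the block shows that the Users/READ ACE, which is Inherit-Only on the parent and therefore grants nothing there, becomes an effective ACE on a new file but stays Inherit-Only on a new subdirectory, where it waits to be passed on to that subdirectory's files.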