1.1.1.5 Access Rights

The access mask or rights communicate to the authorization system what the process (which is acting on a user's identity) is requesting to do with a resource, for example, read a file or write to a file. For more details, see [MS-DTYP] section 2.4.3.

Different resource managers and resource types have different access rights. Files have read and write access, but processes have entirely different rights, such as the right to terminate the process. However, all resource managers use the same format for encoding access rights in access control entries (ACEs). This works because each resource manager is allowed to define the meaning of its own specific access rights.

Windows accomplishes this by partitioning the access rights space. Access rights can be encoded into a single 32-bit value in the ACE. The most significant 16 bits are considered standard access rights and are common across all resource managers; they include delete access, generic-read access, and similar rights. These rights are either expected of all resource managers (such as delete) or are used in a way that enables programs to work with multiple resource managers in a similar manner.

The least significant 16 bits are termed object-specific and are meaningful only to the resource manager that defines them. Thus, the file system might define that bit 1 indicates the capability to read the file and bit 2 the capability to write it, whereas the registry might define bit 1 to mean enumerate subkeys and bit 2 to mean read a key's value.
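To make the partitioning concrete, the following added example (not code from the specification) splits a 32-bit access mask into its object-specific, standard and generic partitions and expands GENERIC_* bits into a resource manager's concrete rights. The standard and generic bit values are those of [MS-DTYP] section 2.4.3 and FILE_READ_DATA is from [MS-SMB2] section 2.2.13.1; the FILE_MAPPING values are assumed to be the standard Windows FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Partitions of the 32-bit ACCESS_MASK ([MS-DTYP] section 2.4.3). */
#define SPECIFIC_RIGHTS_MASK 0x0000FFFFu  /* bits 0-15: meaning set by the resource manager */
#define STANDARD_RIGHTS_MASK 0x00FF0000u  /* bits 16-23: common to all resource managers */
#define GENERIC_RIGHTS_MASK  0xF0000000u  /* bits 28-31: GENERIC_* rights */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define DELETE          0x00010000u       /* a standard right expected of every manager */
/* Object-specific file right from [MS-SMB2] section 2.2.13.1 (bit 1 = read data). */
#define FILE_READ_DATA  0x00000001u

/* A resource manager's generic mapping: the concrete rights each GENERIC_* bit stands for.
   Assumed values: the standard Windows FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS. */
typedef struct { uint32_t read, write, execute, all; } generic_mapping_t;
static const generic_mapping_t FILE_MAPPING = { 0x00120089u, 0x00120116u, 0x001200A0u, 0x001F01FFu };

typedef struct { uint32_t specific, standard, generic; } mask_parts_t;

/* Split a mask into the three partitions described in the text. */
mask_parts_t split_access_mask(uint32_t mask) {
    mask_parts_t p;
    p.specific = mask & SPECIFIC_RIGHTS_MASK;
    p.standard = mask & STANDARD_RIGHTS_MASK;
    p.generic  = mask & GENERIC_RIGHTS_MASK;
    return p;
}

/* Expand GENERIC_* bits into the manager's concrete rights; this is the form in which
   a requested mask can be compared bit-for-bit against the masks stored in ACEs. */
uint32_t map_generic_rights(uint32_t mask, const generic_mapping_t *m) {
    uint32_t out = mask & ~GENERIC_RIGHTS_MASK;
    if (mask & GENERIC_READ)    out |= m->read;
    if (mask & GENERIC_WRITE)   out |= m->write;
    if (mask & GENERIC_EXECUTE) out |= m->execute;
    if (mask & GENERIC_ALL)     out |= m->all;
    return out;
}

int main(void) {   /* constructed request: generic read plus the standard DELETE right on a file */
    uint32_t req = GENERIC_READ | DELETE;
    uint32_t concrete = map_generic_rights(req, &FILE_MAPPING);
    printf("0x%08X -> 0x%08X, FILE_READ_DATA %s\n", (unsigned)req, (unsigned)concrete,
           (concrete & FILE_READ_DATA) ? "set" : "clear");
    return 0;
}
```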

Additionally, DAC supports defining access rights using GUIDs, so that an arbitrary number of access rights can be defined. Active Directory uses this model as described in [MS-ADTS] section 5.1.3.2.1 and section 5.1.3.2.2.

The following table lists the mapping of resource managers to the corresponding access rights data structure.

Resource manager type     | Access rights reference
--------------------------|--------------------------------------------------------
Active Directory objects  | [MS-ADTS] section 5.1.3.2
NTFS objects              | [MS-SMB2] section 2.2.13.1; [MS-SMB] section 2.2.1.4
Registry objects          | [MS-RRP] section 2.2.3
Printer objects           | [MS-RPRN] section 2.3.1; [MS-PAN] section 3.1.1.4.1