The key objective of the Windows NT security model is to monitor and control who accesses which objects. The security model keeps security information for each user, group, and object. It can identify access attempts that are made directly by a user, and it can identify access attempts that are made indirectly by a program or other process running on a user's behalf. Windows NT also tracks and controls access to both objects that users can see in the user interface (such as files and printers) and objects that users can't see (such as processes and named pipes).
As mentioned before, the security model controls not only which users can access which objects; it also controls how they may be accessed. An administrator can assign permissions to users and groups to grant or deny access to particular objects.
For example, these permissions may be assigned to a user for a particular file:
The ability to assign permissions at the discretion of the owner (or other person authorized to change permissions) is called discretionary access control. Administrators can assign permissions to individual users or groups. (For maintenance purposes, it's best to assign permissions to groups.) For example, an administrator can control access to the REPORTS directory by giving GROUP1 read permission and GROUP2 read, write, and execute permissions. (To do this, in File Manager, choose Permissions from the Security menu.)