The key objective of the Windows NT security model is to regulate access to objects. The security model maintains security information for each user, group, and object. It can identify access attempts that are made directly by a user, and it can identify access attempts that are made indirectly by a program or other process running on a user's behalf. Windows NT also tracks and controls access to objects that users can see in the user interface (such as files and printers) and objects that users can't see (such as processes and named pipes).
An administrator assigns permissions to users and groups to grant or deny access to particular objects. The ability to assign permissions at the discretion of the owner (or other person authorized to change permissions) is called discretionary access control. For more information, see Chapter 4, "Managing Shared Resources and Resource Security," in Microsoft Windows NT Server Concepts and Planning. For procedural information, see Help.