Each ACE includes an access mask, which defines all possible actions for a particular object type. Permissions are granted or denied based on this access mask.
One way to think of an access mask is as a sort of menu from which granted and denied permissions are selected:
Figure 6.6 Access Control Mask
Specific types include access options that apply specifically to this object type. Each object type can have up to 16 specific access types. Collectively, the specific access types for a particular object type are called the specific access mask. (These are defined when the object type is defined.) For example, Windows NT files have the following specific access types:
ReadData                      | WriteEA (Extended Attribute)
WriteData                     | Execute
AppendData                    | ReadAttributes
ReadEA (Extended Attribute)   | WriteAttributes
Standard types apply to all objects and consist of these access permissions:
Generic types are broad types of access whose exact implementation is determined by the application defining an object. These rights are used when protecting an object. For example, an application that defines a voice-annotation object might define specific access rights by using VOICE_PLAY and VOICE_EDIT for playing and editing the object. It might set up a generic mapping structure in which GENERIC_EXECUTE maps to VOICE_PLAY and GENERIC_WRITE maps to both VOICE_PLAY and VOICE_EDIT.
The following table shows the generic types that are mapped from specific and standard types:
Generic type          | Mapped from these specific and standard types
----------------------|----------------------------------------------
FILE_GENERIC_READ     | STANDARD_RIGHTS_READ
FILE_GENERIC_WRITE    | STANDARD_RIGHTS_WRITE
FILE_GENERIC_EXECUTE  | STANDARD_RIGHTS_EXECUTE
Specific and standard types appear in the details of the security log. Generic types do not appear in the security log. Instead, the corresponding specific and standard types are listed.
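The following is an added illustration, not code from the original text: it maps a requested mask through the file object's generic mapping (so that GENERIC_READ becomes the specific and standard bits the log would show), then evaluates that mask against a DACL one ACE at a time. The bit values are the documented Win32 file, standard and generic rights; the SIDs, DACL and requests are constructed sample data.

```python
# Added example (not from the original text): map a requested mask through the file generic mapping, then
# check it ACE by ACE against a DACL. Bit values are the documented Win32 rights; SIDs and DACL are constructed.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
STANDARD_RIGHTS_READ = STANDARD_RIGHTS_WRITE = STANDARD_RIGHTS_EXECUTE = READ_CONTROL
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
# Generic mapping for files: each generic right expands to these specific and standard rights.
FILE_GENERIC_READ = STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_WRITE = (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = 0x1F01FF
FILE_GENERIC_MAPPING = {GENERIC_READ: FILE_GENERIC_READ, GENERIC_WRITE: FILE_GENERIC_WRITE,
                        GENERIC_EXECUTE: FILE_GENERIC_EXECUTE, GENERIC_ALL: FILE_ALL_ACCESS}
RIGHT_NAMES = {FILE_READ_DATA: "ReadData", FILE_WRITE_DATA: "WriteData", FILE_APPEND_DATA: "AppendData",
               FILE_READ_EA: "ReadEA", FILE_WRITE_EA: "WriteEA", FILE_EXECUTE: "Execute", FILE_READ_ATTRIBUTES:
               "ReadAttributes", FILE_WRITE_ATTRIBUTES: "WriteAttributes", READ_CONTROL: "READ_CONTROL", SYNCHRONIZE: "SYNCHRONIZE"}

def map_generic_mask(mask, mapping):
    """Replace each generic bit in mask with the object type's specific and standard bits."""
    for generic_bit, specific_bits in mapping.items():
        if mask & generic_bit:
            mask = (mask & ~generic_bit) | specific_bits
    return mask

def mask_names(mask):
    """Names of the specific and standard bits set: the form in which the security log lists them."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]

def access_check(desired, acl, token_sids, mapping):
    """Walk the DACL in order. A deny ACE that covers any still-ungranted desired bit denies;
    allow ACEs accumulate grants. Access is granted only if every desired bit was allowed."""
    desired = map_generic_mask(desired, mapping)
    granted = 0
    for ace_type, sid, ace_mask in acl:  # ACE = (type, trustee SID, access mask)
        if sid not in token_sids:        # ACE does not apply to this token
            continue
        if ace_type == "deny" and ace_mask & desired & ~granted:
            return False, granted
        if ace_type == "allow":
            granted |= ace_mask & desired
    return granted == desired, granted

# Constructed sample DACL: explicit deny of WriteData to the user, read and write allowed to the group.
TOKEN_SIDS = {"S-1-5-21-EXAMPLE-1001", "S-1-5-32-545"}   # placeholder user SID, BUILTIN\Users
SAMPLE_DACL = [("deny", "S-1-5-21-EXAMPLE-1001", FILE_WRITE_DATA),
               ("allow", "S-1-5-32-545", FILE_GENERIC_READ | FILE_GENERIC_WRITE)]
```

With this DACL a GENERIC_READ request succeeds, a GENERIC_WRITE request is denied by the first ACE, and an AppendData-only request succeeds, because AppendData is a separate specific right from WriteData.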