Access Masks

Each ACE includes an access mask, which defines all possible actions for a particular object type. Permissions are granted or denied based on this access mask.

One way to think of an access mask is as a sort of menu from which granted and denied permissions are selected:

Figure 2.6 Access Control Mask

Specific types include access options that apply specifically to this object type. Each object type can have up to 16 specific access types. Collectively, the specific access types for a particular object type are called the specific access mask. (These are defined when the object type is defined.) For example, Windows NT files have the following specific access types:

ReadData
WriteData
AppendData
ReadEA (Extended Attribute)
WriteEA (Extended Attribute)
Execute
ReadAttributes
WriteAttributes

Standard types apply to all objects and consist of these access permissions:

SYNCHRONIZE, which is used to synchronize access and to allow a process to wait for an object to enter the signaled state
WRITE_OWNER, which is used to assign write owner
WRITE_DAC, which is used to grant or deny write access to the discretionary ACL
READ_CONTROL, which is used to grant or deny read access to the security descriptor and owner
DELETE, which is used to grant or deny delete access

The following table shows the generic types that are mapped from specific and standard types.

Generic type	Mapped from these specific and standard types
FILE_GENERIC_READ	STANDARD_RIGHTS_READ FILE_READ_DATA FILE_READ_ATTRIBUTES FILE_READ_EA SYNCHRONIZE
FILE_GENERIC_WRITE	STANDARD_RIGHTS_WRITE FILE_WRITE_DATA FILE_WRITE_ATTRIBUTES FILE_WRITE_EA FILE_APPEND_DATA SYNCHRONIZE
FILE_GENERIC_EXECUTE	STANDARD_RIGHTS_EXECUTE FILE_READ_ATTRIBUTES FILE_EXECUTE SYNCHRONIZE

Specific and standard types appear in the details of the security log.

Note Generic types do not appear in the security log. Instead, the corresponding specific and standard types are listed.