Each ACE includes an access mask, which defines all possible actions for a particular object type. Permissions are granted or denied based on this access mask.
One way to think of an access mask is as a sort of menu from which granted and denied permissions are selected:
Figure 2.6 Access Control Mask
Specific types are access options that apply only to a particular object type. Each object type can have up to 16 specific access types. Collectively, the specific access types for a particular object type are called the specific access mask. (These are defined when the object type is defined.) For example, Windows NT files have the following specific access types:
ReadData
WriteData
AppendData
ReadEA (Extended Attribute)
WriteEA (Extended Attribute)
Execute
ReadAttributes
WriteAttributes
Standard types apply to all objects and consist of these access permissions:
The following table shows the generic types that are mapped from specific and standard types.
Generic type | Mapped from these specific and standard types |
FILE_GENERIC_READ | STANDARD_RIGHTS_READ |
FILE_GENERIC_WRITE | STANDARD_RIGHTS_WRITE |
FILE_GENERIC_EXECUTE | STANDARD_RIGHTS_EXECUTE |
Specific and standard types appear in the details of the security log.
Note: Generic types do not appear in the security log. Instead, the corresponding specific and standard types are listed.
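The following added example (not part of the original text) expands a file access mask into the specific and standard types that the security log lists, and reports which generic types a logged mask fully covers. The bit values and the standard type names are taken from the Windows SDK header winnt.h rather than from this page; the function names are hypothetical.

```python
# Added example. Bit values are from the Windows SDK header winnt.h.
SPECIFIC = {  # file-specific access types (low 16 bits of the mask)
    0x0001: "ReadData", 0x0002: "WriteData", 0x0004: "AppendData",
    0x0008: "ReadEA", 0x0010: "WriteEA", 0x0020: "Execute",
    0x0080: "ReadAttributes", 0x0100: "WriteAttributes",
}
STANDARD = {  # standard access types (bits 16-20), valid for all objects
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
READ_CONTROL, SYNCHRONIZE = 0x00020000, 0x00100000
# STANDARD_RIGHTS_READ, _WRITE and _EXECUTE are each defined as READ_CONTROL.
GENERIC_TYPES = {
    "FILE_GENERIC_READ": READ_CONTROL | 0x0001 | 0x0080 | 0x0008 | SYNCHRONIZE,
    "FILE_GENERIC_WRITE": READ_CONTROL | 0x0002 | 0x0100 | 0x0010 | 0x0004 | SYNCHRONIZE,
    "FILE_GENERIC_EXECUTE": READ_CONTROL | 0x0080 | 0x0020 | SYNCHRONIZE,
}
GENERIC_BITS = {  # GENERIC_READ / GENERIC_WRITE / GENERIC_EXECUTE request bits
    0x80000000: "FILE_GENERIC_READ",
    0x40000000: "FILE_GENERIC_WRITE",
    0x20000000: "FILE_GENERIC_EXECUTE",
}

def expand_generic(mask):
    """Replace generic request bits with their file-specific mapping."""
    for bit, name in GENERIC_BITS.items():
        if mask & bit:
            mask = (mask & ~bit) | GENERIC_TYPES[name]
    return mask

def decode_file_mask(mask):
    """Names of the specific and standard types set in a file access mask."""
    mask = expand_generic(mask)
    names = [n for bit, n in SPECIFIC.items() if mask & bit]
    names += [n for bit, n in STANDARD.items() if mask & bit]
    unnamed = mask & ~(sum(SPECIFIC) | sum(STANDARD))
    if unnamed:  # bits this example does not name are reported, not dropped
        names.append("Unknown(0x%X)" % unnamed)
    return names

def covered_generic_types(mask):
    """Generic types whose every mapped bit is present in the mask."""
    mask = expand_generic(mask)
    return [n for n, bits in GENERIC_TYPES.items() if mask & bits == bits]

if __name__ == "__main__":
    sample = 0x1200A9  # constructed mask, not taken from a real log
    print(decode_file_mask(sample))
    print(covered_generic_types(sample))
```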