Access Masks

Each ACE includes an access mask, which defines all possible actions for a particular object type. Permissions are granted or denied based on this access mask.

One way to think of an access mask is as a sort of menu from which granted and denied permissions are selected:

Figure 2.6 Access Control Mask

Specific types are the access rights that apply only to a particular object type. Each object type can have up to 16 specific access types (one per bit in the low 16 bits of the mask). Collectively, the specific access types for a particular object type are called the specific access mask. (These are defined when the object type is defined.) For example, Windows NT files have the following specific access types:

ReadData
WriteData
AppendData
ReadEA (Extended Attribute)
WriteEA (Extended Attribute)
Execute
ReadAttributes
WriteAttributes

Standard types apply to all objects and consist of these access permissions:

The following table shows the generic types and the specific and standard types they are mapped from.

Generic type           Mapped from these specific and standard types
---------------------  ---------------------------------------------
FILE_GENERIC_READ      STANDARD_RIGHTS_READ
                       FILE_READ_DATA
                       FILE_READ_ATTRIBUTES
                       FILE_READ_EA
                       SYNCHRONIZE

FILE_GENERIC_WRITE     STANDARD_RIGHTS_WRITE
                       FILE_WRITE_DATA
                       FILE_WRITE_ATTRIBUTES
                       FILE_WRITE_EA
                       FILE_APPEND_DATA
                       SYNCHRONIZE

FILE_GENERIC_EXECUTE   STANDARD_RIGHTS_EXECUTE
                       FILE_READ_ATTRIBUTES
                       FILE_EXECUTE
                       SYNCHRONIZE

Specific and standard types appear in the details of the security log.

Note: Generic types do not appear in the security log. Instead, the corresponding specific and standard types are listed.
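The following C program is an added worked example, not code from the original text or from Windows itself. It models the access-mask layout this section describes (specific rights in the low 16 bits, standard rights in bits 16-20, generic rights in bits 28-31) using the bit values from winnt.h, builds the file object's generic mapping from the table above, and shows three things a practitioner deals with: how a generic right is expanded into the specific and standard rights it stands for (the same behaviour the system's RtlMapGenericMask routine documents; the function here is this example's own portable reimplementation), how a requested mask is checked against a granted one, and how a mask decodes into the specific and standard names that appear in the security log, which is why a log entry never shows a generic type. The helper names map_generic_mask, access_covered and describe_mask are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-mask layout (winnt.h): bits 0-15 specific, bits 16-20 standard,
   bits 28-31 generic. Values below are the real winnt.h constants. */
typedef uint32_t ACCESS_MASK;

/* File-specific rights (the 16-bit specific access mask for files). */
#define FILE_READ_DATA         0x0001u
#define FILE_WRITE_DATA        0x0002u
#define FILE_APPEND_DATA       0x0004u
#define FILE_READ_EA           0x0008u
#define FILE_WRITE_EA          0x0010u
#define FILE_EXECUTE           0x0020u
#define FILE_DELETE_CHILD      0x0040u
#define FILE_READ_ATTRIBUTES   0x0080u
#define FILE_WRITE_ATTRIBUTES  0x0100u

/* Standard rights, shared by every object type. */
#define DELETE        0x00010000u
#define READ_CONTROL  0x00020000u
#define WRITE_DAC     0x00040000u
#define WRITE_OWNER   0x00080000u
#define SYNCHRONIZE   0x00100000u
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define STANDARD_RIGHTS_READ     READ_CONTROL
#define STANDARD_RIGHTS_WRITE    READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE  READ_CONTROL

/* Generic rights. */
#define GENERIC_ALL     0x10000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_READ    0x80000000u

/* The file object's generic mapping, exactly as the table on the page lists it. */
#define FILE_GENERIC_READ    (STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
#define FILE_GENERIC_WRITE   (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE)
#define FILE_ALL_ACCESS      (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FFu)

typedef struct { ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll; } GENERIC_MAPPING;

static const GENERIC_MAPPING file_mapping = {
    FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS };

/* Replace each generic bit with the object-specific rights it stands for, as the
   system does before an access check or audit record (example reimplementation of
   the documented RtlMapGenericMask semantics, not the Windows routine itself). */
ACCESS_MASK map_generic_mask(ACCESS_MASK mask, const GENERIC_MAPPING *gm)
{
    if (mask & GENERIC_READ)    mask |= gm->GenericRead;
    if (mask & GENERIC_WRITE)   mask |= gm->GenericWrite;
    if (mask & GENERIC_EXECUTE) mask |= gm->GenericExecute;
    if (mask & GENERIC_ALL)     mask |= gm->GenericAll;
    return mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* Does the granted mask cover every requested bit? Both masks must already be
   mapped: a generic bit left in 'requested' would never be matched by an ACE. */
int access_covered(ACCESS_MASK granted, ACCESS_MASK requested)
{
    return (requested & ~granted) == 0;
}

/* Names of the specific and standard bits, ordered by bit position; this is the
   form in which the security log reports them (generic names never appear). */
static const struct { ACCESS_MASK bit; const char *name; } right_names[] = {
    { FILE_READ_DATA, "FILE_READ_DATA" },       { FILE_WRITE_DATA, "FILE_WRITE_DATA" },
    { FILE_APPEND_DATA, "FILE_APPEND_DATA" },   { FILE_READ_EA, "FILE_READ_EA" },
    { FILE_WRITE_EA, "FILE_WRITE_EA" },         { FILE_EXECUTE, "FILE_EXECUTE" },
    { FILE_DELETE_CHILD, "FILE_DELETE_CHILD" }, { FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES" },
    { FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES" },
    { DELETE, "DELETE" },           { READ_CONTROL, "READ_CONTROL" },
    { WRITE_DAC, "WRITE_DAC" },     { WRITE_OWNER, "WRITE_OWNER" },
    { SYNCHRONIZE, "SYNCHRONIZE" },
};

/* Write the names of the set bits into buf, space separated, and return how many
   rights were named. Bits with no name (including unmapped generic bits) are skipped. */
size_t describe_mask(ACCESS_MASK mask, char *buf, size_t buflen)
{
    size_t count = 0, used = 0;
    if (buflen) buf[0] = '\0';
    for (size_t i = 0; i < sizeof right_names / sizeof right_names[0]; i++) {
        if (!(mask & right_names[i].bit)) continue;
        int n = snprintf(buf + used, buflen - used, "%s%s", count ? " " : "", right_names[i].name);
        if (n < 0 || (size_t)n >= buflen - used) break;   /* stop on truncation */
        used += (size_t)n;
        count++;
    }
    return count;
}

int main(void)
{
    char buf[256];
    ACCESS_MASK requested = map_generic_mask(GENERIC_WRITE, &file_mapping);
    ACCESS_MASK granted   = FILE_GENERIC_READ;   /* constructed sample ACE mask */
    describe_mask(requested, buf, sizeof buf);
    printf("GENERIC_WRITE maps to 0x%08X = %s\n", requested, buf);
    printf("covered by a FILE_GENERIC_READ grant? %s\n", access_covered(granted, requested) ? "yes" : "no");
    return 0;
}
```

Running it shows GENERIC_WRITE expanding to 0x00120116 and decoding to the five specific and standard names a log entry would list, and that a read-only grant does not cover the request. The mapping must happen before the comparison: checking an unmapped GENERIC_WRITE against an ACE that grants FILE_GENERIC_WRITE would wrongly fail, because bit 30 is not set in the ACE.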