Access Validation

When a user tries to access an object, Windows NT compares the security IDs (SIDs) in the user's access token with the owner and the discretionary access control list (ACL) stored in the object's security descriptor.

A desired access mask for the subject is created, based on the type of access the user is attempting. This desired access mask, usually built by the program the user is running, is compared with the object's ACL. Before the comparison, any generic access types (GENERIC_READ, GENERIC_WRITE, and so on) in the desired mask and in the ACL's ACEs are mapped to the standard and specific access types defined for that object type, so that both sides are compared using the same bits. Each ACE in the ACL is then evaluated, in the order in which it is stored, as follows:

1. The security ID in the ACE is compared with the set of security IDs in the user's access token. If no match is found, the ACE is skipped.

Further processing depends on the type of the ACE. By convention, AccessDenied ACEs are placed before AccessAllowed ACEs in an ACL, so they are processed first. The system itself evaluates ACEs strictly in stored order, so an ACL that breaks this convention can grant a right that a later AccessDenied ACE was meant to block.

2. Independently of the ACEs, the system checks whether the requester is the owner of the object (the object's owner SID appears in the token). If so, any READ_CONTROL and WRITE_DAC rights in the desired access mask are granted outright and removed from it before the remaining rights are checked against the ACL. The owner can therefore always read and rewrite the object's ACL, even if an AccessDenied ACE covers the owner.

3. For an AccessDenied ACE, the access rights in the ACE access mask are compared with the rights still outstanding in the desired access mask. If any right is found in both masks, access is denied and evaluation stops. Otherwise, processing continues with the next ACE.

4. For an AccessAllowed ACE, the access rights in the ACE are compared with those still outstanding in the desired access mask. Every right found in both is marked as granted and removed from the outstanding set; grants accumulate across several AccessAllowed ACEs. If nothing remains outstanding, no further processing is necessary, and access is granted. Otherwise, processing continues with the next ACE.

5. If any requested right is still outstanding at the end of the ACL, access is denied. There is no implicit grant: an ACL that contains no ACEs grants nothing to anyone except the owner's READ_CONTROL and WRITE_DAC.
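The five steps above, written out as a runnable model. This is an added example, not Windows source code: the access-right values mirror winnt.h, but the SIDs are made-up integers, the token and security-descriptor layouts are this example's own, and the sample ACLs are constructed to show the cases the text describes (canonical and non-canonical ordering, the owner rule, accumulation across several AccessAllowed ACEs, implicit deny on an empty ACL). It also handles a NULL DACL, which Windows treats as "no protection", a case the text does not cover.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Windows code: a model of the ACE walk described in the
 * text. Right values mirror winnt.h; SIDs are stand-in integers rather than
 * real SIDs, and the token/descriptor layouts are this example's own. */

#define DELETE          0x00010000u
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u
#define FILE_READ_DATA  0x00000001u
#define FILE_WRITE_DATA 0x00000002u
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_ALL     0x10000000u

typedef uint32_t sid_id;
enum { SID_ALICE = 1, SID_BOB = 2, SID_USERS = 100 };   /* constructed SIDs */

typedef struct { uint32_t generic_read, generic_write, generic_all; } generic_mapping;
typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; sid_id sid; uint32_t mask; } ace;
typedef struct { sid_id owner; const ace *aces; size_t count; bool null_dacl; } security_descriptor;
typedef struct { const sid_id *sids; size_t count; } access_token;

/* Replace GENERIC_* bits with the standard/specific rights of this object type. */
static uint32_t map_generic(uint32_t mask, const generic_mapping *gm)
{
    if (mask & GENERIC_READ)  mask = (mask & ~GENERIC_READ)  | gm->generic_read;
    if (mask & GENERIC_WRITE) mask = (mask & ~GENERIC_WRITE) | gm->generic_write;
    if (mask & GENERIC_ALL)   mask = (mask & ~GENERIC_ALL)   | gm->generic_all;
    return mask;
}

static bool token_has_sid(const access_token *t, sid_id sid)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* Returns true only if every requested right ends up granted. */
bool access_check(const access_token *t, const security_descriptor *sd,
                  const generic_mapping *gm, uint32_t desired)
{
    uint32_t remaining = map_generic(desired, gm);

    /* Owner rule: the object's owner may always read and rewrite the DACL,
     * so these two rights are settled before the ACL is consulted. */
    if (token_has_sid(t, sd->owner))
        remaining &= ~(READ_CONTROL | WRITE_DAC);

    if (sd->null_dacl)              /* NULL DACL: no protection, everything granted */
        return true;

    for (size_t i = 0; i < sd->count && remaining != 0; i++) {
        const ace *a = &sd->aces[i];
        uint32_t mask = map_generic(a->mask, gm);
        if (!token_has_sid(t, a->sid))
            continue;                           /* step 1: SID not in token, skip */
        if (a->type == ACE_DENY) {
            if (remaining & mask)
                return false;                   /* step 3: any overlap denies */
        } else {
            remaining &= ~mask;                 /* step 4: grants accumulate */
        }
    }
    return remaining == 0;                      /* step 5: anything left is a deny */
}

/* Constructed sample data: a file object owned by Alice. */
static const generic_mapping file_map = {
    READ_CONTROL | FILE_READ_DATA,
    READ_CONTROL | FILE_WRITE_DATA,
    READ_CONTROL | WRITE_DAC | DELETE | FILE_READ_DATA | FILE_WRITE_DATA
};
static const sid_id alice_sids[] = { SID_ALICE, SID_USERS };
static const sid_id bob_sids[]   = { SID_BOB,   SID_USERS };
static const access_token alice = { alice_sids, 2 };
static const access_token bob   = { bob_sids,   2 };

/* Canonical order: AccessDenied ACEs first. */
static const ace canonical_aces[] = {
    { ACE_DENY,  SID_BOB,   FILE_WRITE_DATA },
    { ACE_ALLOW, SID_USERS, READ_CONTROL | FILE_READ_DATA },
    { ACE_ALLOW, SID_ALICE, FILE_WRITE_DATA | DELETE },
};
static const security_descriptor canonical = { SID_ALICE, canonical_aces, 3, false };

/* Allow placed before deny: the walk is first-match, so the deny never fires. */
static const ace noncanonical_aces[] = {
    { ACE_ALLOW, SID_USERS, FILE_WRITE_DATA },
    { ACE_DENY,  SID_BOB,   FILE_WRITE_DATA },
};
static const security_descriptor noncanonical = { SID_ALICE, noncanonical_aces, 2, false };

/* Alice is denied everything, yet the owner rule still lets her change the DACL. */
static const ace lockout_aces[] = { { ACE_DENY, SID_ALICE, GENERIC_ALL } };
static const security_descriptor lockout    = { SID_ALICE, lockout_aces, 1, false };
static const security_descriptor empty_dacl = { SID_ALICE, NULL, 0, false };
static const security_descriptor null_dacl  = { SID_ALICE, NULL, 0, true };

int main(void)
{
    printf("Bob GENERIC_READ, canonical ACL:      %d\n", access_check(&bob, &canonical, &file_map, GENERIC_READ));
    printf("Bob write, canonical ACL:             %d\n", access_check(&bob, &canonical, &file_map, FILE_WRITE_DATA));
    printf("Bob write, non-canonical ACL:         %d\n", access_check(&bob, &noncanonical, &file_map, FILE_WRITE_DATA));
    printf("Alice WRITE_DAC, locked-out ACL:      %d\n", access_check(&alice, &lockout, &file_map, WRITE_DAC));
    printf("Bob read, empty DACL / NULL DACL:     %d %d\n", access_check(&bob, &empty_dacl, &file_map, FILE_READ_DATA),
           access_check(&bob, &null_dacl, &file_map, FILE_READ_DATA));
    return 0;
}
```

The loop checks deny ACEs against the rights still outstanding rather than the original request, which is why ordering matters: once an AccessAllowed ACE has cleared a bit, a later AccessDenied ACE for the same bit has nothing left to match.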