Access Masks and Access Rights
An access right defines a particular set of abilities that can be granted or
denied to a process when it attempts to use an object. For example, if an
application attempts to create a subkey in the registry but does not have the
KEY_CREATE_SUB_KEY access right, the system does not carry out the operation. An
application usually requests a set of access rights when it opens an object, and in
the case of registry keys, it makes that request when it calls the
RegOpenKeyEx function.
An access mask is the component of an access-control entry (ACE) that contains
the specific rights, standard rights, and generic rights defining the access a
user or group has to an object. Access masks are also used to
request access rights when an object is opened. For example, an application that
needs to set values, create subkeys, and query values in the registry can open
a key using an access mask that combines the KEY_WRITE and KEY_QUERY_VALUE
access rights.
An access mask is a single 32-bit value. The low-order 16 bits (bits 0 through 15)
are the specific rights and apply only to the object type associated with the
access mask. Bits 16 through 23 are the standard rights, which apply to all
objects. Bits 28 through 31 are the generic rights, which are mapped to specific
and standard rights when access to an object is requested.
Generic access rights are broad types of access whose exact implementation is
determined by the application defining an object. These rights are used when
protecting an object. For example, an application that defines a voice-annotation
object might define specific access rights by using VOICE_PLAY and VOICE_EDIT
for playing and editing the object. It might set up a
GENERIC_MAPPING structure in which GENERIC_EXECUTE maps to VOICE_PLAY and GENERIC_WRITE maps
to both VOICE_PLAY and VOICE_EDIT.
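As an added illustration (not code from the SDK or from this page), the following C models the mask layout just described and the generic-to-specific translation that MapGenericMask performs for the voice-annotation object. The standard and generic constants carry their real winnt.h values; the VOICE_* bit values and the GenericRead and GenericAll entries of the mapping are assumptions made for the example.

```c
/* Added example (not from the Windows SDK): models the 32-bit access-mask layout and
 * the translation MapGenericMask performs with a GENERIC_MAPPING. Standard and generic
 * constants carry their real winnt.h values; VOICE_* and the mapping are the
 * hypothetical voice-annotation object from the text, with bit values chosen here. */
#include <stdint.h>
typedef uint32_t ACCESS_MASK;
/* Standard rights, bits 16-23 */
#define DELETE        0x00010000u
#define READ_CONTROL  0x00020000u
#define WRITE_DAC     0x00040000u
#define WRITE_OWNER   0x00080000u
#define SYNCHRONIZE   0x00100000u
#define STANDARD_RIGHTS_REQUIRED (DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER)
/* Generic rights, bits 28-31 */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define GENERIC_BITS (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)
/* Hypothetical specific rights for the voice-annotation object, bits 0-15 */
#define VOICE_PLAY 0x0001u
#define VOICE_EDIT 0x0002u

/* Same four members as the SDK GENERIC_MAPPING structure */
typedef struct { ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll; } GENERIC_MAPPING_T;

/* The mapping described in the text; GenericRead and GenericAll are assumed here. */
static const GENERIC_MAPPING_T voice_mapping = {
    .GenericRead    = READ_CONTROL | VOICE_PLAY,
    .GenericWrite   = VOICE_PLAY | VOICE_EDIT,
    .GenericExecute = VOICE_PLAY,
    .GenericAll     = STANDARD_RIGHTS_REQUIRED | VOICE_PLAY | VOICE_EDIT,
};

/* Equivalent of MapGenericMask: replace each generic bit by the rights it maps to. */
ACCESS_MASK map_generic_mask(ACCESS_MASK mask, const GENERIC_MAPPING_T *m)
{
    if (mask & GENERIC_READ)    mask |= m->GenericRead;
    if (mask & GENERIC_WRITE)   mask |= m->GenericWrite;
    if (mask & GENERIC_EXECUTE) mask |= m->GenericExecute;
    if (mask & GENERIC_ALL)     mask |= m->GenericAll;
    return mask & ~GENERIC_BITS;
}

/* The three fields of a mask (bits 24-27 hold MAXIMUM_ALLOWED and ACCESS_SYSTEM_SECURITY). */
ACCESS_MASK specific_bits(ACCESS_MASK m) { return m & 0x0000FFFFu; }
ACCESS_MASK standard_bits(ACCESS_MASK m) { return m & 0x00FF0000u; }
ACCESS_MASK generic_bits(ACCESS_MASK m)  { return m & 0xF0000000u; }
```

After mapping, no generic bits remain, which is why an ACL that stores an unmapped GENERIC_* bit cannot be compared directly with a caller's request.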
The following are the generic rights that have been defined.
Constant        | Meaning
GENERIC_ALL     | Read, write, and execute access
GENERIC_EXECUTE | Execute access
GENERIC_READ    | Read access
GENERIC_WRITE   | Write access
If an application receives GENERIC_WRITE access to a file, for example, it has
specific rights allowing it to write and append data to the file, write file
attributes, and write extended attributes. In addition, the application has the
STANDARD_RIGHTS_WRITE and SYNCHRONIZE standard access rights.
The following constants are masks for the standard access rights.
Constant                 | Meaning
DELETE                   | Delete access.
READ_CONTROL             | Read access to the security descriptor, not including the system ACL.
STANDARD_RIGHTS_ALL      | Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
STANDARD_RIGHTS_EXECUTE  | Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_READ     | Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_REQUIRED | Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
STANDARD_RIGHTS_WRITE    | Currently defined to equal READ_CONTROL.
SYNCHRONIZE              | Synchronize access. Allows a thread to wait for the object. This access type is not supported by all object types.
WRITE_DAC                | Write access to the discretionary ACL.
WRITE_OWNER              | Write access to the owner.
The SPECIFIC_RIGHTS_ALL constant denotes all of the specific rights, even
those not defined for an object.
The system validates each requested access against the process's access token,
so requests for broad access can require a great deal of validation time.
Therefore, it is generally better for applications to avoid requesting the broadest
possible access to an object except when such access is actually required.
Certain rights are commonly used in an ACL to deny access to an object, but they
are rarely used in requests to open an object. In particular, requesting any of
the access rights in the following list has a negative impact on system
performance:
EVENT_ALL_ACCESS
FILE_MAP_ALL_ACCESS
GENERIC_ALL
KEY_ALL_ACCESS
MUTEX_ALL_ACCESS
PROCESS_ALL_ACCESS
SC_MANAGER_ALL_ACCESS
SECTION_ALL_ACCESS
SEMAPHORE_ALL_ACCESS
SERVICE_ALL_ACCESS
SPECIFIC_RIGHTS_ALL
STANDARD_RIGHTS_ALL
THREAD_ALL_ACCESS
TOKEN_ALL_ACCESS
The MAXIMUM_ALLOWED constant specifies that an object is to be opened by using
all the access rights that are valid for the given user. An additional access
type, ACCESS_SYSTEM_SECURITY, is needed to manipulate an object's system ACL.
Neither MAXIMUM_ALLOWED nor ACCESS_SYSTEM_SECURITY can be used in a DACL.
However, you can use ACCESS_SYSTEM_SECURITY in a SACL to audit use of that bit in an
access attempt.
The MapGenericMask function maps a series of generic rights specified in a
GENERIC_MAPPING structure to specific and standard rights in an access mask. An
application can use the GENERIC_MAPPING structure to specify the access rights
for an object when it is created. When a client process requests access to the
object, the server can use MapGenericMask to translate the client's requested
access into the standard and specific rights for that object.
To discover whether a client process has the proper access rights to an
object, a server can call the AccessCheck or AccessCheckAndAuditAlarm function.
The AreAllAccessesGranted and AreAnyAccessesGranted functions compare a
requested access mask with a granted access mask.
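To show how an already-mapped request is then evaluated, here is an added C model (not the SDK's code) of the ordered DACL walk that AccessCheck performs, together with the AreAllAccessesGranted and AreAnyAccessesGranted comparisons. The bit-flag stand-ins for SIDs, the registry-key DACL and the caller's token are constructed for the example; owner rights, privileges, NULL DACLs and auditing are left out.

```c
/* Added example (not from the Windows SDK): a simplified model of the DACL walk that
 * AccessCheck performs and of the AreAllAccessesGranted/AreAnyAccessesGranted tests.
 * Masks are assumed already translated by MapGenericMask (no generic bits remain). */
#include <stdbool.h>
#include <stdint.h>
typedef uint32_t ACCESS_MASK;
#define READ_CONTROL       0x00020000u /* real winnt.h values */
#define MAXIMUM_ALLOWED    0x02000000u
#define KEY_QUERY_VALUE    0x0001u
#define KEY_SET_VALUE      0x0002u
#define KEY_CREATE_SUB_KEY 0x0004u
#define USER_ALICE   0x1u  /* SID stand-ins: one bit per user or group; a token is */
#define GROUP_STAFF  0x2u  /* the set of bits the caller holds (constructed here)  */
typedef enum { ACE_ALLOW, ACE_DENY } ace_type_t;
typedef struct { ace_type_t type; uint32_t trustee; ACCESS_MASK mask; } ace_t;

/* Walk the DACL in order: a matching deny ACE that overlaps the outstanding request
 * fails at once; allow ACEs accumulate bits until nothing remains. MAXIMUM_ALLOWED
 * walks the whole list and yields every bit allowed and not previously denied. */
bool access_check(const ace_t *dacl, int n, uint32_t token,
                  ACCESS_MASK desired, ACCESS_MASK *granted)
{
    bool want_max = (desired & MAXIMUM_ALLOWED) != 0;
    ACCESS_MASK remaining = desired & ~MAXIMUM_ALLOWED, denied = 0, got = 0;
    for (int i = 0; i < n; i++) {
        if (!(token & dacl[i].trustee)) continue;       /* ACE not for this caller */
        if (dacl[i].type == ACE_DENY) {
            if (remaining & dacl[i].mask) { *granted = 0; return false; }
            denied |= dacl[i].mask;
        } else {
            got |= dacl[i].mask & ~denied;
            remaining &= ~dacl[i].mask;
            if (!want_max && remaining == 0) break;     /* request satisfied early */
        }
    }
    if (remaining || (want_max && got == 0)) { *granted = 0; return false; }
    *granted = want_max ? got : (desired & ~MAXIMUM_ALLOWED);
    return true;
}
/* Equivalents of AreAllAccessesGranted and AreAnyAccessesGranted. */
bool all_granted(ACCESS_MASK g, ACCESS_MASK d) { return (g & d) == d; }
bool any_granted(ACCESS_MASK g, ACCESS_MASK d) { return (g & d) != 0; }
/* Constructed sample: a key DACL whose deny ACE precedes its allow ACEs (canonical order).
 * sample_check lets Alice (a member of staff) ask for `desired`; returns the granted mask, 0 if denied. */
static const ace_t sample_dacl[] = {
    { ACE_DENY,  GROUP_STAFF, KEY_CREATE_SUB_KEY },
    { ACE_ALLOW, USER_ALICE,  KEY_QUERY_VALUE | READ_CONTROL },
    { ACE_ALLOW, GROUP_STAFF, KEY_SET_VALUE | KEY_CREATE_SUB_KEY },
};
ACCESS_MASK sample_check(ACCESS_MASK desired)
{ ACCESS_MASK g = 0; access_check(sample_dacl, 3, USER_ALICE | GROUP_STAFF, desired, &g); return g; }
```

Note that asking for KEY_SET_VALUE | KEY_CREATE_SUB_KEY fails outright because the deny ACE overlaps the request, while the narrower KEY_SET_VALUE request succeeds; this is the practical reason to request only the rights an operation needs.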