Access Masks and Access Rights
An access right defines a particular set of abilities that can be granted or
denied to a process when it attempts to use an object. For example, if an
application attempts to create a subkey in the registry but does not have the
KEY_CREATE_SUB_KEY access right, the system does not carry out the operation. An
application usually requests a set of access rights when it opens an object, and in
the case of registry keys, it makes that request when it calls the RegOpenKeyEx function.
An access mask is the component of an access-control entry (ACE) that contains the specific rights, standard rights, and generic rights
defining the access a user or group has to an object. Access masks are also used to
request access rights when an object is opened. For example, an application that
needs to set values, create subkeys, and query values in the registry can open
a key using an access mask that combines the KEY_WRITE and KEY_QUERY_VALUE
access rights.
An access mask is a single 32-bit value. The low-order 16 bits (bits 0 through 15) are the specific
rights and apply only to the object type associated with the access mask. Bits 16
through 23 are the standard rights, which apply to all objects. Bits 28 through 31
are the generic rights, which are mapped to specific and standard rights when access to
an object is requested.
Generic access rights are broad types of access whose exact implementation is
determined by the application defining an object. These rights are used when
protecting an object. For example, an application that defines a voice-annotation
object might define specific access rights by using VOICE_PLAY and VOICE_EDIT
for playing and editing the object. It might set up a GENERIC_MAPPING structure in which GENERIC_EXECUTE maps to VOICE_PLAY and GENERIC_WRITE maps
to both VOICE_PLAY and VOICE_EDIT.
The following are the generic rights that have been defined.
Constant        | Meaning
GENERIC_ALL     | Read, write, and execute access
GENERIC_EXECUTE | Execute access
GENERIC_READ    | Read access
GENERIC_WRITE   | Write access
If an application receives GENERIC_WRITE access to a file, for example, it has
specific rights allowing it to write and append data to the file, write file
attributes, and write extended attributes. In addition, the application has the
STANDARD_RIGHTS_WRITE and SYNCHRONIZE standard access rights.
The following constants are masks for the standard access rights.
Constant                 | Meaning
DELETE                   | Delete access.
READ_CONTROL             | Read access to the security descriptor, not including the system ACL.
STANDARD_RIGHTS_ALL      | Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
STANDARD_RIGHTS_EXECUTE  | Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_READ     | Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_REQUIRED | Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
STANDARD_RIGHTS_WRITE    | Currently defined to equal READ_CONTROL.
SYNCHRONIZE              | Synchronize access. Allows a thread to wait for the object. This access type is not supported by all object types.
WRITE_DAC                | Write access to the discretionary ACL.
WRITE_OWNER              | Write access to the owner.
The SPECIFIC_RIGHTS_ALL constant denotes all of the specific rights, even
those not defined for an object.
The system validates each requested access against the process's access token,
so requests for broad access can require a great deal of validation time.
Therefore, it is generally better for applications to avoid requesting the broadest
possible access to an object except when such access is actually required.
Certain rights are commonly used in an ACL to deny access to an object, but they
are rarely used in requests to open an object. In particular, requesting any of
the access rights in the following list has a negative impact on system
performance:
EVENT_ALL_ACCESS
SECTION_ALL_ACCESS
FILE_MAP_ALL_ACCESS
SEMAPHORE_ALL_ACCESS
GENERIC_ALL
SERVICE_ALL_ACCESS
KEY_ALL_ACCESS
SPECIFIC_RIGHTS_ALL
MUTEX_ALL_ACCESS
STANDARD_RIGHTS_ALL
PROCESS_ALL_ACCESS
THREAD_ALL_ACCESS
SC_MANAGER_ALL_ACCESS
TOKEN_ALL_ACCESS
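As an added example (not part of the original reference, and not SDK code), the following C program pulls a 32-bit access mask apart along the bit boundaries described above, names the standard rights it carries, and flags the object-independent "everything" masks from the list just given. The numeric values of the constants are the ones winnt.h assigns and match the stated layout (specific rights in bits 0-15, standard rights in bits 16-23, generic rights in bits 28-31, with ACCESS_SYSTEM_SECURITY and MAXIMUM_ALLOWED in bits 24 and 25); the sample mask in main is constructed for the example. It compiles without the Windows headers so the layout can be inspected on any platform.

```c
#include <stdint.h>
#include <stdio.h>

/* Rights and special bits with the values they have in the Windows SDK
 * (winnt.h), defined here so the program builds without windows.h. */
#define DELETE                 0x00010000u   /* bit 16 */
#define READ_CONTROL           0x00020000u   /* bit 17 */
#define WRITE_DAC              0x00040000u   /* bit 18 */
#define WRITE_OWNER            0x00080000u   /* bit 19 */
#define SYNCHRONIZE            0x00100000u   /* bit 20 */
#define STANDARD_RIGHTS_ALL    0x001F0000u   /* the five standard rights */
#define SPECIFIC_RIGHTS_ALL    0x0000FFFFu   /* all 16 object-specific bits */
#define ACCESS_SYSTEM_SECURITY 0x01000000u   /* bit 24 */
#define MAXIMUM_ALLOWED        0x02000000u   /* bit 25 */
#define GENERIC_ALL            0x10000000u   /* bit 28 */
#define GENERIC_EXECUTE        0x20000000u   /* bit 29 */
#define GENERIC_WRITE          0x40000000u   /* bit 30 */
#define GENERIC_READ           0x80000000u   /* bit 31 */

/* The fields of one access mask, separated by bit position. */
typedef struct {
    uint16_t specific;         /* bits 0-15, meaning depends on the object type */
    uint8_t  standard;         /* bits 16-23, shifted down to 0-7 */
    int      system_security;  /* bit 24 set: ACCESS_SYSTEM_SECURITY */
    int      maximum_allowed;  /* bit 25 set: MAXIMUM_ALLOWED */
    uint8_t  generic;          /* bits 28-31, shifted down to 0-3 */
} access_mask_fields;

access_mask_fields split_access_mask(uint32_t mask)
{
    access_mask_fields f;
    f.specific        = (uint16_t)(mask & 0xFFFFu);
    f.standard        = (uint8_t)((mask >> 16) & 0xFFu);
    f.system_security = (mask & ACCESS_SYSTEM_SECURITY) != 0;
    f.maximum_allowed = (mask & MAXIMUM_ALLOWED) != 0;
    f.generic         = (uint8_t)((mask >> 28) & 0xFu);
    return f;
}

/* Writes the names of the standard rights present in mask into out
 * (comma-separated) and returns how many there were.  64 bytes of out
 * is enough for all five names. */
int standard_rights_names(uint32_t mask, char *out, size_t outlen)
{
    static const struct { uint32_t bit; const char *name; } table[] = {
        { DELETE,       "DELETE" },
        { READ_CONTROL, "READ_CONTROL" },
        { WRITE_DAC,    "WRITE_DAC" },
        { WRITE_OWNER,  "WRITE_OWNER" },
        { SYNCHRONIZE,  "SYNCHRONIZE" },
    };
    int count = 0;
    size_t used = 0;
    if (outlen) out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (!(mask & table[i].bit)) continue;
        int n = snprintf(out + used, outlen - used, "%s%s",
                         count ? "," : "", table[i].name);
        if (n < 0 || (size_t)n >= outlen - used) break;  /* out of room */
        used += (size_t)n;
        count++;
    }
    return count;
}

/* True if the request contains one of the object-independent "all"
 * masks that the text singles out as expensive for the system to validate. */
int is_broad_request(uint32_t mask)
{
    return (mask & GENERIC_ALL) != 0
        || (mask & STANDARD_RIGHTS_ALL) == STANDARD_RIGHTS_ALL
        || (mask & SPECIFIC_RIGHTS_ALL) == SPECIFIC_RIGHTS_ALL;
}

int main(void)
{
    /* Constructed sample: generic read plus DELETE and SYNCHRONIZE,
     * with two object-specific bits set. */
    uint32_t mask = GENERIC_READ | DELETE | SYNCHRONIZE | 0x0003u;
    access_mask_fields f = split_access_mask(mask);
    char names[64];
    int n = standard_rights_names(mask, names, sizeof names);

    printf("mask 0x%08X: specific=0x%04X standard=0x%02X generic=0x%X\n",
           (unsigned)mask, (unsigned)f.specific, (unsigned)f.standard,
           (unsigned)f.generic);
    printf("standard rights (%d): %s\n", n, names);
    printf("broad request: %s\n", is_broad_request(mask) ? "yes" : "no");
    printf("GENERIC_ALL is broad: %s\n",
           is_broad_request(GENERIC_ALL) ? "yes" : "no");
    return 0;
}
```

A useful habit when reviewing code that opens kernel objects is to run the requested mask through is_broad_request: a request that trips it is usually asking for more than the caller will use and is the kind the text advises against.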
The MAXIMUM_ALLOWED constant specifies that an object is to be opened by using
all the access rights that are valid for the given user. An additional access
type, ACCESS_SYSTEM_SECURITY, is needed to manipulate an object's system ACL.
Neither MAXIMUM_ALLOWED nor ACCESS_SYSTEM_SECURITY can be used in a DACL.
However, you can use ACCESS_SYSTEM_SECURITY in a SACL to audit use of that bit in an
access attempt.
The MapGenericMask function maps a series of generic rights specified in a GENERIC_MAPPING structure to specific and standard rights in an access mask. An application
can use the GENERIC_MAPPING structure to specify the access rights for an object when it is created. When
a client process requests access to the object, the server can use MapGenericMask to translate the client's requested access into the standard and specific
rights for that object.
To discover whether a client process has the proper access rights to an
object, a server can call the AccessCheck or AccessCheckAndAuditAlarm function. The AreAllAccessesGranted and AreAnyAccessesGranted functions compare a requested access mask with a granted access mask.
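The generic-to-specific translation and the granted-versus-requested comparison can be seen end to end with the voice-annotation object sketched earlier. The following is an added example, not the reference's or any SDK's code: the VOICE_PLAY and VOICE_EDIT bit values, the GENERIC_READ and GENERIC_ALL rows of the mapping, and the standard-rights part of each row are assumptions chosen for the example; map_generic_mask, are_all_accesses_granted and are_any_accesses_granted are local re-implementations of what MapGenericMask, AreAllAccessesGranted and AreAnyAccessesGranted do, and the "granted" mask in main stands in for the result an AccessCheck call would return.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard and generic rights, values as in winnt.h (no windows.h needed). */
#define READ_CONTROL             0x00020000u
#define SYNCHRONIZE              0x00100000u
#define STANDARD_RIGHTS_READ     READ_CONTROL
#define STANDARD_RIGHTS_WRITE    READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE  READ_CONTROL
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define GENERIC_ALL              0x10000000u
#define GENERIC_EXECUTE          0x20000000u
#define GENERIC_WRITE            0x40000000u
#define GENERIC_READ             0x80000000u

/* Object-specific rights of the hypothetical voice-annotation object.
 * The bit positions are assumptions made for this example. */
#define VOICE_PLAY 0x0001u
#define VOICE_EDIT 0x0002u

/* Same shape as the Win32 GENERIC_MAPPING structure. */
typedef struct {
    uint32_t GenericRead;
    uint32_t GenericWrite;
    uint32_t GenericExecute;
    uint32_t GenericAll;
} generic_mapping;

/* Replace each generic bit in *mask with the rights the mapping assigns
 * to it, as MapGenericMask does; the generic bits themselves are cleared. */
void map_generic_mask(uint32_t *mask, const generic_mapping *m)
{
    uint32_t in  = *mask;
    uint32_t out = in & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (in & GENERIC_READ)    out |= m->GenericRead;
    if (in & GENERIC_WRITE)   out |= m->GenericWrite;
    if (in & GENERIC_EXECUTE) out |= m->GenericExecute;
    if (in & GENERIC_ALL)     out |= m->GenericAll;
    *mask = out;
}

/* Local equivalents of AreAllAccessesGranted / AreAnyAccessesGranted. */
int are_all_accesses_granted(uint32_t granted, uint32_t desired)
{
    return (granted & desired) == desired;
}
int are_any_accesses_granted(uint32_t granted, uint32_t desired)
{
    return (granted & desired) != 0;
}

/* The mapping the text sketches: GENERIC_EXECUTE -> VOICE_PLAY and
 * GENERIC_WRITE -> VOICE_PLAY | VOICE_EDIT.  The GenericRead and
 * GenericAll rows and the standard-rights parts are assumptions. */
static const generic_mapping voice_mapping = {
    STANDARD_RIGHTS_READ    | VOICE_PLAY,                           /* GenericRead */
    STANDARD_RIGHTS_WRITE   | VOICE_PLAY | VOICE_EDIT,              /* GenericWrite */
    STANDARD_RIGHTS_EXECUTE | VOICE_PLAY,                           /* GenericExecute */
    STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | VOICE_PLAY | VOICE_EDIT /* GenericAll */
};

/* Server side: turn a client's requested mask into the standard and
 * specific rights it means for a voice-annotation object. */
uint32_t voice_requested_to_specific(uint32_t requested)
{
    map_generic_mask(&requested, &voice_mapping);
    return requested;
}

int main(void)
{
    /* Constructed scenario: the object's DACL grants this client only
     * READ_CONTROL and VOICE_PLAY (what AccessCheck would report). */
    uint32_t granted = READ_CONTROL | VOICE_PLAY;
    uint32_t requests[] = { GENERIC_EXECUTE, GENERIC_WRITE, GENERIC_ALL };

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        uint32_t want = voice_requested_to_specific(requests[i]);
        printf("request 0x%08X -> 0x%08X  all granted: %d  any granted: %d\n",
               (unsigned)requests[i], (unsigned)want,
               are_all_accesses_granted(granted, want),
               are_any_accesses_granted(granted, want));
    }
    return 0;
}
```

The point to take from the run is that a client asking for GENERIC_WRITE ends up being checked for READ_CONTROL, VOICE_PLAY and VOICE_EDIT together, so a principal that holds only VOICE_PLAY fails the all-granted test even though it could have opened the object for GENERIC_EXECUTE; requesting the narrower generic right is both cheaper and more likely to succeed.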