An Access Control Entry (ACE) is an element in a security descriptor
such as those associated with files and directories. The Windows OS
determines which users have the necessary permissions to access objects
based on these entries.
To fully understand the information exposed by this class, a description
of the access check algorithm used by Windows is required. The following
is a basic description of the algorithm. For a more complete description
we recommend reading the section on Access Control in Keith Brown's
"The .NET Developer's Guide to Windows Security" (which is also
available online).
Direct ACEs are evaluated first, in order. The SID of the user performing
the operation and the desired access bits are compared to the SID
and access mask of each ACE. If the SID matches, the allow/deny flag
and access mask are considered. If the ACE is a "deny" ACE and
any of the desired access bits match bits in the access
mask of the ACE, the whole access check fails. If the ACE is an "allow"
ACE and all of the bits in the desired access bits match bits in
the access mask of the ACE, the access check is successful. Otherwise,
more ACEs are evaluated until all desired access bits (combined)
are "allowed". If all of the desired access bits are not "allowed",
then the same process is repeated for inherited ACEs.
For example, if user WNET\alice tries to open a file with desired access
bits 0x00000003 (FILE_READ_DATA | FILE_WRITE_DATA) and the target file
has the following security descriptor ACEs:

Allow WNET\alice 0x001200A9 Direct
Allow Administrators 0x001F01FF Inherited
Allow SYSTEM 0x001F01FF Inherited

the access check would fail because the direct ACE has an access mask
of 0x001200A9, which doesn't have the FILE_WRITE_DATA bit (0x00000002)
set. Actually, this isn't quite correct: if WNET\alice is in the local
Administrators group, the access check will succeed because the inherited
ACE allows local Administrators both FILE_READ_DATA and FILE_WRITE_DATA
access.
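The walk described above, worked through in code. This is an added illustration, not part of jCIFS; the Ace class, the access_check function and the sample ACE list are constructed here to mirror the example (direct ACEs first, then inherited; a matching "deny" fails the whole check; "allow" bits accumulate until every desired bit is granted). A third case, a direct "deny" placed ahead of the inherited Administrators "allow", shows why ACE order matters.

```python
from dataclasses import dataclass

# Only the two bits the example needs; values follow the page's example.
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002


@dataclass(frozen=True)
class Ace:
    allow: bool      # True for an "allow" ACE, False for a "deny" ACE
    sid: str         # trustee name stands in for the binary SID here
    mask: int        # access mask of the ACE
    inherited: bool  # True if the ACE was inherited from a parent object


def access_check(aces, token_sids, desired):
    """Return True if a token holding token_sids is granted every bit in desired."""
    granted = 0
    # Direct ACEs are evaluated first, then inherited ACEs, each in order.
    for inherited_pass in (False, True):
        for ace in aces:
            if ace.inherited != inherited_pass or ace.sid not in token_sids:
                continue
            if not ace.allow:
                # A deny ACE covering any desired bit fails the whole check.
                if desired & ace.mask:
                    return False
            else:
                granted |= desired & ace.mask
                if granted == desired:
                    return True
    return granted == desired


# Constructed sample matching the ACEs listed in the example above.
FILE_ACES = [
    Ace(True, "WNET\\alice", 0x001200A9, False),
    Ace(True, "Administrators", 0x001F01FF, True),
    Ace(True, "SYSTEM", 0x001F01FF, True),
]
WANTED = FILE_READ_DATA | FILE_WRITE_DATA  # 0x00000003


def alice_alone():          # direct ACE lacks FILE_WRITE_DATA -> fails
    return access_check(FILE_ACES, {"WNET\\alice"}, WANTED)


def alice_as_admin():       # inherited Administrators ACE supplies the bit
    return access_check(FILE_ACES, {"WNET\\alice", "Administrators"}, WANTED)


def alice_denied_as_admin():  # a direct deny is hit before any inherited allow
    deny_first = [Ace(False, "WNET\\alice", FILE_WRITE_DATA, False)] + FILE_ACES
    return access_check(deny_first, {"WNET\\alice", "Administrators"}, WANTED)
```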
public static final int DELETE
public static final int FILE_APPEND_DATA
public static final int FILE_DELETE
public static final int FILE_EXECUTE
public static final int FILE_READ_ATTRIBUTES
public static final int FILE_READ_DATA
public static final int FILE_READ_EA
public static final int FILE_WRITE_ATTRIBUTES
public static final int FILE_WRITE_DATA
public static final int FILE_WRITE_EA
public static final int FLAGS_CONTAINER_INHERIT
public static final int FLAGS_INHERITED
public static final int FLAGS_INHERIT_ONLY
public static final int FLAGS_NO_PROPAGATE
public static final int FLAGS_OBJECT_INHERIT
public static final int GENERIC_ALL
public static final int GENERIC_EXECUTE
public static final int GENERIC_READ
public static final int GENERIC_WRITE
public static final int READ_CONTROL
public static final int SYNCHRONIZE
public static final int WRITE_DAC
public static final int WRITE_OWNER