{"id":25833,"date":"2007-07-26T10:00:00","date_gmt":"2007-07-26T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2007\/07\/26\/how-do-the-names-in-the-file-security-dialog-map-to-access-control-masks\/"},"modified":"2007-07-26T10:00:00","modified_gmt":"2007-07-26T10:00:00","slug":"how-do-the-names-in-the-file-security-dialog-map-to-access-control-masks","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20070726-00\/?p=25833","title":{"rendered":"How do the names in the file security dialog map to access control masks?"},"content":{"rendered":"<p>When you call up the file security dialog, you&#8217;ll see options like &#8220;Full Control&#8221; and &#8220;Read and Execute&#8221;. That&#8217;s really nice as friendly names go, but when you&#8217;re digging into the security descriptor, you may need to know what those permissions really map to when it comes down to bits.\n First, the summary attributes:<\/p>\n<table border=\"1\">\n<tr>\n<th>Friendly name<\/th>\n<th>Access mask<\/th>\n<th>Inheritance<\/th>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Full control<\/td>\n<td valign=\"BASELINE\"><code>FILE_ALL_ACCESS<\/code><\/td>\n<td valign=\"BASELINE\"><code>CONTAINER_INHERIT_ACE&nbsp;+ OBJECT_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Modify<\/td>\n<td valign=\"BASELINE\"><code>FILE_GENERIC_READ&nbsp;| FILE_GENERIC_WRITE&nbsp;|     FILE_GENERIC_EXECUTE&nbsp;| DELETE<\/code><\/td>\n<td valign=\"BASELINE\"><code>CONTAINER_INHERIT_ACE&nbsp;+ OBJECT_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Read and execute<\/td>\n<td valign=\"BASELINE\"><code>FILE_GENERIC_READ&nbsp;| FILE_GENERIC_EXECUTE<\/code><\/td>\n<td valign=\"BASELINE\"><code>CONTAINER_INHERIT_ACE&nbsp;+ OBJECT_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">List folder contents<\/td>\n<td valign=\"BASELINE\"><code>FILE_GENERIC_READ&nbsp;| FILE_GENERIC_EXECUTE<\/code><\/td>\n<td 
valign=\"BASELINE\"><code>CONTAINER_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Read<\/td>\n<td valign=\"BASELINE\"><code>FILE_GENERIC_READ<\/code><\/td>\n<td valign=\"BASELINE\"><code>CONTAINER_INHERIT_ACE&nbsp;+ OBJECT_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Write<\/td>\n<td valign=\"BASELINE\"><code>FILE_GENERIC_WRITE &amp; ~READ_CONTROL<\/code><\/td>\n<td valign=\"BASELINE\"><code>CONTAINER_INHERIT_ACE&nbsp;+ OBJECT_INHERIT_ACE<\/code><\/td>\n<\/tr>\n<\/table>\n<p> If you go to the Advanced view, then you get much more precise control:<\/p>\n<table border=\"1\">\n<tr>\n<th>Friendly name<\/th>\n<th>Access mask<\/th>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Traverse Folder&nbsp;\/ Execute File<\/td>\n<td valign=\"BASELINE\"><code>FILE_TRAVERSE == FILE_EXECUTE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">List Folder&nbsp;\/ Read Data<\/td>\n<td valign=\"BASELINE\"><code>FILE_LIST_DIRECTORY == FILE_READ_DATA<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Read Attributes<\/td>\n<td valign=\"BASELINE\"><code>FILE_READ_ATTRIBUTES<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Read Extended Attributes<\/td>\n<td valign=\"BASELINE\"><code>FILE_READ_EA<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Create Files&nbsp;\/ Write Data<\/td>\n<td valign=\"BASELINE\"><code>FILE_ADD_FILE == FILE_WRITE_DATA<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Create Folders&nbsp;\/ Append Data<\/td>\n<td valign=\"BASELINE\"><code>FILE_ADD_SUBDIRECTORY == FILE_APPEND_DATA<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Write Attributes<\/td>\n<td valign=\"BASELINE\"><code>FILE_WRITE_ATTRIBUTES<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Write Extended Attributes<\/td>\n<td valign=\"BASELINE\"><code>FILE_WRITE_EA<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Delete Subfolders and Files<\/td>\n<td valign=\"BASELINE\"><code>FILE_DELETE_CHILD<\/code><\/td>\n<\/tr>\n<tr>\n<td 
valign=\"BASELINE\">Delete<\/td>\n<td valign=\"BASELINE\"><code>FILE_DELETE<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Read Permissions<\/td>\n<td valign=\"BASELINE\"><code>READ_CONTROL<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Change Permissions<\/td>\n<td valign=\"BASELINE\"><code>WRITE_DAC<\/code><\/td>\n<\/tr>\n<tr>\n<td valign=\"BASELINE\">Take Ownership<\/td>\n<td valign=\"BASELINE\"><code>WRITE_OWNER<\/code><\/td>\n<\/tr>\n<\/table>\n<p> (In the Advanced view, you control inheritance from the &#8220;Apply to&#8221; drop-down combo box.)\n Note that the &#8220;Delete Subfolders and Files&#8221; and &#8220;Delete&#8221; attributes together determine whether you can delete a file or subdirectory: You can delete an item either if you have <code>DELETE<\/code> permission on the item <strong>or<\/strong> if you have <code>DELETE_CHILD<\/code> permission on its parent. This &#8220;combo&#8221; allows you to set up a directory where everybody can create files and can delete files that they have created, while still retaining the ability as the directory&#8217;s owner to delete any file in it. You do this by granting yourself <code>DELETE_CHILD<\/code> permission on the directory and granting <code>DELETE<\/code> to <code>CREATOR_OWNER<\/code> as an inheritable attribute. Since you have <code>DELETE_CHILD<\/code> permission, you can delete anything in the directory. And since the creator\/owner has <code>DELETE<\/code> permission, people can delete the files that they themselves created.<\/p>\n<p> [Update 2pm: INHERIT_ONLY_ACE should be OBJECT_INHERIT_ACE.] <\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you call up the file security dialog, you&#8217;ll see options like &#8220;Full Control&#8221; and &#8220;Read and Execute&#8221;. That&#8217;s really nice as friendly names go, but when you&#8217;re digging into the security descriptor, you may need to know what those permissions really map to when it comes down to bits. 
First, the summary attributes: Friendly [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[104],"class_list":["post-25833","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-tipssupport"],"acf":[],"blog_post_summary":"<p>When you call up the file security dialog, you&#8217;ll see options like &#8220;Full Control&#8221; and &#8220;Read and Execute&#8221;. That&#8217;s really nice as friendly names go, but when you&#8217;re digging into the security descriptor, you may need to know what those permissions really map to when it comes down to bits. First, the summary attributes: Friendly [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/25833","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=25833"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/25833\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=25833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=25833"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=25833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}