2.2.1.1.1 ACCESS_MASK for All Objects
Certain ACCESS_MASK flags apply equally to all types of objects. These flags are described in the following table.

| Value | Meaning |
|---|---|
| DELETE (0x00010000) | Delete object. |
| READ_CONTROL (0x00020000) | The read value of a DACL and owner in a security descriptor. |
| WRITE_DAC (0x00040000) | The write value of a DACL in a security descriptor. |
| WRITE_OWNER (0x00080000) | The write value of the owner in a security descriptor. |
| MAXIMUM_ALLOWED (0x02000000) | Used in requesting access; get as much access as the server will allow. |

The four high-order bits in ACCESS_MASK values are translated by the responder into specific ACCESS_MASK values using the following tables, depending on the type of the object that the operation is performed on. For numeric values of the symbolic names used in these tables, refer to section 2.2.1.1.2 for policy objects, section 2.2.1.1.3 for account objects, section 2.2.1.1.4 for secret objects, and section 2.2.1.1.5 for trusted domain objects. In the following tables, the symbol '|' is used to indicate that the value represented by the symbol is to be logically combined by using the bitwise OR operation with the other operand.

| ACCESS_MASK value to be translated | Translated to when used with policy object |
|---|---|
| 0x80000000 | POLICY_VIEW_AUDIT_INFORMATION \| POLICY_GET_PRIVATE_INFORMATION \| READ_CONTROL (0x00020006) |
| 0x40000000 | POLICY_TRUST_ADMIN \| POLICY_CREATE_ACCOUNT \| POLICY_CREATE_SECRET \| POLICY_CREATE_PRIVILEGE \| POLICY_SET_DEFAULT_QUOTA_LIMITS \| POLICY_SET_AUDIT_REQUIREMENTS \| POLICY_AUDIT_LOG_ADMIN \| POLICY_SERVER_ADMIN \| READ_CONTROL (0x000207F8) |
| 0x20000000 | POLICY_VIEW_LOCAL_INFORMATION \| POLICY_LOOKUP_NAMES \| READ_CONTROL (0x00020801) |
| 0x10000000 | POLICY_VIEW_LOCAL_INFORMATION \| POLICY_VIEW_AUDIT_INFORMATION \| POLICY_GET_PRIVATE_INFORMATION \| POLICY_TRUST_ADMIN \| POLICY_CREATE_ACCOUNT \| POLICY_CREATE_SECRET \| POLICY_CREATE_PRIVILEGE \| POLICY_SET_DEFAULT_QUOTA_LIMITS \| POLICY_SET_AUDIT_REQUIREMENTS \| POLICY_AUDIT_LOG_ADMIN \| POLICY_SERVER_ADMIN \| POLICY_LOOKUP_NAMES \| DELETE \| READ_CONTROL \| WRITE_DAC \| WRITE_OWNER (0x000F0FFF) |

| ACCESS_MASK value to be translated | Translated to when used with account object |
|---|---|
| 0x80000000 | ACCOUNT_VIEW \| READ_CONTROL (0x00020001) |
| 0x40000000 | ACCOUNT_ADJUST_PRIVILEGES \| ACCOUNT_ADJUST_QUOTAS \| ACCOUNT_ADJUST_SYSTEM_ACCESS \| READ_CONTROL (0x0002000E) |
| 0x20000000 | READ_CONTROL (0x00020000) |
| 0x10000000 | ACCOUNT_VIEW \| ACCOUNT_ADJUST_PRIVILEGES \| ACCOUNT_ADJUST_QUOTAS \| ACCOUNT_ADJUST_SYSTEM_ACCESS \| DELETE \| READ_CONTROL \| WRITE_DAC \| WRITE_OWNER (0x000F000F) |

| ACCESS_MASK value to be translated | Translated to when used with secret object |
|---|---|
| 0x80000000 | SECRET_QUERY_VALUE \| READ_CONTROL (0x00020002) |
| 0x40000000 | SECRET_SET_VALUE \| READ_CONTROL (0x00020001) |
| 0x20000000 | READ_CONTROL (0x00020000) |
| 0x10000000 | SECRET_QUERY_VALUE \| SECRET_SET_VALUE \| DELETE \| READ_CONTROL \| WRITE_DAC \| WRITE_OWNER (0x000F0003) |

| ACCESS_MASK value to be translated | Translated to when used with trusted domain object |
|---|---|
| 0x80000000 | TRUSTED_QUERY_DOMAIN_NAME \| READ_CONTROL (0x00020001) |
| 0x40000000 | TRUSTED_SET_CONTROLLERS \| TRUSTED_SET_POSIX \| READ_CONTROL (0x00020014) |
| 0x20000000 | TRUSTED_QUERY_CONTROLLERS \| TRUSTED_QUERY_POSIX \| READ_CONTROL (0x0002000A) |
| 0x10000000 | TRUSTED_QUERY_DOMAIN_NAME \| TRUSTED_QUERY_CONTROLLERS \| TRUSTED_SET_CONTROLLERS \| TRUSTED_QUERY_POSIX \| TRUSTED_SET_POSIX \| TRUSTED_SET_AUTH \| TRUSTED_QUERY_AUTH \| DELETE \| READ_CONTROL \| WRITE_DAC \| WRITE_OWNER (0x000F007F) |
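
The translation described above can be checked mechanically when reviewing what a requested ACCESS_MASK actually grants. The following Python sketch is an added example, not part of the specification: it uses only the hexadecimal totals from the tables in this section, the function and dictionary names are hypothetical, and it assumes the four high-order bits are cleared once they have been translated.

```python
# Added example, not part of the specification; all names here are illustrative.
DELETE, READ_CONTROL = 0x00010000, 0x00020000
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
MAXIMUM_ALLOWED = 0x02000000
HIGH_BITS = 0xF0000000  # the four high-order bits that get translated
ALL_BIT = 0x10000000

# object type -> {high-order bit: translated mask}, totals copied from the tables
TRANSLATION = {
    "policy": {0x80000000: 0x00020006, 0x40000000: 0x000207F8,
               0x20000000: 0x00020801, 0x10000000: 0x000F0FFF},
    "account": {0x80000000: 0x00020001, 0x40000000: 0x0002000E,
                0x20000000: 0x00020000, 0x10000000: 0x000F000F},
    "secret": {0x80000000: 0x00020002, 0x40000000: 0x00020001,
               0x20000000: 0x00020000, 0x10000000: 0x000F0003},
    "trusted_domain": {0x80000000: 0x00020001, 0x40000000: 0x00020014,
                       0x20000000: 0x0002000A, 0x10000000: 0x000F007F},
}
STANDARD = {"DELETE": DELETE, "READ_CONTROL": READ_CONTROL,
            "WRITE_DAC": WRITE_DAC, "WRITE_OWNER": WRITE_OWNER}

def translate(mask, object_type):
    """Expand the high-order bits set in mask; other bits pass through."""
    table = TRANSLATION[object_type]  # KeyError for an unknown object type
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("ACCESS_MASK is a 32-bit value")
    # Assumption: translated bits are cleared from the resulting mask.
    result = mask & ~HIGH_BITS & 0xFFFFFFFF
    for bit, specific in table.items():
        if mask & bit:
            result |= specific
    return result

def standard_rights(mask, object_type):
    """Names of the all-object flags present after translation."""
    expanded = translate(mask, object_type)
    return [name for name, value in STANDARD.items() if expanded & value]

def only_via_all(object_type):
    """Bits granted by 0x10000000 that the other three bits never grant."""
    table = TRANSLATION[object_type]
    others = 0
    for bit, specific in table.items():
        if bit != ALL_BIT:
            others |= specific
    return table[ALL_BIT] & ~others

if __name__ == "__main__":
    for obj in TRANSLATION:
        print(obj, hex(translate(0xC0000000, obj)), hex(only_via_all(obj)))
```

For policy, account and secret objects, `only_via_all` returns just DELETE | WRITE_DAC | WRITE_OWNER. For trusted domain objects it also returns the low-order bits 0x60, consistent with TRUSTED_SET_AUTH and TRUSTED_QUERY_AUTH appearing only in the 0x10000000 row of that table.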