What Are Permissions?
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
What Are Permissions?
In this section
Permissions are a key component of the Windows Server 2003 security architecture that you can use to manage the process of authorizing users, groups, and computers to access objects on a network.
Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows Server 2003 is called discretionary access control.
Permissions are different from user rights in that permissions are attached to objects and user rights apply to user accounts. Administrators use user rights (also known as privileges) to assign specific privileges and logon rights to groups or users. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories.
On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
Permissions are expressed in the security architecture as access control entries (ACEs). The following figure shows the relationship of permissions to other key components of the authorization and access control model.
The Role of Permissions (as ACEs) in the Authorization and Access Control Model
Technologies Related to Permissions
Permissions are closely related to the following technologies and security components.
File systems (FAT and NTFS)
The file system determines how files on a volume are named, stored, and organized. A file system manages files and folders and the information that is needed by local and remote users to locate and access these items.
A security principal can be a user or computer account or a group of these accounts — that is, any entity that the security system recognizes. User accounts can be used by human users as well as by autonomous processes. Permissions to access objects such as Active Directory objects, files, and registry settings are granted to security principals.
After a user logs on and is authenticated, the system creates an access token for the user that contains the security identifier (SID) of the user and the SIDs of all the domain groups that the user is a member of. Every process that the user creates contains the user’s access token, which is then used to determine whether to grant that user access to a system resource in a given logon session.
Security descriptors and access control lists
If permissions are configured for an object, the object’s security descriptor contains a discretionary access control list (DACL) with SIDs for the users and groups who are allowed or denied access.
The following resources contain additional information that is relevant to this section: