5.1.3.3.4 Checking Control Access Right-Based Access

When evaluating the right to perform an operation that is controlled by a control access right identified by the GUID value G, use the following rules to determine the authorization for the requester's security context:

  1. If the security descriptor has no DACL or its "DACL Present" (DP) bit is not set, then grant the requester the requested control access right.

  2. If the DACL does not have any ACE, then deny the requester the requested control access right.

  3. Evaluate the DACL by examining each ACE in sequence, starting with the first ACE. Perform the following sequence of actions for each ACE in the order as shown. Let the ACCESS_MASK field of the ACE have a value M.

    1. If the "Inherit Only" (IO) flag is set in the ACE, skip the ACE.

    2. If the SID in the ACE does not match any SID in the requester's security context, skip the ACE.

    3. If the ACE type is "Object Access Allowed", the access right RIGHT_DS_CONTROL_ACCESS (CR) is present in M, and the ObjectType field in the ACE is not present, then grant the requested control access right. Stop any further access checks.

    4. If the ACE type is "Object Access Allowed", the access right RIGHT_DS_CONTROL_ACCESS (CR) is present in M, and the ObjectType field in the ACE contains a GUID value equal to G, then grant the requested control access right. Stop any further access checks.

    5. If the ACE type is "Object Access Denied", the access right RIGHT_DS_CONTROL_ACCESS (CR) is present in M, and the ObjectType field in the ACE is not present, then deny the requested control access right. Stop any further access checks.

    6. If the ACE type is "Object Access Denied", the access right RIGHT_DS_CONTROL_ACCESS (CR) is present in M, and the ObjectType field in the ACE contains a GUID value equal to G, then deny the requested control access right. Stop any further access checks.
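The rules above, carried through as an added worked example; this is illustration code written for this page, not code from the specification or from any directory implementation. It implements rules 1, 2 and 3.1 through 3.6 exactly as listed and then exercises each of them against constructed DACLs. The ACE and security descriptor classes, the SIDs and the token are assumptions made for the example; the two GUIDs are the real rightsGuid values of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights, used so that G is a realistic value. The list on this page ends at sub-step 6 and does not say what happens when the DACL is exhausted without a grant or deny, so the example treats that case as deny; that default is an assumption and is marked as such in the code.

```python
"""Control access right check following rules 1-3.6 above.

Added example for this page; not MS-ADTS or Active Directory code.
SIDs, token and DACLs below are constructed for the demonstration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence
import uuid

RIGHT_DS_CONTROL_ACCESS = 0x00000100  # the CR bit of ACCESS_MASK
RIGHT_DS_READ_PROP = 0x00000010       # an unrelated right, used to show CR is required
INHERIT_ONLY_ACE = 0x08               # the IO bit of AceFlags

# Real control access right GUIDs, so that G is a realistic value.
DS_REPLICATION_GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
DS_REPLICATION_GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")


class AceType(Enum):
    OBJECT_ACCESS_ALLOWED = "Object Access Allowed"
    OBJECT_ACCESS_DENIED = "Object Access Denied"


@dataclass(frozen=True)
class Ace:                      # assumed minimal ACE model
    ace_type: AceType
    sid: str
    mask: int                   # M in the rules
    flags: int = 0
    object_type: Optional[uuid.UUID] = None  # None: ObjectType field not present


@dataclass(frozen=True)
class SecurityDescriptor:       # assumed minimal SD model
    dacl_present: bool          # the DP control bit
    dacl: Optional[Sequence[Ace]]  # None models a NULL DACL, [] an empty DACL


def check_control_access(sd: SecurityDescriptor, token_sids: Sequence[str],
                         g: uuid.UUID) -> bool:
    """True if the control access right G is granted to a token holding token_sids."""
    if not sd.dacl_present or sd.dacl is None:   # rule 1: no DACL -> grant
        return True
    if len(sd.dacl) == 0:                        # rule 2: empty DACL -> deny
        return False
    token = set(token_sids)
    for ace in sd.dacl:                          # rule 3: first deciding ACE wins
        if ace.flags & INHERIT_ONLY_ACE:         # 3.1: inherit-only ACEs are skipped
            continue
        if ace.sid not in token:                 # 3.2: SID must be in the context
            continue
        if not ace.mask & RIGHT_DS_CONTROL_ACCESS:
            continue                             # 3.3-3.6 all require CR in M
        if ace.object_type is not None and ace.object_type != g:
            continue                             # scoped to a different right
        # 3.3/3.4 grant, 3.5/3.6 deny; in both cases stop further checks
        return ace.ace_type is AceType.OBJECT_ACCESS_ALLOWED
    # Assumption: the rules on this page do not cover reaching the end of the
    # DACL without a decision; this example treats that as deny.
    return False


# Constructed SIDs and token for the scenarios below.
USER = "S-1-5-21-1000-2000-3000-1105"
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
OTHER_USER = "S-1-5-21-1000-2000-3000-1106"
TOKEN = [USER, DOMAIN_USERS]


def allow(sid, g=None, flags=0, mask=RIGHT_DS_CONTROL_ACCESS):
    return Ace(AceType.OBJECT_ACCESS_ALLOWED, sid, mask, flags, g)


def deny(sid, g=None, flags=0, mask=RIGHT_DS_CONTROL_ACCESS):
    return Ace(AceType.OBJECT_ACCESS_DENIED, sid, mask, flags, g)


def scenarios() -> dict:
    """Outcome of each rule on a constructed DACL; keys name the rule exercised."""
    def chk(aces, g=DS_REPLICATION_GET_CHANGES):
        return check_control_access(SecurityDescriptor(True, aces), TOKEN, g)

    gc, gca = DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL
    return {
        "null_dacl": check_control_access(SecurityDescriptor(False, None), TOKEN, gc),
        "empty_dacl": chk([]),
        "scoped_match": chk([allow(USER, gc)], gc),          # 3.4: same GUID -> grant
        "scoped_other": chk([allow(USER, gc)], gca),         # scoped ACE ignored for gca
        "unscoped_allow": chk([allow(DOMAIN_USERS)], gca),   # 3.3: no ObjectType -> any G
        "inherit_only": chk([allow(USER, None, INHERIT_ONLY_ACE)]),
        "foreign_sid": chk([allow(OTHER_USER)]),
        "no_cr_bit": chk([allow(USER, mask=RIGHT_DS_READ_PROP)]),
        "allow_before_deny": chk([allow(USER), deny(DOMAIN_USERS)]),  # deny never reached
        "deny_before_allow": chk([deny(DOMAIN_USERS), allow(USER)]),  # group deny wins
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:20s} {'GRANT' if granted else 'DENY'}")
```

Two points the scenarios make concrete. A security descriptor with no DACL is the most permissive state, not the most restrictive one: rule 1 grants every control access right to everyone, while an empty DACL denies all of them. And because evaluation stops at the first ACE that decides, ACE order is part of the policy: the same allow and deny ACEs produce opposite answers depending on which comes first, and an allow ACE carrying CR with no ObjectType covers every control access right, not only the one the author had in mind.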