2.5.3 Security Descriptor Algorithms

The security descriptor is the basis for specifying the security associated with an object. The client makes a request to the server that indicates a particular requested access, and the server that "owns" the object is responsible for verifying that a client has sufficient access to the object in order to open or manipulate the object. In order to create a server that maintains the same guarantees of authorization to clients, the access check algorithm has to produce the same results.

The algorithms are straightforward, but are best served by extracting certain support functions out of the main path of the algorithm for clarity. These support functions are documented in the first section.

Note: For more information about tokens in Windows, see [MSDN-ACCTOKENS].

When creating new objects, the security descriptor from the parent container of the new object is used as the template for the security descriptor of the new object.
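The following is an added illustration of the two ideas this section describes, the ordered access check against a DACL and the use of a parent container's descriptor as the template for a new object; it is not the algorithm text from the specification or any Microsoft code. It keeps only the rules needed to see why the evaluation order matters (a matching deny ACE stops the walk, allow ACEs accumulate granted bits, an empty DACL grants nothing, a null DACL grants everything). The access-mask bits, the `inheritable` flag on the ACE and the user SID `S-1-5-21-1-2-3-1001` are constructed for the example; the Administrators and Everyone SIDs are the well-known values.

```python
"""Simplified model of a Windows-style access check and DACL inheritance.

Constructed illustration, not the MS-DTYP algorithm itself: ACEs are
evaluated in order, a DENY that overlaps the still-needed bits fails the
check, ALLOW ACEs accumulate granted bits, an empty DACL grants nothing and
a null DACL grants everything. Inheritance copies only the parent's
inheritable ACEs into the child's DACL.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical access-mask bits for the example (real masks are 32-bit
# values whose meaning is defined per object type).
READ = 0x1
WRITE = 0x2
DELETE = 0x4

ALLOW = "ALLOW"
DENY = "DENY"

ADMINS = "S-1-5-32-544"        # well-known BUILTIN\Administrators SID
EVERYONE = "S-1-1-0"           # well-known Everyone SID
ALICE = "S-1-5-21-1-2-3-1001"  # constructed user SID for the example


@dataclass
class Ace:
    kind: str                  # ALLOW or DENY
    sid: str                   # trustee the ACE applies to
    mask: int                  # access bits this ACE grants or denies
    inheritable: bool = False  # whether child objects receive a copy


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]] = None  # None models a null DACL (no protection)


def access_check(sd: SecurityDescriptor, token_sids: Set[str], requested: int) -> bool:
    """Return True when every bit in `requested` is granted to the token.

    Walks the DACL in order. A DENY ACE for one of the token's SIDs that
    overlaps the bits still needed fails the check immediately; ALLOW ACEs
    remove bits from the remaining set until nothing is left to grant.
    """
    if sd.dacl is None:
        return True                      # null DACL: everything is granted
    remaining = requested
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue                     # ACE does not apply to this token
        if ace.kind == DENY and ace.mask & remaining:
            return False                 # explicit deny on a needed bit
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True              # all requested bits granted
    # Empty DACL or no matching ALLOW: denied unless nothing was requested.
    return remaining == 0


def create_child_descriptor(parent: SecurityDescriptor, creator_sid: str) -> SecurityDescriptor:
    """Build a new object's descriptor from its parent container's descriptor.

    Only ACEs marked inheritable are copied; the parent's non-inheritable
    ACEs (such as the Administrators ACE below) do not reach the child.
    """
    if parent.dacl is None:
        return SecurityDescriptor(owner=creator_sid, dacl=None)
    inherited = [Ace(a.kind, a.sid, a.mask, a.inheritable)
                 for a in parent.dacl if a.inheritable]
    return SecurityDescriptor(owner=creator_sid, dacl=inherited)


# Constructed parent container: Alice is denied DELETE ahead of the
# Everyone allow, so ordering decides the outcome.
PARENT = SecurityDescriptor(owner=ADMINS, dacl=[
    Ace(DENY, ALICE, DELETE, inheritable=True),
    Ace(ALLOW, EVERYONE, READ, inheritable=True),
    Ace(ALLOW, ADMINS, READ | WRITE | DELETE, inheritable=False),
])


def demo() -> dict:
    """Run the checks a practitioner would want to see side by side."""
    child = create_child_descriptor(PARENT, ALICE)
    return {
        "alice_read": access_check(PARENT, {ALICE, EVERYONE}, READ),
        "alice_read_delete": access_check(PARENT, {ALICE, EVERYONE}, READ | DELETE),
        "admin_write_parent": access_check(PARENT, {ADMINS, EVERYONE}, WRITE),
        "admin_write_child": access_check(child, {ADMINS, EVERYONE}, WRITE),
        "empty_dacl_read": access_check(SecurityDescriptor(ADMINS, dacl=[]), {EVERYONE}, READ),
        "null_dacl_read": access_check(SecurityDescriptor(ADMINS, dacl=None), {EVERYONE}, READ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `admin_write_child` case is the one to note: the Administrators ACE on the container is not inheritable, so an object created under it carries only the deny and the Everyone read ACE, and a server that rebuilt the child's descriptor any other way would reach a different answer than the one the client was promised.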