Conflicts Between Privileges and Permissions

  • Article

For the most part, conflicts between privileges and permissions occur only in situations where the rights required to administer a system overlap the rights of resource ownership. When rights conflict, a privilege overrides a permission.

For example, one common administrative task is backing up files and folders. In order to do its job, backup software must be able to traverse all folders in an NTFS volume, list the contents of each folder, read the attributes of every file, and read data in any file that has its archive attribute set. It would not be practical to arrange this access by coordinating with the owner of every file and folder, so the required rights are included in the Back up files and directories (SeBackupPrivilege) privilege , which is assigned by default to two built-in groups: Administrators and Backup Operators. Any user who has this privilege can access all files and folders on the computer for the purpose of backing up the system. The privilege does not give a user the right to access files and folders for any other purpose. A backup operator cannot, for example, use a word processor to open a file if the owner has not granted the backup operator permission to do so.

The ability to take ownership of files and other objects is another case where an administrator's need to maintain the system takes priority over an owner's right to control access. Normally, you can take ownership of an object only if its current owner gives you permission to do so. Owners of NTFS objects can allow another user to take ownership by granting the other user Take Ownership permission. Owners of Active Directory objects can do the same thing by granting another user Modify Owner permission. If the current owner gives you permission, and you do take ownership, you can do whatever you want with the object. You can even deny the previous owner access to it. For this reason, owners are understandably reluctant to give Take Ownership or Modify Owner permission to anyone. However, the people who own objects do sometimes change jobs or leave the company altogether, and they do not always take care to give another user permission to take ownership of resources they leave behind. This is exactly the type of situation for which the Take ownership of files or other objects (SeTakeOwnershipPrivilege) privilege is intended. A user who has this privilege can take ownership of an object without the current owner's permission. By default, the privilege is assigned only to the built-in Administrators group. Used correctly, it allows an administrator to take ownership of an abandoned resource and then transfer ownership by granting another user Take Ownership or Modify Owner permission.