Access Rights

An access right is the right to perform a particular operation on an object. For example, the FILE_READ_DATA access right specifies the right to read from a file.

When you open a handle to an object, you specify a set of access rights corresponding to the operations that may be performed on the object. The system checks the specified access rights against the object's security descriptor to see if each operation is permitted for the current user. (For more information, see Security Descriptors.)

Access rights come in two types:

  • A specific access right is a right to perform a single operation. Specific access rights can depend on the type of object.

  • A generic access right is a right to perform one of a set of similar operations. Generic access rights are independent of the type of object.

Standard access rights are specific access rights that apply to all types of objects. For example, the DELETE access right is the right to delete an object, regardless of type. For more information about the available standard access rights, see ACCESS_MASK.

Objects also have specific access rights that depend on the type of the object. For example, the FILE_READ_DATA access right represents the right to read from a file, while the KEY_QUERY_VALUE access right represents the right to read the value entries for a registry key.

An object type can have zero, one, or more access rights that correspond to the general notion of reading from or writing to an object. For example, in addition to FILE_READ_DATA, file objects have the FILE_READ_ATTRIBUTES access right, which represents the right to read a file's metadata (such as file creation time). Key objects have both KEY_QUERY_VALUE and KEY_ENUMERATE_SUB_KEYS; the latter represents the right to read the subkeys of a key.

To simplify specifying all access rights that correspond to a general notion such as reading or writing, the system provides generic access rights. The system maps a generic access right to the appropriate set of specific access rights for the object.

The system provides the following generic access rights:

  • GENERIC_READ

  • GENERIC_WRITE

  • GENERIC_EXECUTE

  • GENERIC_ALL

Thus, the system maps GENERIC_READ to a set of rights that includes FILE_READ_DATA and FILE_READ_ATTRIBUTES for a file, and KEY_QUERY_VALUE and KEY_ENUMERATE_SUB_KEYS for a key. For more information about each generic access right, see ACCESS_MASK.
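
The generic-to-specific mapping described above can be modeled in portable C. This is an added example, not code from the original page: the generic_mapping type and the map_generic_mask and access_allowed helpers are hypothetical names (on Windows, the MapGenericMask and RtlMapGenericMask routines perform this mapping), the constant values are those in the Windows headers, and the granted mask is a simplified stand-in for the outcome of the security-descriptor check.

```c
#include <stdint.h>
#include <stdio.h>
/* Values as defined in the Windows SDK/WDK headers (winnt.h / wdm.h). */
#define GENERIC_READ            0x80000000u
#define GENERIC_WRITE           0x40000000u
#define GENERIC_EXECUTE         0x20000000u
#define GENERIC_ALL             0x10000000u
#define READ_CONTROL            0x00020000u  /* standard right */
#define SYNCHRONIZE             0x00100000u  /* standard right */
#define FILE_READ_DATA          0x0001u
#define FILE_READ_EA            0x0008u
#define FILE_READ_ATTRIBUTES    0x0080u
#define KEY_QUERY_VALUE         0x0001u
#define KEY_ENUMERATE_SUB_KEYS  0x0008u
#define KEY_NOTIFY              0x0010u

/* Hypothetical type with the same four fields as the system's GENERIC_MAPPING. */
typedef struct { uint32_t read, write, execute, all; } generic_mapping;

/* Per-type tables; the hex composites are FILE_GENERIC_WRITE/EXECUTE, FILE_ALL_ACCESS, KEY_WRITE/EXECUTE/ALL_ACCESS. */
static const generic_mapping FILE_MAPPING = {
    READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES,
    0x00120116u, 0x001200A0u, 0x001F01FFu
};
static const generic_mapping KEY_MAPPING = {
    READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY,
    0x00020006u, 0x00020019u, 0x000F003Fu
};

/* Replace each generic bit in mask with the specific rights it maps to for this object type. */
uint32_t map_generic_mask(uint32_t mask, const generic_mapping *m) {
    if (mask & GENERIC_READ)    mask |= m->read;
    if (mask & GENERIC_WRITE)   mask |= m->write;
    if (mask & GENERIC_EXECUTE) mask |= m->execute;
    if (mask & GENERIC_ALL)     mask |= m->all;
    return mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* Simplified check (assumption): every mapped right in desired must be present in granted. */
int access_allowed(uint32_t desired, uint32_t granted, const generic_mapping *m) {
    return (map_generic_mask(desired, m) & ~granted) == 0;
}

int main(void) {
    printf("file GENERIC_READ -> 0x%08X\n", (unsigned)map_generic_mask(GENERIC_READ, &FILE_MAPPING));
    printf("key  GENERIC_READ -> 0x%08X\n", (unsigned)map_generic_mask(GENERIC_READ, &KEY_MAPPING));
    return 0;
}
```

GENERIC_READ on a file expands to more than FILE_READ_DATA and FILE_READ_ATTRIBUTES (it also carries READ_CONTROL, SYNCHRONIZE and FILE_READ_EA), so a caller granted only those two rights fails a GENERIC_READ request but passes a FILE_READ_DATA request.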