Parts of the Access Control Model
There are two basic parts of the access control model:
- Access tokens, which contain information about a logged-on user
- Security descriptors, which contain the security information that protects a securable object
When a user logs on, the system authenticates the user's account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this user will have a copy of this access token. The access token contains security identifiers that identify the user's account and any group accounts to which the user belongs. The token also contains a list of the privileges held by the user or the user's groups. The system uses this token to identify the associated user when a process tries to access a securable object or perform a system administration task that requires privileges.
When a securable object is created, the system assigns it a security descriptor that contains security information specified by its creator, or default security information if none is specified. Applications can use functions to retrieve and set the security information for an existing object.
A security descriptor identifies the object's owner and can also contain the following access control lists:
- A discretionary access control list (DACL) that identifies the users and groups allowed or denied access to the object
- A system access control list (SACL) that controls how the system audits attempts to access the object
An ACL contains a list of access control entries (ACEs). Each ACE specifies a set of access rights and contains a SID that identifies a trustee for whom the rights are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.
Use functions to manipulate the contents of security descriptors, SIDs, and ACLs rather than accessing them directly. This helps ensure that these structures remain syntactically accurate and prevents future enhancements to the security system from breaking existing code.
The following topics provide information about parts of the access control model:
- Access Tokens
- Security Descriptors
- Access Control Lists
- Access Control Entries
- Access Rights and Access Masks
- How AccessCheck Works
- Centralized Authorization Policy
- Security Identifiers