MS Access Mask

Overview#

MS Access Mask is a component of an Access Control Entry: a 32-bit Bitmask value whose bits correspond to the access rights supported by an object.

All Microsoft Windows Securable objects use an MS Access Mask format that includes bits for the types of access Permission described below.

MS Access Mask Format#

All Securable objects use the access mask format shown as follows:

[Figure: MS Access Mask format diagram (MS Access Mask/ms-accctrl4.png)]

In this format,

  • the low-order 16 bits are for object-specific access rights,
  • the next 8 bits are for standard access rights, which apply to most types of objects,
  • the 4 high-order bits are used to specify generic access rights that each object type can map to a set of standard and object-specific rights, and
  • the ACCESS_SYSTEM_SECURITY bit corresponds to the right to access the object's SACL.

MS Access Mask and Microsoft Active Directory#

Microsoft Active Directory uses the same basic Access Control Model-Microsoft Windows for Access Control where each Microsoft Active Directory Securable object has a Security Descriptor assigned to it. A set of trustee permissions (MS Access Mask) can be set within these Security Descriptors. These permissions are listed in the following table:
||Rights||Meaning
|ACTRL_DS_OPEN|Open a DS object.
|ACTRL_DS_CREATE_CHILD|Create a child DS object.
|ACTRL_DS_DELETE_CHILD|Delete a child DS object.
|ACTRL_DS_LIST|Enumerate a DS object.
|ACTRL_DS_READ_PROP|Read the properties of a DS object.
|ACTRL_DS_WRITE_PROP|Write properties for a DS object.
|ACTRL_DS_SELF|Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object, or it can be combined with an identifier of a specific validated right to perform only that check.
|ACTRL_DS_DELETE_TREE|Delete a tree of DS objects.
|ACTRL_DS_LIST_OBJECT|List a tree of DS objects.
|ACTRL_DS_CONTROL_ACCESS|Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object, or it can be combined with an identifier of a specific extended right to perform only that check.
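To make the mask layout from the format section and the directory rights in the table above concrete, the following is an added Python example (not code from this wiki or from Microsoft) that splits a 32-bit mask into its three fields and names the Active Directory bits. The numeric bit values are taken from the Windows SDK headers (winnt.h, accctrl.h), which the page itself does not list.

```python
# Added example (not from the wiki page): split a 32-bit Windows access mask into
# the three fields described above and name the bits for an Active Directory
# object. Bit values are from the Windows SDK headers (winnt.h, accctrl.h).

OBJECT_SPECIFIC_MASK = 0x0000FFFF    # bits 0-15: object-specific rights
STANDARD_MASK = 0x00FF0000           # bits 16-23: standard rights
GENERIC_MASK = 0xF0000000            # bits 28-31: generic rights
ACCESS_SYSTEM_SECURITY = 0x01000000  # bit 24: right to access the SACL

# Object-specific rights of directory objects; ACTRL_DS_OPEN is 0 and sets no bit.
DS_RIGHTS = {
    0x00000001: "ACTRL_DS_CREATE_CHILD", 0x00000002: "ACTRL_DS_DELETE_CHILD",
    0x00000004: "ACTRL_DS_LIST", 0x00000008: "ACTRL_DS_SELF",
    0x00000010: "ACTRL_DS_READ_PROP", 0x00000020: "ACTRL_DS_WRITE_PROP",
    0x00000040: "ACTRL_DS_DELETE_TREE", 0x00000080: "ACTRL_DS_LIST_OBJECT",
    0x00000100: "ACTRL_DS_CONTROL_ACCESS",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
GENERIC_RIGHTS = {
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
KNOWN_BITS = (sum(DS_RIGHTS) | sum(STANDARD_RIGHTS) | sum(GENERIC_RIGHTS)
              | ACCESS_SYSTEM_SECURITY)

def split_mask(mask):
    """Return (object_specific, standard, generic) fields as right-aligned ints."""
    mask &= 0xFFFFFFFF
    return (mask & OBJECT_SPECIFIC_MASK, (mask & STANDARD_MASK) >> 16,
            (mask & GENERIC_MASK) >> 28)

def decode_mask(mask):
    """Name every set bit; bits missing from the tables are reported, not dropped."""
    mask &= 0xFFFFFFFF
    names = [name for table in (DS_RIGHTS, STANDARD_RIGHTS, GENERIC_RIGHTS)
             for bit, name in table.items() if mask & bit]
    if mask & ACCESS_SYSTEM_SECURITY:
        names.append("ACCESS_SYSTEM_SECURITY")
    if mask & ~KNOWN_BITS:
        names.append(f"UNKNOWN_0x{mask & ~KNOWN_BITS:08X}")
    return names

def can_rewrite_security(mask):
    """Audit aid: True if the trustee can change the DACL or owner directly
    (WRITE_DAC, WRITE_OWNER) or through GENERIC_ALL, which maps to every right."""
    return bool(mask & (0x00040000 | 0x00080000 | 0x10000000))
```

When reviewing ACEs pulled from a directory, run each mask through decode_mask and can_rewrite_security; an unexpected WRITE_DAC, WRITE_OWNER or GENERIC_ALL on a sensitive object is the kind of entry an audit should flag.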
