Access Masks

Every ACE carries an access mask -- a 32-bit integer where each bit represents a specific right. The same 32-bit layout is used in three contexts: the ACE's mask (what the rule grants or denies), the requested access (what the caller asks for), and the granted access (what AccessCheck returns).

§5.2.1 Bit layout #

The 32 bits are divided into four regions:

§5.2.1.1 Object-specific rights (bits 0--15) #

Defined by the object type. Different object types assign different meanings to these bits. A file uses bits for read, write, append, execute; a registry key uses bits for query value, set value, create subkey; a token uses bits for query, duplicate, impersonate. Each subsystem defines its own mapping.

§5.2.1.2 Standard rights (bits 16--20) #

Common to all object types:

§5.2.1.3 Special rights (bits 24--25) #

§5.2.1.4 Generic rights (bits 28--31) #

Abstract rights mapped to object-specific rights before evaluation:

§5.2.1.5 Reserved bits #

Bits 21--23 and 26--27 are reserved and MUST NOT be used.

§5.2.2 Generic mapping #

Generic rights exist because SDs need to be portable across object types. A central access policy might say "allow GENERIC_READ on all objects" -- and GENERIC_READ means different specific bits for files versus registry keys.

Each object type defines a GenericMapping table:

Generic mapping happens once, at request time. AccessCheck MUST map any generic bits in the desired mask to object-specific bits using the object type's GenericMapping table, then clear the generic bits. The DACL walk operates exclusively on specific and standard bits.