[ The PC Guide | Systems and Components Reference Guide | Hard Disk Drives | Hard Disk Logical Structures and File Systems | New Technology File System (NTFS) | NTFS Security and Permissions ]
Standard Permission Groups
Windows NT provides a set of six individual permissions for controlling access to files and folders. Windows 2000 refines these individual permissions even further, into a set of over a dozen different permission components. These NTFS permissions allow for fine control of the access rights of users and groups to NTFS objects, but in many cases they are "overkill". To force administrators to always deal with these fine-grained permissions would be a time-consuming chore.
To avoid the necessity of always setting low-level permissions, Windows defines standard permission groups. These are simply collections of the low-level permissions that are given names and can be applied to objects. When you use a permission group, all the components contained in the group are applied to the object automatically.
First, let's look at the standard permission groups for Windows NT:
Standard Permission Group |
Object Types Affected |
Permission
Types Granted |
Description |
|||||
Read (R) |
Write (W) |
Execute (X) |
Delete (D) |
Change Permissions (P) |
Take Ownership (O) |
|||
No Access |
Folders or Files |
Denies all access to the file or folder. The user can see the name of the object, but cannot do anything with it. |
||||||
List |
Folders Only |
 |
|
Users can see the list of files in the folder and traverse subfolders, but cannot view or execute files. |
||||
Read |
Folders or Files |
|
|
Users can read files and folders, execute files and traverse folders, but cannot change anything. |
||||
Add |
Folders Only |
|
|
Users can add files or subfolders to the folder, and can traverse subfolders, but cannot read or execute files. |
||||
Add & Read |
Folders Only |
|
|
|
Users can add files or subfolders to the folder, and can read and execute files in the folder as well. |
|||
Change |
Folders or Files |
|
|
|
|
The user can read, write, execute or delete the file, or if applied to a folder, the files and subfolders within the folder. Note that this does not grant access to delete the folder itself. The user also cannot change permissions on the file or folder, or take ownership of it. |
||
Full Control |
Folders or Files |
|
|
|
|
|
|
All permissions are granted. This also includes the special permission "Delete Subfolders and Files", which can only be given through the "Full Control" group under Windows NT. |
Well, that table is probably a bit overwhelming at first glance, but it's not all that confusing if you consider it carefully. Under Windows NT, applying the permission group gives the users the permission types indicated by the checkmarks. Note that the checkmarks apply only to the object type specified. Of particular note, "Add & Read" grants the write permission to the folder, but not to the files contained within the folder. Also, the "No Access" group is a "trump card" of sorts; it will override other permission settings. See the discussions of permission settings and inheritance for more on how permission conflicts are addressed.
Under the more advanced Windows 2000 scheme, there are 13 different permission components, which are collected into six different standard groups, as the table below illustrates:
Permission Components (Windows 2000 and Windows NT 4.0 SCM) |
Standard Permission Groups (Windows 2000 and Windows NT 4.0 SCM) |
|||||
Read |
Write |
List Folder Contents |
Read and Execute |
Modify |
Full Control |
|
Traverse Folder / |
|
|
|
|
||
List Folder / |
|
|
|
|
|
|
Read Attributes |
|
|
|
|
|
|
Read Extended Attributes |
|
|
|
|
|
|
Create Files / |
|
|
|
|||
Create Folders / |
|
|
|
|||
Write Attributes |
|
|
|
|||
Write Extended Attributes |
|
|
|
|||
Delete Subfolders and Files |
|
|||||
Delete |
|
|
||||
Read Permissions |
|
|
|
|
|
|
Change Permissions |
|
|||||
Take Ownership |
|
|||||
Notes: "List Folder
Contents" and "Read and Execute" have the same permission components, which
is a bit confusing. The differences between them have to do with how NTFS handles
inheritance of these permissions. "List Folder Contents" is only used for
folders and is not inherited by files within the folder. "Read and Execute"
applies to folders and files and is inherited by both. Also, the oddball, 14th permission
component, "Synchronize", is a member of all of the groups above.
You may notice, in looking at this table, that the "No Access" group is missing under the Windows 2000 scheme. In Windows NT, all permission groups except "No Access" provide "positive access"--saying, in effect, "you are allowed" to do something. "No Access" is the only one that says "you are not allowed" to do something. Unfortunately, it is very broad; it really says "you cannot do anything". This inflexibility was corrected under Windows 2000 by giving users the ability to allow or disallow any permission group or individual permission. Under this setup, "No Access" simply isn't required. See the discussion of permission assignment for more information on this.
Next: Ownership and Permission Assignment
| The PC Guide
(http://www.PCGuide.com) Site Version: 2.2.0 - Version Date: April 17, 2001 © Copyright 1997-2004 Charles M. Kozierok. All Rights Reserved. |
Not responsible for any loss resulting from the use of this site. Please read the Site Guide before using this material. |