[ The PC Guide | Systems and Components Reference Guide | Hard Disk Drives | Hard Disk Logical Structures and File Systems | New Technology File System (NTFS) | NTFS Security and Permissions ]

NTFS Permissions

Access control lists (ACLs) are used to manage which users and groups of users are allowed to access different files and folders (objects) within NTFS volumes. These ACLs contains entries that specify what rights each user or group has for the object in question. These access rights are called permissions.

When Windows NT was built, six different permission types were created for NTFS objects. The NT user interface was designed to allow these permissions to be associated with objects. Each permission type controls a different kind of access to an object, and each has an abbreviation letter. These permission types are sometimes called special permissions, to differentiate them from standard permission groups that are applied at a higher level.

In some cases, the meaning of a permission is the same for both files and directories (folders); in others, the meaning is different, depending on if the permission is applied to a folder or a file. This table shows the different NT permissions and how they apply to folders and files:

Permission Type

Abbreviation Letter

Permission Granted For Files

Permission Granted For Folders

Read

R

Read file contents

Read folder contents

Write

W

Change file contents

Change folder contents (create new files or subfolders)

Execute

X

Execute (run) a program file

Traverse subfolder structures of folder

Delete

D

Delete file

Delete directory

Change Permissions

P

Change file's permission settings

Change folder's permission settings

Take Ownership

O

Take file ownership

Take folder ownership

Note: There is also one other fundamental permission type: Delete Subfolders and Files. This permission, when applied to a parent folder, allows a user to delete files and subfolders within it, even if they do not have delete permission on those files and subfolders. Under Windows NT this permission type cannot be individually applied to folders. It is only available as part of the "Full Control" standard permission group.

Until Windows 2000 was released, these six basic permissions were the lowest level that an NTFS user could access. When Windows 2000 was introduced, the six permission types above were "broken down" into 13 different permission components, to allow for more "fine-tuned" control over different kinds of access. While some people believe this "breaking down" was part of Windows 2000, in fact, these 13 components have always been present in NTFS! Under Windows NT, they were just hidden under the six permission types above. The table below lists the different permission components and shows how they correlate to the six Windows NT permission types:

Permission Components (Windows 2000 and Windows NT 4.0 SCM)

Permission Types (Windows NT)

Read (R)

Write (W)

Execute (X)

Delete (D)

Change Permissions (P)

Take Ownership (O)

Traverse Folder /
Execute File

 

 

Yes

 

 

 

List Folder /
Read Data

Yes

 

 

 

 

 

Read Attributes

Yes

 

Yes

 

 

 

Read Extended Attributes

Yes

 

 

 

 

 

Create Files /
Write Data

 

Yes

 

 

 

 

Create Folders /
Append Data

 

Yes

 

 

 

 

Write Attributes

 

Yes

 

 

 

 

Write Extended Attributes

 

Yes

 

 

 

 

Delete Subfolders and Files

 

 

 

 

 

 

Delete

 

 

 

Yes

 

 

Read Permissions

Yes

Yes

Yes

 

 

 

Change Permissions

 

 

 

 

Yes

 

Take Ownership

 

 

 

 

 

Yes

A few notes about this table:

  • Some of the permission components are "combination" permissions; they are illustrated by having two different names, such as "Create Files / Write Data". For these, the first term explains how the permission works when it is applied to a folder, and the second describes its application to a file. As the first table on this page shows, this sort of "double meaning" has been present since the start, but the new names just make it more explicit.
  • Delete Subfolders and Files can now be applied as an individual permission to folders.
  • There is actually a 14th permission component, called Synchronize. This permission is used to control synchronization of access to file or folder handles for multithreaded applications. It is sort of a "different bird" from the other permissions, which is why I mostly ignore it. :^)

As you can see, Windows 2000 gives you much more "granularity" of control over individual permissions. The Read, Write and Execute permissions have been broken down into several components. Of course, it's pretty unusual for someone to really need control this fine over most objects. (For example, how often do you think you would want to give permission to someone to write data but not append data to a file? Not frequently.) In fact, even the six Windows NT "special permissions" are often more detail than is really necessary. For convenience, Windows provides several pre-defined standard permission groups to allow commonly-desired sets of permissions to be applied to files and folders quickly.

Tip: The finer permissions granularity introduced with Windows 2000 are also available to Windows NT 4.0 users who have installed Service Pack 4 or later, through the Security Configuration Manager (SCM).

Next: Standard Permission Groups

Home  -  Search  -  Topics  -  Up

The PC Guide (http://www.PCGuide.com)
Site Version: 2.2.0 - Version Date: April 17, 2001
© Copyright 1997-2004 Charles M. Kozierok. All Rights Reserved.

Not responsible for any loss resulting from the use of this site.
Please read the Site Guide before using this material.