Skip to main content

How security descriptors are used to apply file and folder security

Contributors netapp-thomi netapp-ahibbard

Security descriptors contain the access control lists that determine what actions a user can perform on files and folders, and what is audited when a user accesses files and folders.

  • Permissions

    Permissions are allowed or denied by an object's owner and determine what actions an object (users, groups, or computer objects) can perform on specified files or folders.

  • Security descriptors

    Security descriptors are data structures that contain security information that define permissions associated with a file or folder.

  • Access control lists (ACLs)

    Access control lists are the lists contained within a security descriptor that contain information on what actions users, groups, or computer objects can perform on the file or folder to which the security descriptor is applied. The security descriptor can contain the following two types of ACLs:

    • Discretionary access control lists (DACLs)

    • System access control lists (SACLs)

  • Discretionary access control lists (DACLs)

    DACLs contain the list of SIDS for the users, groups, and computer objects who are allowed or denied access to perform actions on files or folders. DACLs contain zero or more access control entries (ACEs).

  • System access control lists (SACLs)

    SACLs contain the list of SIDS for the users, groups, and computer objects for which successful or failed auditing events are logged. SACLs contain zero or more access control entries (ACEs).

  • Access Control Entries (ACEs)

    ACEs are individual entries in either DACLs or SACLs:

    • A DACL access control entry specifies the access rights that are allowed or denied for particular users, groups, or computer objects.

    • A SACL access control entry specifies the success or failure events to log when auditing specified actions performed by particular users, groups, or computer objects.

  • Permission inheritance

    Permission inheritance describes how permissions defined in security descriptors are propagated to an object from a parent object. Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether folders, sub-folders, and files can inherit them with “Apply to this-folder, sub-folders, and files”.