NetApp Knowledge Base

What are NTFS access mask flags with corresponding user permissions?

Category:
ontap-9
Specialty:
nas
Applies to

  • ONTAP 9 and later
  • Windows
  • SMB/CIFS
  • NTFS volume

Answer

  • An ACCESS_MASK is a 32-bit set of flags that are used to encode the user rights to an object.
  • An access mask is used both to encode the rights to an object assigned to a principal and to encode the requested access when opening an object.
  • Below are the most commonly used access masks:
    • For Read permission, use 0x1200A9. This corresponds to the following flags:
      FILE_READ_DATA (file) or FILE_LIST_DIRECTORY (directory) = 1 (0x1)
      FILE_READ_EA = 8 (0x8)
      FILE_EXECUTE (file) or FILE_TRAVERSE (directory) = 32 (0x20)
      FILE_READ_ATTRIBUTES = 128 (0x80)
      READ_CONTROL = 131072 (0x20000)
      SYNCHRONIZE = 1048576 (0x100000)

    • For Change permission, use 0x1301BF. This corresponds to the Read flags plus the following additional flags:
      FILE_WRITE_DATA (file) or FILE_ADD_FILE (directory) = 2 (0x2)
      FILE_APPEND_DATA (file) or FILE_ADD_SUBDIRECTORY (directory) = 4 (0x4)
      FILE_WRITE_EA = 16 (0x10)
      FILE_WRITE_ATTRIBUTES = 256 (0x100)
      DELETE = 65536 (0x10000)

    • For Full Control permission, use 0x1F01FF. This corresponds to the Change flags plus the following additional flags:
      FILE_DELETE_CHILD = 64 (0x40)
      WRITE_DAC = 262144 (0x40000)
      WRITE_OWNER = 524288 (0x80000)

  • Below is the access mask bitmap table for files (abbreviation | name | value, followed by the description):

    GR | GENERIC_READ | 0x80000000L
      When used in an Access Request operation: When read access to an object is requested, this bit is translated to a combination of bits. These are most often set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) The bits that are set are implementation dependent. During this translation, the GR bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are checked against the ACE structures in the security descriptor that is attached to the object.
      When used to set the Security Descriptor on an object: When the GR bit is set in an ACE that is to be attached to an object, it is translated into a combination of bits, which are usually set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) The bits that are set are implementation dependent. During this translation, the GR bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are granted by this ACE.

    GW | GENERIC_WRITE | 0x40000000L
      When used in an Access Request operation: When write access to an object is requested, this bit is translated to a combination of bits, which are usually set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) The bits that are set are implementation dependent. During this translation, the GW bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are checked against the ACE structures in the security descriptor that is attached to the object.
      When used to set the Security Descriptor on an object: When the GW bit is set in an ACE that is to be attached to an object, it is translated into a combination of bits, which are usually set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) The bits that are set are implementation dependent. During this translation, the GW bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are granted by this ACE.

    GX | GENERIC_EXECUTE | 0x20000000L
      When used in an Access Request operation: When execute access to an object is requested, this bit is translated to a combination of bits, which are usually set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) The bits that are set are implementation dependent. During this translation, the GX bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are checked against the ACE structures in the security descriptor that is attached to the object.
      When used to set the Security Descriptor on an object: When the GX bit is set in an ACE that is to be attached to an object, it is translated into a combination of bits, which are usually set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) The bits that are set are implementation dependent. During this translation, the GX bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are granted by this ACE.

    GA | GENERIC_ALL | 0x10000000L
      When used in an Access Request operation: When all access permissions to an object are requested, this bit is translated to a combination of bits, which are usually set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) Objects are free to include bits from the upper 16 bits in that translation as required by the object's semantics. The bits that are set are implementation dependent. During this translation, the GA bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are checked against the ACE structures in the security descriptor that is attached to the object.
      When used to set the Security Descriptor on an object: When the GA bit is set in an ACE that is to be attached to an object, it is translated into a combination of bits, which are usually set in the lower 16 bits of the ACCESS_MASK. (Individual protocol specifications MAY specify a different configuration.) Objects are free to include bits from the upper 16 bits in that translation, if required by the object's semantics. The bits that are set are implementation dependent. During this translation, the GA bit is cleared. The resulting ACCESS_MASK bits are the actual permissions that are granted by this ACE.

    MA | MAXIMUM_ALLOWED | 0x02000000L
      When used in an Access Request operation: When requested, this bit grants the requestor the maximum permissions allowed to the object through the Access Check Algorithm. This bit can only be requested; it cannot be set in an ACE.
      When used to set the Security Descriptor on an object: Specifying the Maximum Allowed bit in the SECURITY_DESCRIPTOR has no meaning. The MA bit SHOULD NOT be set and SHOULD be ignored when part of a SECURITY_DESCRIPTOR structure.

    AS | ACCESS_SYSTEM_SECURITY | 0x01000000L
      When used in an Access Request operation: When requested, this bit grants the requestor the right to change the SACL of an object. This bit MUST NOT be set in an ACE that is part of a DACL. When set in an ACE that is part of a SACL, this bit controls auditing of accesses to the SACL itself.

    SY | SYNCHRONIZE | 0x00100000L
      Specifies access to the object sufficient to synchronize or wait on the object.

    WO | WRITE_OWNER | 0x00080000L
      Specifies access to change the owner of the object as listed in the security descriptor.

    WD | WRITE_DACL | 0x00040000L
      Specifies access to change the discretionary access control list of the security descriptor of an object.

    RC | READ_CONTROL | 0x00020000L
      Specifies access to read the security descriptor of an object.

    DE | DELETE | 0x00010000L
      Specifies access to delete an object.

  • Below is the access mask bitmap table for directories (name | value, followed by the description):

    FILE_LIST_DIRECTORY | 0x00000001
      This value indicates the right to enumerate the contents of the directory.

    FILE_ADD_FILE | 0x00000002
      This value indicates the right to create a file under the directory.

    FILE_ADD_SUBDIRECTORY | 0x00000004
      This value indicates the right to add a sub-directory under the directory.

    FILE_READ_EA | 0x00000008
      This value indicates the right to read the extended attributes of the directory.

    FILE_WRITE_EA | 0x00000010
      This value indicates the right to write or change the extended attributes of the directory.

    FILE_TRAVERSE | 0x00000020
      This value indicates the right to traverse this directory if the underlying object store enforces traversal checking.

    FILE_DELETE_CHILD | 0x00000040
      This value indicates the right to delete the files and directories within this directory.

    FILE_READ_ATTRIBUTES | 0x00000080
      This value indicates the right to read the attributes of the directory.

    FILE_WRITE_ATTRIBUTES | 0x00000100
      This value indicates the right to change the attributes of the directory.

    DELETE | 0x00010000
      This value indicates the right to delete the directory.

    READ_CONTROL | 0x00020000
      This value indicates the right to read the security descriptor for the directory.

    WRITE_DAC | 0x00040000
      This value indicates the right to change the DACL in the security descriptor for the directory. For the DACL data structure, see ACL in [MS-DTYP] section 2.4.5.

    WRITE_OWNER | 0x00080000
      This value indicates the right to change the owner in the security descriptor for the directory.

    SYNCHRONIZE | 0x00100000
      This flag MUST be ignored by both clients and servers.

    ACCESS_SYSTEM_SECURITY | 0x01000000
      This value indicates the right to read or change the SACL in the security descriptor for the directory. For the SACL data structure, see ACL in [MS-DTYP] section 2.4.5.

    MAXIMUM_ALLOWED | 0x02000000
      This value indicates that the client is requesting an open to the directory with the highest level of access that the client has on this directory. If no access is granted for the client on this directory, then the server MUST fail the open with STATUS_ACCESS_DENIED.

    GENERIC_ALL | 0x10000000
      This value indicates a request for all of the access flags that are listed above, except MAXIMUM_ALLOWED and ACCESS_SYSTEM_SECURITY.

    GENERIC_EXECUTE | 0x20000000
      This value indicates a request for the following access flags listed above: FILE_READ_ATTRIBUTES, FILE_TRAVERSE, SYNCHRONIZE, and READ_CONTROL.

    GENERIC_WRITE | 0x40000000
      This value indicates a request for the following access flags listed above: FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, SYNCHRONIZE, and READ_CONTROL.

    GENERIC_READ | 0x80000000
      This value indicates a request for the following access flags listed above: FILE_LIST_DIRECTORY, FILE_READ_ATTRIBUTES, FILE_READ_EA, SYNCHRONIZE, and READ_CONTROL.

Additional Information

For more details on ACCESS_MASK, refer to the Microsoft documents below:

NTFS access mask flags are shown in the output of the vserver security file-directory show command.

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.