FileSystemRights - Permission mask

Calculation of the NTFS permission set mask

Microsoft distinguishes between "basic permissions", such as Full Control, Modify, Read, Write, Read & Execute, List Folder Contents and Special Permissions, and "extended permissions" (the advanced permissions), such as Read Data, Execute File, Read Attributes, Create Folders and others.

Each extended permission has a value: Read Data = 1, Create Files = 2, Append Data = 4, Read Extended Attributes = 8, ...

The basic permissions are made up of several extended permissions; their value is accordingly the sum of the individual permissions. For example, the Write right consists of "Create Files" (2), "Append Data" (4), "Write Extended Attributes" (16) and "Write Attributes" (256). The value for "Write" adds up to 278. With "Synchronize" (1048576) the value is 1048854.

The extended permissions can be combined as required. If this produces a right that does not correspond to one of the basic rights, Windows marks it as "Special permissions".

Only the "Synchronize" right cannot be assigned manually. Synchronize controls the ability to wait on the file handle for asynchronous read and write operations, and it is set only by the system.


Image: FileSystemRights - calculation of the permission mask from the individual permissions.

MODIFY PLUS is a name the company (GmbH) uses for a modify-like permission. In this case, the "Delete" right is replaced by "Delete Subfolders and Files". With Modify Plus, the authorized user cannot rename, move or delete the directory on which they explicitly hold this modify right.
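The following is an added example, not code from the article: it composes and decodes masks with the .NET FileSystemRights bit values the article walks through (Write = 278, with Synchronize = 1048854) and derives the MODIFY PLUS value from the article's definition, which is a derivation here rather than a value taken from Windows.

```python
# Compose, decode and classify NTFS FileSystemRights masks.
# Bit values are those of the .NET System.Security.AccessControl.FileSystemRights enum.

RIGHTS = {
    "ReadData": 1,                  # also ListDirectory
    "WriteData": 2,                 # also CreateFiles
    "AppendData": 4,                # also CreateDirectories
    "ReadExtendedAttributes": 8,
    "WriteExtendedAttributes": 16,
    "ExecuteFile": 32,              # also Traverse
    "DeleteSubdirectoriesAndFiles": 64,
    "ReadAttributes": 128,
    "WriteAttributes": 256,
    "Delete": 65536,
    "ReadPermissions": 131072,
    "ChangePermissions": 262144,
    "TakeOwnership": 524288,
    "Synchronize": 1048576,         # bit 20, set only by the system
}

# Basic permissions as sums of extended ones; only FullControl carries Synchronize.
BASIC = {
    "Read": 131209,
    "Write": 278,
    "ReadAndExecute": 131241,
    "Modify": 197055,
    "FullControl": 2032127,
}

def compose(*names):
    """OR the named extended rights into one mask."""
    mask = 0
    for name in names:
        mask |= RIGHTS[name]
    return mask

def decode(mask):
    """List the extended rights contained in a mask, lowest bit first."""
    return [name for name, bit in RIGHTS.items() if mask & bit]

def classify(mask):
    """Name the basic permission a mask equals (Synchronize ignored), else 'Special permissions'."""
    sync = RIGHTS["Synchronize"]
    for name, value in BASIC.items():
        if mask & ~sync == value & ~sync:
            return name
    return "Special permissions"

def modify_plus():
    """The article's MODIFY PLUS: Modify with Delete swapped for DeleteSubdirectoriesAndFiles (derived)."""
    return (BASIC["Modify"] & ~RIGHTS["Delete"]) | RIGHTS["DeleteSubdirectoriesAndFiles"]
```

classify() ignores the Synchronize bit because, as the article notes, the system adds it on its own, so an ACE showing "Write" in the GUI carries 1048854 rather than 278.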

Extended permissions

Image: When assigning permissions under Windows, the individual permissions defined for FileSystemRights appear as "advanced permissions" up to position 19 ("Take Ownership"). Position 20 ("Synchronize") is assigned only by the system.

A permission entry includes further parameters:

The AccessControlType determines whether the specified rights are allowed or denied. The values "Allow" or "Deny" are displayed; they are mutually exclusive.

The PropagationFlag indicates where the right applies. There are three possible values:

  • in this folder only: Propagation_4,
  • in the subfolders: Propagation_2, and
  • for files: Propagation_1.

These three values can be combined as desired. By default, all three are set, i.e. the right applies in this folder, in the subfolders and to the files: Propagation_7.

In the case of list groups, only the first value is set, i.e. the list right (which corresponds to Read & Execute) applies only to the folder on which it was explicitly assigned. It applies neither to the subfolders nor to the files: Propagation_4.

