Windows ACL Evaluation
If the owner SID is in the process token, mask off the WRITE_DAC and READ_CONTROL access bits in the desired access (owner always has these rights).
Walk the ACL entry list in order:
- If the SID in this entry is not in the process token, ignore it.
- If the SID in this entry is in the process token, and the entry is a DENY, and any desired access bits are in the entry access bits, return failure.
- If the SID in this entry is in the process token, and the entry is an ALLOW, mask off any bits in the desired access that exist in the entry access bits.
Return success if desired access is zero, else failure.
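
The evaluation steps above as a runnable sketch, added here as an illustration and not taken from the original slides. The SIDs, ACLs and the names `Ace`, `access_check` and `demo` are constructed for the example; only the four access-mask constants are real Windows values.

```python
from dataclasses import dataclass

# Real Windows access-mask values; everything else here is constructed.
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002

@dataclass(frozen=True)
class Ace:
    kind: str   # "ALLOW" or "DENY"
    sid: str
    mask: int

def access_check(token_sids, owner_sid, dacl, desired):
    """True if every bit of `desired` is granted by walking `dacl` in order."""
    remaining = desired
    if owner_sid in token_sids:
        # The owner always holds WRITE_DAC and READ_CONTROL.
        remaining &= ~(WRITE_DAC | READ_CONTROL)
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # entry does not apply to this token
        if ace.kind == "DENY":
            if ace.mask & remaining:
                return False              # a still-needed bit is denied
        elif ace.kind == "ALLOW":
            remaining &= ~ace.mask        # granted bits no longer need checking
    return remaining == 0

# Constructed SIDs: a user, a group the user belongs to, and an unrelated owner.
USER, GROUP, OTHER = "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-513", "S-1-5-21-0-0-0-1002"
TOKEN = {USER, GROUP}

DENY_FIRST = [Ace("DENY", GROUP, FILE_WRITE_DATA),
              Ace("ALLOW", USER, FILE_READ_DATA | FILE_WRITE_DATA)]
ALLOW_FIRST = list(reversed(DENY_FIRST))   # same entries, opposite order

def demo():
    return {
        "read, deny first": access_check(TOKEN, OTHER, DENY_FIRST, FILE_READ_DATA),
        "write, deny first": access_check(TOKEN, OTHER, DENY_FIRST, FILE_WRITE_DATA),
        # The ALLOW clears the write bit before the DENY is reached.
        "write, allow first": access_check(TOKEN, OTHER, ALLOW_FIRST, FILE_WRITE_DATA),
        # Owner with an empty ACL: implicit rights only.
        "owner WRITE_DAC": access_check(TOKEN, USER, [], WRITE_DAC | READ_CONTROL),
        "owner read": access_check(TOKEN, USER, [], FILE_READ_DATA),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```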