The access control model enables you to control the ability of a process to access securable objects or to perform various system administration tasks.


Access Control Components


There are two basic components of the access control model:

* Access tokens, which contain information about a logged-on user

* Security descriptors, which contain the security information that protects a securable object

When a user logs on, the system authenticates the user's account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this user will have a copy of this access token. The access token contains security identifiers that identify the user's account and any group accounts to which the user belongs. The token also contains a list of the privileges held by the user or the user's groups. The system uses this token to identify the associated user when a process tries to access a securable object or perform a system administration task that requires privileges.

When a securable object is created, the system assigns it a security descriptor that contains security information specified by its creator, or default security information if none is specified. Applications can use functions to retrieve and set the security information for an existing object.