Some controls identify the permissions that are set on a Windows file or folder for different user groups and individual users. To save space, the compliance module assigns each permission a letter (A,B,C,D,...) and uses the letter instead of the full permission name.
When specifying the default expected value for a control in the Policy Editor or when creating a custom File/Directory Permission control, you must use the mapping described below. In your reports the service provides a legend that translates these values to the permissions they represent.
This table maps each letter to the permission it represents.
| Value | Permission |
|---|---|
| A | Write Attributes |
| B | Read Attributes |
| C | Delete Child (This is a hidden permission that is set when groups or users have Full Control permission on a directory.) |
| D | Traverse folder / Execute file |
| E | Write extended |
| F | Read extended |
| G | Create Folders / Append Data |
| H | Create Files / Write Data |
| I | List Folder / Read Data |
| J | Delete |
| K | Change Permissions |
| L | Take Ownership |
| M | Read Permissions |
| N | Synchronize (This is a hidden permission that is set when groups or users have Full Control permission.) |
NTFS permissions are often granted using security templates, which are logical groupings of permissions. The following table describes the security templates applicable to files and folders, and how the list of permissions for these templates will appear in your policy compliance reports.
| Template | Appears as |
|---|---|
| Full Control | A:B:C:D:E:F:G:H:I:J:K:L:M:N |
| Read | B:F:I:M |
| Write | A:E:G:H |
| List Folder Contents / Read & Execute | B:D:F:I:M |
| Modify | A:B:D:E:F:G:H:I:J:M |
The folder "Security" has the following permissions set:
The Administrators group has Full Control permission.
The SYSTEM group has Full Control permission.
The Power Users group has Modify permission.
The user named Robert has Read permission.
These permissions translate to:
Administrators:A:B:C:D:E:F:G:H:I:J:K:L:M:N
SYSTEM:A:B:C:D:E:F:G:H:I:J:K:L:M:N
Power Users:A:B:D:E:F:G:H:I:J:M
Robert:B:F:I:M
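The translation above can be scripted when reviewing exported report values. This Python sketch is an added example, not part of the compliance module: it decodes letter-coded entries using the two tables on this page, names the matching security template, and lists letters a principal holds beyond an expected value. The function names `parse`, `describe` and `excess` are hypothetical, and the code assumes whitespace-separated entries of the form `principal:letter:letter` as in the "Security" example.

```python
import re

# Letter codes and templates copied from the tables on this page.
PERMISSIONS = {
    "A": "Write Attributes", "B": "Read Attributes", "C": "Delete Child",
    "D": "Traverse folder / Execute file", "E": "Write extended",
    "F": "Read extended", "G": "Create Folders / Append Data",
    "H": "Create Files / Write Data", "I": "List Folder / Read Data",
    "J": "Delete", "K": "Change Permissions", "L": "Take Ownership",
    "M": "Read Permissions", "N": "Synchronize",
}
TEMPLATES = {
    "Full Control": "ABCDEFGHIJKLMN",
    "Modify": "ABDEFGHIJM",
    "List Folder Contents / Read & Execute": "BDFIM",
    "Read": "BFIM",
    "Write": "AEGH",
}

# One entry is "<principal>:<letter>[:<letter>...]"; principals may contain
# spaces ("Power Users"), so entries cannot be split on whitespace alone.
ENTRY = re.compile(r"([^:]+):([A-N](?::[A-N])*)(?=\s|$)")


def parse(value):
    """Parse a report value into {principal: set of permission letters}."""
    return {name.strip(): set(codes.split(":")) for name, codes in ENTRY.findall(value)}


def describe(letters):
    """Return (matching template or None, permission names in letter order)."""
    template = next((t for t, s in TEMPLATES.items() if set(s) == letters), None)
    return template, [PERMISSIONS[c] for c in sorted(letters)]


def excess(expected, actual):
    """Letters each principal holds in `actual` beyond what `expected` grants.
    A principal absent from `expected` is reported with all of its letters."""
    want, have = parse(expected), parse(actual)
    extra = {p: sorted(l - want.get(p, set())) for p, l in have.items()}
    return {p: l for p, l in extra.items() if l}


# Constructed sample: the "Security" folder example from this page, on one line.
SAMPLE = ("Robert:B:F:I:M Power Users:A:B:D:E:F:G:H:I:J:M "
          "Administrators:A:B:C:D:E:F:G:H:I:J:K:L:M:N "
          "SYSTEM:A:B:C:D:E:F:G:H:I:J:K:L:M:N")

if __name__ == "__main__":
    for principal, letters in parse(SAMPLE).items():
        print(principal, describe(letters))
```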
A permission translation table is provided for each file/directory permission control included in your compliance reports. The translation table appears below the Expected Value and Actual Value fields in the Detailed Results section of the report, and maps each letter that appears in the Actual Value field to the permission it represents. See the sample report output below.
| Expected Value | Actual Value |
|---|---|
| contains regular expression list Administrators:A:B:C:D:E:F:G:H:I:J:K:L:M:N | Robert:B:F:I:M Power Users:A:B:D:E:F:G:H:I:J:M Administrators A:B:C:D:E:F:G:H:I:J:K:L:M:N SYSTEM:A:B:C:D:E:F:G:H:I:J:K:L:M:N |

Permission Translation

A : Write
B : Read
C : Delete child
D : Traverse folder/Execute file
E : Write extended attributes
F : Read extended attributes
G : Create folder/Append data
H : Create file/Write data
I : List folder/Read data
J : Delete
K : Change permissions
L : Take ownership
M : Read permissions
N : Synchronize