Glossary

Attribute Type

Description

ACE

Access Control Entry. An entry in an ACL that contains: a SID that identifies a particular user or group; an access mask that specifies the access rights granted or denied; a set of bit flags that determine whether child objects can inherit the ACE; and a flag that indicates the type of ACE.

ACL

Access Control List. List of access permissions that apply to an object. The list identifies the users and groups that are allowed (or denied) access and which operations they may perform.

B-tree

Tree data structure that keeps data sorted and allows searches, insertions, and deletions in logarithmic amortized time. It is most commonly used in databases and file systems.

B+ tree

Tree data structure with sorted data records, each of which is identified by a key. It is a dynamic, multilevel index, with maximum and minimum bounds on the number of keys in each index segment (usually called a 'block' or 'node'). In a B+ tree, in contrast to a B-tree, all records are stored at the lowest level of the tree; only keys are stored in interior blocks.

DACL

Discretionary Access Control List. Part of the Security Descriptor that controls access to an object; it contains the ACEs that specify what access is permitted or denied. The object's owner grants permission to others (directly or indirectly) through this list.

Hash

Fixed-size value computed from a security descriptor and used as a shorthand for it. Because different descriptors can produce the same hash value, a hash is potentially non-unique.

LUID

Locally Unique Identifier. 64-bit value guaranteed to be unique only on the system on which it was generated, and only while that system remains running.

POSIX

Portable Operating System Interface. Family of related standards that define the API (Application Programming Interface) for software compatible with variants of the Unix operating system.

SACL

System Access Control List. Part of the Security Descriptor that controls how access is audited. It contains ACEs that specify which access attempts on the object (by permitted accounts) should be recorded in the audit log.

SAM

Security Accounts Manager. Secure database of user accounts stored in the Windows registry.

$SDH index

Index attribute in the $Secure file, keyed by the Hash of a security descriptor. It lets NTFS quickly determine whether a security descriptor being applied to a file or directory is already stored in the $Secure file and can therefore be shared rather than stored again.

$SDS Data Stream

Security Descriptor Stream. Named data stream of the $Secure file that contains a list of all the Security Descriptors on a volume.

$Secure

Metadata file that operates as a central file system security database for NTFS permissions.

Security Descriptor

Data structure that holds the security information for an object, including its DACL and SACL. On an NTFS volume, each descriptor is stored as an entry in the $SDS data stream.

Security ID

Identifier stored in a file system object's $STANDARD_INFORMATION attribute. It is used as the key into the $SII index, and from there into the $SDS data stream, of the $Secure file.

SID

Security Identifier. Variable-length value that uniquely identifies a security principal (a user or a security group).

$SII index

Security ID Index. Index attribute in the $Secure file, keyed by Security ID, whose entries contain a calculated Hash and the corresponding offset into the $SDS data stream. The $SII index lets NTFS quickly look up an object's security descriptor in the $Secure file while performing security checks.