Permission Precedence

Because of the fact that users have can have many different rights settings and objects can have many different permission settings, it is possible that conflicting permission settings might apply to a particular object and access method.

When this occurs, the system must engage in a process of resolving the various permissions to determine which ones should govern the access.

Here are some rules for resolving permissions conflicts:

  1. "Deny" permissions generally take precedence over "allow" permissions.
  2. Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example from a group).
  3. Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.
  4. Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission--depending on the other rules above, of course.

Although Deny permissions generally take precedence over allow permissions, this is not always the case. An explicit "allow" permission can take precedence over an inherited "deny" permission.

The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:

  • Explicit Deny
  • Explicit Allow
  • Inherited Deny
  • Inherited Allow

Also true:
File permissions override folder permissions, unless the Full Control permission has been granted to the folder.

Previous | NTFS Permissions | Next