Basics of NTFS Permissions
Introduction
NTFS permissions form the security-relevant foundation for accessing files and folders on Windows-based systems. Docusnap365 analyzes and interprets these structures with the goal of providing a complete and comprehensible view of all access rights — both from a technical and organizational perspective.
What are NTFS ACLs, SIDs, and Principals?
- ACL (Access Control List): A list of entries that defines which user or group (principal) has which rights to an object. Every NTFS file and folder carries a security descriptor with two such lists: the DACL, which grants or denies access and is what "NTFS permissions" refers to here, and the SACL, which only controls auditing.
- SID (Security Identifier): A unique ID used by Windows to identify each user, group, and computer account, independently of the display name (for example S-1-5-21-<domain>-<RID> for a domain account). Renaming an account does not change its SID; deleting one leaves orphaned SIDs behind in the ACLs that referenced it, which then show up as unresolvable entries.
- Principal: A security-relevant object such as a user, group, service account, or computer. The ACL stores only the principal's SID; the name is resolved for display. In the analysis, the principal is at the center of each permission assignment.
Each ACL entry (Access Control Entry, ACE) combines a principal with a type (Allow or Deny), a defined set of permissions (e.g., read, write, full control), and inheritance flags that say whether the entry applies to the object itself, its subfolders, its files, or a combination.
Inheritance vs. Explicit Permissions
In NTFS, there are two types of permission assignments:
- Explicit permissions: These are set directly on a folder or file. Whether they also flow down to subfolders and files depends on the inheritance flags of the entry ("this folder only", "subfolders", "files", and so on); without such flags they apply only to the object they were set on.
- Inherited permissions: Rights that are automatically propagated from parent folders. They simplify management, but the chain can be interrupted: inheritance can be disabled on any child folder (either converting the inherited entries into explicit copies or discarding them), and an explicit entry on the child is evaluated before any inherited one, so an explicit Deny overrides an inherited Allow.
Docusnap365 clearly distinguishes these types of rights — both in the detail view and when calculating effective permissions.
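The following PowerShell script is an added example to make the ACE fields and the explicit/inherited distinction concrete; it is not Docusnap365 code. It dumps the DACL of one folder, showing each ACE's principal, the SID actually stored, the Allow/Deny type, the rights, whether the entry is explicit or inherited and which children it flows to, and then lists every subfolder below it whose DACL is protected, i.e. where inheritance from the parent has been disabled. The path C:\Data\Projects is a placeholder; replace it with a folder on your system.

```powershell
# Added example (not Docusnap365 code): dump the DACL of a folder, marking each ACE
# as explicit or inherited, then find every subfolder where inheritance from the
# parent has been disabled. Assumption: C:\Data\Projects is a placeholder path.
$Root = 'C:\Data\Projects'

function Get-AceReport([string]$Path) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # The DACL stores SIDs; Get-Acl shows the resolved name, so translate back.
        # Orphaned SIDs (deleted accounts) cannot be resolved to a name at all.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = '(unresolvable)'
        }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            SID       = $sid
            Type      = $ace.AccessControlType       # Allow or Deny
            Rights    = $ace.FileSystemRights
            Source    = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            # Which children this ACE flows to: ContainerInherit = subfolders, ObjectInherit = files
            AppliesTo = "$($ace.InheritanceFlags)"
        }
    }
}

# 1. The folder's own ACEs, in DACL order (explicit entries first, then inherited ones)
Get-AceReport -Path $Root | Format-Table -AutoSize

# 2. Subfolders whose DACL is "protected", i.e. inheritance from the parent is disabled.
#    These are the points where the permission tree is interrupted and must be
#    reviewed on their own; the count of explicit ACEs hints at how much was changed.
Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected } |
    ForEach-Object {
        $explicit = @((Get-Acl -Path $_.FullName).Access | Where-Object { -not $_.IsInherited })
        [pscustomobject]@{
            Folder       = $_.FullName
            ExplicitAces = $explicit.Count
        }
    } | Format-Table -AutoSize
```

Run it in a session that can read the ACLs of the whole tree (reading a DACL requires the READ_CONTROL right on the object, so folders you cannot read are silently skipped). Folders reported in the second table are exactly the ones where a review of the parent's permissions tells you nothing about the child.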
Share vs. NTFS vs. Effective Rights
- Share permissions: Apply only when a resource is accessed through a network share (e.g., \\server\share) over SMB; local and interactive access bypasses them entirely. They act as an additional access layer that can restrict, but never extend, the NTFS rights: over a share a user gets the intersection of the share permissions and the NTFS permissions.
- NTFS permissions: Apply directly on the file system (locally or over the network). They are more detailed and allow granular assignment of rights.
- Effective permissions: The actual rights of a user result from a combination of:
- Share permissions (only for access over the share)
- NTFS permissions (explicit and inherited)
- Group memberships (including nested groups, since the user's access token carries the SIDs of all groups it belongs to directly or indirectly)
- Deny entries and their evaluation order (explicit Deny, explicit Allow, inherited Deny, inherited Allow; the first matching entry decides for each right)
- Possibly disabled inheritance
Docusnap365 calculates and visualizes effective rights by considering all these influencing factors — both at the folder level and user-specific.
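As an added example of how these factors combine (this is not Docusnap365's own calculation), the following PowerShell script approximates the effective rights of the current user on a shared folder: it collects the SIDs in the user's token (user plus all nested groups), folds the NTFS DACL and the share ACL into one rights mask each in DACL order, so that an earlier Deny wins over a later Allow, and intersects the two. The share name Projects and the local path C:\Data\Projects are placeholders; the script assumes it runs on the file server that hosts the share, where both Get-SmbShareAccess (which needs the SmbShare module and usually administrative rights) and Get-Acl can see the objects.

```powershell
# Added example (not Docusnap365 code): approximate the effective rights of the
# current user on a share by combining share permissions, the NTFS DACL and the
# token's group memberships. Nested groups are already expanded in the token.
# Assumptions: 'Projects' and C:\Data\Projects are placeholders; run on the file server.
$ShareName = 'Projects'
$LocalPath = 'C:\Data\Projects'

# 1. All SIDs the current token carries: the user plus every (nested) group
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

function Resolve-Sid([string]$Account) {
    # Translate DOMAIN\Name (or a well-known name such as Everyone) to its SID string
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Fold entries (Type, Sid, Mask) in DACL order into one effective mask. For each
# right the first matching ACE decides: a Deny seen before an Allow blocks the bit,
# an Allow seen before a Deny keeps it. Non-matching ACEs are ignored.
function Get-EffectiveMask($Entries, $TokenSids) {
    [int]$granted = 0
    [int]$denied  = 0
    foreach ($e in $Entries) {
        if ($TokenSids -notcontains $e.Sid) { continue }
        if ($e.Type -eq 'Deny') {
            $denied  = $denied  -bor ($e.Mask -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($e.Mask -band (-bnot $denied))
        }
    }
    return $granted
}

# 2. NTFS DACL in the order Get-Acl returns it (canonical order: explicit Deny,
#    explicit Allow, inherited Deny, inherited Allow)
$ntfsEntries = (Get-Acl -Path $LocalPath).Access | ForEach-Object {
    [pscustomobject]@{
        Type = $_.AccessControlType.ToString()
        Sid  = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        Mask = [int]$_.FileSystemRights
    }
}
$ntfsMask = Get-EffectiveMask $ntfsEntries $sids

# 3. Share permissions, mapped to the NTFS bits they correspond to
$fsr = [System.Security.AccessControl.FileSystemRights]
$shareBits = @{
    Read   = [int]($fsr::ReadAndExecute -bor $fsr::Synchronize)
    Change = [int]($fsr::Modify -bor $fsr::Synchronize)
    Full   = [int]$fsr::FullControl
}
$shareEntries = Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    $mask = $shareBits[$_.AccessRight.ToString()]
    if ($null -eq $mask) { $mask = 0 }   # 'Custom' share masks are not mapped here
    [pscustomobject]@{
        Type = $_.AccessControlType.ToString()
        Sid  = Resolve-Sid $_.AccountName
        Mask = $mask
    }
}
$shareMask = Get-EffectiveMask $shareEntries $sids

# 4. Over the share the user gets NTFS AND share: the share layer only takes rights away
$effective = $ntfsMask -band $shareMask
[pscustomobject]@{
    User      = $id.Name
    NTFS      = [System.Security.AccessControl.FileSystemRights]$ntfsMask
    Share     = [System.Security.AccessControl.FileSystemRights]$shareMask
    Effective = [System.Security.AccessControl.FileSystemRights]$effective
}
```

Two caveats a practitioner should keep in mind when reading the result: under UAC the token of a non-elevated administrator carries the Administrators SID as "deny only", so Allow entries for that group do not apply even though the SID is present in the list above, and the script does not substitute CREATOR OWNER entries with the actual owner. Both are handled by the real access check in the kernel, which is why a direct test (opening the file as that user) remains the final word.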