Saturday, January 1, 2011

【Weak Current College】 Four basic principles of Windows XP permission settings --- Power By 【China Power House Network】



In Windows XP, permission management rests on four basic principles: deny overrides allow, least privilege, summation of permissions, and permission inheritance. These four principles play a very important role in permission settings, so let us look at each of them:
1. Deny overrides allow
The "deny overrides allow" principle is a very important and basic one: it neatly resolves "disputes" between the permissions a user receives from the different groups he belongs to. For example, the user "shyzhong" belongs both to the "shyzhongs" group and to the "xhxs" group. When we assign the "xhxs" group "write" permission on a resource (that is, grant it at the group level), the "shyzhong" account in that group automatically acquires "write" permission.
Surprisingly, though, even though "shyzhong" clearly has "write" permission on the resource, writing fails. The reason is that the "shyzhongs" group also holds a permission entry for this resource, and that entry is set to "deny write". By the "deny overrides allow" principle, the "write" denied through the "shyzhongs" group takes precedence over the "write" allowed through the "xhxs" group. So in practice the user "shyzhong" cannot write to the resource.
2. Least privilege
Windows XP takes "keep users' permissions to the minimum" as a basic principle, and that is necessary: it is this principle that gives resources the greatest security. It keeps users from accessing resources they have no need for by limiting the effective permissions they are given.
Under this principle, when permissions are actually granted, the allow or deny for a resource must be conferred explicitly. For example, a newly created restricted user "shyzhong" has by default no permissions at all on the "DOC" directory; if that user now needs "read" permission on the "DOC" directory, the "shyzhong" user must be added to the "DOC" directory's permission list with "read" permission.
3. Permission inheritance
The inheritance principle makes setting resource permissions easier. Suppose there is a "DOC" directory with the subdirectories "DOC01", "DOC02" and "DOC03", and the "shyzhong" user needs "write" permission on the DOC directory and all of its subdirectories. Because of inheritance, it is enough to give the "shyzhong" user "write" permission on the "DOC" directory; all of its subdirectories automatically inherit that permission setting.
4. Summation
This principle is easy to understand. Suppose the user "zhong" belongs to both the "A" group and the "B" group; group "A" has "read" permission and group "B" has "write" permission. By the "cumulative" principle, zhong's actual permissions are "read + write".
Clearly, the "deny overrides allow" principle resolves conflicts in permission settings; the "least privilege" principle keeps resources safe; the "permission inheritance" principle "automates" the application of permission settings; and the "cumulative" principle makes permission settings more flexible. Each principle serves a different purpose, and lacking any one of them would make permission settings a lot of trouble!
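The following is an added example, not code from the original post: a small Python model of how effective rights are resolved under the four principles above, using the post's user, group and directory names with constructed permission entries. It also applies the Windows canonical ordering rule that explicit entries on an object are evaluated before entries inherited from its parents, which the post does not mention.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name the entry applies to
    allow: bool         # True = allow entry, False = deny entry
    rights: frozenset   # e.g. frozenset({"read", "write"})
# Constructed directory tree (child -> parent) and group memberships from the post.
PARENT = {"DOC01": "DOC", "DOC02": "DOC", "DOC03": "DOC"}
GROUPS = {"shyzhong": {"shyzhongs", "xhxs"}, "zhong": {"A", "B"}}

def ordered_aces(acls, path):
    """Canonical NTFS order: explicit deny, explicit allow, then the same
    pair for each ancestor, nearest parent first (inherited entries)."""
    def deny_first(aces):
        return sorted(aces, key=lambda a: a.allow)  # False (deny) sorts first
    ordered, node = deny_first(acls.get(path, [])), PARENT.get(path)
    while node:
        ordered += deny_first(acls.get(node, []))
        node = PARENT.get(node)
    return ordered

def effective_rights(acls, user, path):
    """Least privilege: start with nothing; accumulate allows (summation);
    a deny met before a right is granted blocks it (deny beats allow)."""
    identities = {user} | GROUPS.get(user, set())
    granted, denied = set(), set()
    for ace in ordered_aces(acls, path):
        if ace.principal not in identities:
            continue
        if ace.allow:
            granted |= ace.rights - denied
        else:
            denied |= ace.rights - granted
    return frozenset(granted)
W, R = frozenset({"write"}), frozenset({"read"})
# Principle 1: xhxs allows write on DOC, shyzhongs denies it -> no write.
CONFLICT = {"DOC": [Ace("xhxs", True, W), Ace("shyzhongs", False, W)]}
# Principle 3: write set once on DOC flows down to DOC01..DOC03.
INHERIT = {"DOC": [Ace("shyzhong", True, W)]}
# Principle 4: group A gives read, group B gives write -> read + write.
SUMMED = {"DOC": [Ace("A", True, R), Ace("B", True, W)]}
# Beyond the post: an explicit allow on DOC03 outranks the deny inherited from DOC.
OVERRIDE = {"DOC": [Ace("shyzhongs", False, W)], "DOC03": [Ace("shyzhong", True, W)]}

if __name__ == "__main__":
    for acls, user, path in [(CONFLICT, "shyzhong", "DOC"), (INHERIT, "shyzhong", "DOC02"),
                             (SUMMED, "zhong", "DOC"), (OVERRIDE, "shyzhong", "DOC03")]:
        print(user, path, sorted(effective_rights(acls, user, path)))
```

The OVERRIDE scenario is the case to check in practice: an explicit allow set directly on a subdirectory survives a deny inherited from its parent, so "deny overrides allow" holds only among entries at the same level.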
Note: in Windows XP, every member of the "Administrators" group holds the "Take Ownership" right, meaning that a member of the Administrators group can "take" ownership away from other users. For example, if the restricted user "shyzhong" creates a DOC directory and grants only himself read permission, which looks like a careful permission setting, in fact every member of the "Administrators" group can obtain that permission by taking ownership.