Access Rights for Access-Token Objects

An application cannot change the access control list of an object unless the application has the rights to do so. These rights are controlled by a security descriptor in the access token for the object. For more information about security, see Access Control Model.

To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions.

When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.

The following are valid access rights for access-token objects:

  • The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.

  • The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.

  • The specific access rights for access tokens, which are listed in the following table.

    Value Meaning
    TOKEN_ADJUST_DEFAULT Required to change the default owner, primary group, or DACL of an access token.
    TOKEN_ADJUST_GROUPS Required to adjust the attributes of the groups in an access token.
    TOKEN_ADJUST_PRIVILEGES Required to enable or disable the privileges in an access token.
    TOKEN_ADJUST_SESSIONID Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.
    TOKEN_ASSIGN_PRIMARY Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.
    TOKEN_DUPLICATE Required to duplicate an access token.
    TOKEN_EXECUTE Same as STANDARD_RIGHTS_EXECUTE.
    TOKEN_IMPERSONATE Required to attach an impersonation access token to a process.
    TOKEN_QUERY Required to query an access token.
    TOKEN_QUERY_SOURCE Required to query the source of an access token.
    TOKEN_READ Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.
    TOKEN_WRITE Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT.
    TOKEN_ALL_ACCESS Combines all possible access rights for a token.