Permissions and security descriptors
Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed to users and groups. The security descriptor is automatically created along with the container or object that is created. A typical example of an object with a security descriptor is a file.
Permissions are defined within an object's security descriptor. Permissions are associated with, or assigned to, specific users and groups. For example, for the file Temp.dat, the built-in Administrators group might be assigned Read, Write, and Delete permissions, while the Backup Operators group might be assigned Read and Write permissions only.
Each assignment of permissions to a user or group is represented in the system as an access control entry (ACE). The entire set of permission entries in a security descriptor is known as a permission set or access control list (ACL). Thus, for a file named Temp.dat, the permission set includes two permission entries, one for the built-in Administrators group and one for the Backup Operators group.
Explicit vs. inherited permissions
There are two types of permissions: explicit permissions and inherited permissions.
Explicit permissions are those that are set by default on non-child objects when the object is created, or by user action on non-child, parent, or child objects.
Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.
By default, objects within a container inherit the permissions from that container when the objects are created. For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder automatically inherit the permissions from that folder. Therefore, MyFolder has explicit permissions, while all subfolders and files within it have inherited permissions.
Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.