The Extended Permissions are computed in bits. Extended permissions are stored in the r_accessor_xpermit attribute. The value of this attribute is an integer that has been converted from a 4-byte binary number to a decimal number.
- The first 16 bits (two bytes) represent the basic permissions for backward compatibility.
- The first 16 bits uses 0 to indicate that the permission is on
- The second 16 bits (two bytes) uses 1 to indicate that the permission is on
- The bit locations of the permissions are
_execute_proc = 1,
_change_location = 2,
_change_state = 17,
_change_permit = 18,
_change_owner = 19
Example:
If you issue this query:
SELECT r_object_id, object_name, r_accessor_name, r_accessor_xpermit FROM dm_acl
In r_accessor_xpermit, you may find a large number (i.e 458752) . This number is a decimal number if you change it to binary you will get the following:
0000 0000 0000 0111 0000 0000 0000 0000
which means that you give CHANGE_STATE, CHANGE_PERMIT, and CHANGE_OWNER (since bits 17,18, and 19 are 1 )extended permission to a user or group and
since bits 1 and 2 are 0 they are also on, so you also gave execute_proc and change_location.
458752 means Change State + Change Permit + Change Ownership + Execute Procedure + Change Location
0000 0000 0000 0111 0000 0000 0000 0000
0 means Execute Procedure + Change Location
0000 0000 0000 0000 0000 0000 0000 0000
1 means Change Location
0000 0000 0000 0000 0000 0000 0000 0001
2 means Execute Procedure
0000 0000 0000 0000 0000 0000 0000 0010
3 means None
0000 0000 0000 0000 0000 0000 0000 0011
65536 means Change State + Execute Procedure + Change Location
0000 0000 0000 0001 0000 0000 0000 0000
65539 means Change State
0000 0000 0000 0001 0000 0000 0000 0011