What’s an Access Token?




An access token is a data structure that holds the security information a process needs to access protected objects or other processes. It contains security identifiers and user privileges, and it identifies its own type. A security reference monitor verifies the token before granting access to an object or process.

In computer operating systems and other software frameworks, an access token is any data structure that contains security information needed by a process to access a protected object or another process that requires authorization. Protected objects are usually data in the file system with defined read and write privileges, and a process is any other program or service that requires permission to access its functions. While an access token is simply a container that can hold any information, it is usually used to store user privileges.

The concept of an access token was conceived and used primarily by Microsoft® operating systems and programs, but its usefulness has carried it elsewhere. The Application Programming Interface (API) for Google describes a method for using access tokens when programming applications that need to access data associated with a Google user’s account. Some of the big social networking platforms also use access tokens in their APIs.

Basically, when a user logs into an operating system or software system framework, the system verifies the user and password against a security database, and an access token is created that identifies the user to any object or process on the system. All processes, such as applications, programs or services, started by the user will carry the access token with them. The access token, therefore, must store several pieces of data that another program or object verifies in order to grant access.

Access tokens contain security identifiers (SIDs), usually numeric codes, for the user, any user groups to which the user belongs, and the current logon session. The token also contains a list of all privileges granted to the user or groups. There are a couple of different types of access tokens, so the token also needs to identify its type, primary or impersonation. A primary access token is the standard type used, but an impersonation token can also be created to act on behalf of the user.

When an access token is called to do its job, it encounters a security reference monitor (SRM), a service that monitors access to objects and processes in the system. The SRM retrieves the security descriptor of the object or process for comparison with the access token. The security descriptor contains an access control list (ACL), where each access control entry (ACE) defines certain permissions for that object or process. For example, in the case of a file on the system, the security descriptor contains information about which users or groups have permission to read or write to the file. If the access token requesting access to open or modify the file does not match the permissions in the security descriptor, the access fails and the user is denied access to the file.
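The comparison described above, as an added example that is not part of the original article: a simplified Python model of the check between a token's SIDs and an object's ACL. It goes slightly beyond the text by including deny entries and in-order evaluation, which is how Windows walks an ACL; privileges, owner rights and a missing ACL are left out, and the user SIDs, access-right bits and class names are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed access-right bits for this model


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset
    token_type: str = "primary"  # "primary" or "impersonation"

    def sids(self):
        # Every SID the token can be matched on: the user plus its groups.
        return {self.user_sid} | self.group_sids


@dataclass(frozen=True)
class ACE:
    ace_type: str  # "allow" or "deny"
    sid: str
    mask: int


def access_check(token, acl, desired):
    """Walk the ACL in order; True only if every desired bit is granted."""
    remaining = desired
    for ace in acl:
        if ace.sid not in token.sids():
            continue  # entry is about someone else
        if ace.ace_type == "deny" and ace.mask & remaining:
            return False  # an earlier deny beats any later allow
        if ace.ace_type == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # bits nobody granted are implicitly denied


USERS = "S-1-5-32-545"  # well-known BUILTIN\Users group SID
ALICE = AccessToken("S-1-5-21-1-2-3-1001", frozenset({USERS}))  # constructed
BOB = AccessToken("S-1-5-21-1-2-3-1002", frozenset({USERS}))    # constructed
GUEST = AccessToken("S-1-5-21-1-2-3-1003", frozenset())         # constructed

# Constructed ACL from a file's security descriptor, deny entry first.
FILE_ACL = [
    ACE("deny", BOB.user_sid, WRITE),
    ACE("allow", USERS, READ),
    ACE("allow", ALICE.user_sid, READ | WRITE),
]
```

Moving the deny entry for Bob to the end of the list would not change the result here, but placing an allow entry for WRITE to the Users group ahead of it would let Bob write, which is why entry order in an ACL matters.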



