JSI Tip 0425 - When I query the ACL of an object with CACLS, what do (OI), (IO), (CI), and (NP) mean?
February 17, 1998
CACLS is a command for querying and changing the permissions of directories and files.
If you use CACLS to query the ACLs (Access Control Lists) of a directory, it displays the permissions of the directory. If you use a wild card, it displays the permissions of the included directories and files.
CACLS displays directory permissions for each user or group as two entries. The first entry lists the file (inherited) permissions and the second lists the directory permissions. The letters in parentheses represent the inheritance flags:
File Permissions:
OI = MSG_CACLS_OBJECT_INHERIT
This ACE (Access Control Entry) is inherited by noncontainer objects, such as files created
within the container object to which the ACE is assigned.
IO = MSG_CACLS_INHERIT_ONLY
This ACE does not apply to the container object, but to objects contained by it.
Normally both references are displayed.
Directory Permissions:
CI = MSG_CACLS_CONTAINER_INHERIT
This ACE is inherited by container objects, such as directories.
NP = MSG_CACLS_NO_PROPAGATE_INHERIT
Displayed when a permission is not to be inherited. The MSG_CACLS_OBJECT_INHERIT
and MSG_CACLS_CONTAINER_INHERIT bits are not propagated to an inherited ACE.
A directory's ACL will normally contain at least two ACEs. If CACLS output only contains one ACE, then permissions for the other ACE have not been specified.
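The flag meanings above can be applied mechanically when auditing a directory. The following is an added example, not code from the original tip: it parses CACLS directory output, reports what each ACE covers, and lists trustees that have only one of the two entries. The sample output, the path, the trustee names and the `trustee:(FLAGS)permission` entry shape are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the two-entry layout the tip describes (not real output).
SAMPLE_PATH = r"D:\Projects"
SAMPLE = r"""D:\Projects BUILTIN\Administrators:(OI)(IO)F
            BUILTIN\Administrators:(CI)F
            Everyone:(OI)(IO)R
            Everyone:(CI)R
            CORP\Auditors:(CI)(NP)R
"""

KNOWN_FLAGS = {"OI", "IO", "CI", "NP"}
# Assumed entry shape: trustee, colon, zero or more (XX) flags, then the permission.
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\([A-Z]{2}\))*)(?P<perm>.*)$")

def scope(flags):
    """Translate a set of inheritance flags into what the ACE covers."""
    return {
        "this_directory": "IO" not in flags,    # IO: ACE skips the container itself
        "files": "OI" in flags,                 # OI: inherited by files
        "subdirectories": "CI" in flags,        # CI: inherited by directories
        # NP: children inherit the ACE, but without OI/CI, so it stops there
        "propagates_further": bool(flags & {"OI", "CI"}) and "NP" not in flags,
    }

def parse_cacls(path, output):
    """Parse CACLS output for one directory into a list of ACE dicts."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):               # first line carries the path prefix
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        flags = set(re.findall(r"\(([A-Z]{2})\)", m["flags"]))
        if flags - KNOWN_FLAGS:
            raise ValueError(f"unrecognised inheritance flag in: {line}")
        aces.append({"trustee": m["trustee"], "perm": m["perm"],
                     "flags": flags, **scope(flags)})
    return aces

def single_entry_trustees(aces):
    """Trustees with one ACE only: the other half of the pair was not specified."""
    counts = Counter(a["trustee"] for a in aces)
    return sorted(t for t, n in counts.items() if n == 1)

if __name__ == "__main__":
    for ace in parse_cacls(SAMPLE_PATH, SAMPLE):
        print(ace)
```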