Permissions
Permissions (or "privileges") determine what actions a user account is allowed to perform on a computer system. The term often refers to file system permissions, which specify which user accounts on a system have ownership of, and access to, specific files and folders. It may also refer to the ability of a user account to perform specific tasks in a database or database-driven application.
Multi-user operating systems like Windows, Unix, Linux, and macOS use file systems with built-in permissions systems. Each user has a user account, which includes several user folders they control. They may also be part of a group with other users with a similar role. Each file and folder on the file system uses an access control list (ACL) that specifies which accounts and groups can access and modify it.
In addition to standard user accounts, these systems also include special accounts with "root," "administrator," or "superuser" permissions that offer full control over all files and folders on that system. However, a program with root permissions could modify or damage system files or other programs. To limit that risk, programs can instead run under special accounts, known as "system accounts" or "system user accounts," that offer limited permissions to restrict a program's access to only what it needs.
Permitted Operations
Each file and folder includes distinct permission levels for its owner, other members of the owner's group, and all other users on the system. Permissions applied to a folder are inherited by its files and subfolders.
Unix, Linux, and macOS permissions give accounts access to three operations:
- Read lets an account view the contents of files and folders.
- Write allows an account to create and modify files and subfolders.
- Execute lets the account run programs within a folder.
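The following Python script is an added example, not part of the original page. It decodes the read, write and execute bits for the owner, group and all-other-users classes described above, then reports entries that every account on the system can modify. The sample tree, file names and modes are constructed for the illustration.

```python
import os
import stat
import tempfile

# Bits for the three classes the page names: owner, owner's group, everyone else.
CLASSES = {
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

def decode(mode):
    """Map a numeric mode such as 0o640 to {'owner': 'rw-', 'group': 'r--', 'other': '---'}."""
    return {cls: "".join(c if mode & bit else "-" for c, bit in zip("rwx", bits))
            for cls, bits in CLASSES.items()}

def audit(root):
    """Return (relative path, issue) pairs for entries any account on the system can modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            perms = decode(stat.S_IMODE(st.st_mode))
            if stat.S_ISLNK(st.st_mode) or "w" not in perms["other"]:
                continue  # skip symlinks (their own mode is not enforced) and safe entries
            has_exec = "x" in "".join(perms.values())
            kind = "folder" if stat.S_ISDIR(st.st_mode) else "program" if has_exec else "file"
            findings.append((os.path.relpath(path, root), f"{kind} writable by all users"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; names and modes are made up for this example."""
    os.mkdir(os.path.join(root, "shared"))
    samples = [("notes.txt", 0o640), ("run.sh", 0o757), ("shared/data.csv", 0o666)]
    for rel, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod sets the exact mode, independent of the umask
    os.chmod(os.path.join(root, "shared"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, issue in audit(tmp):
            print(f"{path}: {issue}")
```

Pointing `audit()` at a real directory lists the entries whose "other" class has write access, which are the first candidates for tightening under least privilege.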
The permissions system in Windows has a similar set of operations:
- Read lets an account view the contents of a file or folder.
- Write allows the account to create and modify files and subfolders.
- Read & Execute lets a user view files and run programs without modifying files.
- Modify allows them to create, modify or delete files and subfolders.
- Full Control lets an account do everything, including changing the permissions granted to other user accounts.