Delegate CONTROL_ACCESS

In order for one to have read access to a confidential attribute, both of the following conditions must be true: (1) permissions must be held that grant read access to that attribute and (2) CONTROL_ACCESS permission must be present against that attribute for the entity accessing it. A side note to the original article mentions that Full Control Permissions will grant CONTROL_ACCESS as well.

Now I'm trying to delegate the right to read a specific confidential attribute using the "Delegate Control" wizard. I can easily adapt the delegwiz.inf so that it contains a new template with a "@=GA" for the attribute I'm after, in effect granting Full Control (which will in turn grant CONTROL_ACCESS). However I'd like not to grant change permissions to that attribute as well, only read (in terms of final, effective permissions). How is it possible to grant the CONTROL_ACCESS permission through a template in delegwiz.inf? I've found here that CA should be the "Control Access" I'm after, but when I use this, the template is invalidated and it's no longer visible in the "Delegate Control" wizard.

I've thought about the "Reset Password" right that appears through delegwiz.inf, and thought the CONTROL_ACCESS is a similar right, however it's nowhere to be found in the list of rights.
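The two-condition rule described in the post can be checked against an exported DACL. The sketch below is an added example, not part of the original post or any Microsoft tool: it models the rule over an SDDL string, using the SDDL codes RP (read property), WP (write property), CR (control access) and GA (generic all). The GUIDs, SIDs and DACL are constructed sample values, and the model assumes allow ACEs matched directly on the trustee SID (no deny ACEs, group expansion or inheritance handling).

```python
import re

READ_PROP, WRITE_PROP, CONTROL_ACCESS = "RP", "WP", "CR"  # SDDL right codes
ATTR_RIGHTS = {READ_PROP, WRITE_PROP, CONTROL_ACCESS}

# Constructed sample values: attribute schemaIDGUIDs and trustee SIDs.
ATTR = "11111111-2222-3333-4444-555555555555"
OTHER_ATTR = "99999999-8888-7777-6666-555555555555"
FULL, READER, RP_ONLY = ("S-1-5-21-1-2-3-1101", "S-1-5-21-1-2-3-1102",
                         "S-1-5-21-1-2-3-1103")
SAMPLE_DACL = (
    f"D:(OA;;GA;{ATTR};;{FULL})"          # Full Control on the attribute
    f"(OA;;RPCR;{ATTR};;{READER})"        # read + CONTROL_ACCESS only
    f"(OA;;RP;{ATTR};;{RP_ONLY})"         # read without CONTROL_ACCESS
    f"(OA;;CR;{OTHER_ATTR};;{RP_ONLY})"   # CONTROL_ACCESS on another attribute
)

def parse_aces(sddl):
    """Yield (type, rights, object_guid, trustee) for each ACE in the string."""
    for body in re.findall(r"\(([^)]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # not a plain ACE (e.g. conditional ACE); skipped here
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields
        yield ace_type, set(re.findall("[A-Z]{2}", rights)), obj_guid.lower(), trustee

def attribute_rights(sddl, trustee, attr_guid):
    """Rights on one attribute granted directly to trustee by allow ACEs."""
    granted = set()
    for ace_type, rights, obj_guid, who in parse_aces(sddl):
        if who != trustee or ace_type not in ("A", "OA"):
            continue
        if obj_guid and obj_guid != attr_guid.lower():
            continue  # object ACE scoped to a different attribute
        if "GA" in rights:
            rights = ATTR_RIGHTS  # Full Control implies CONTROL_ACCESS too
        granted |= rights & ATTR_RIGHTS
    return granted

def can_read_confidential(sddl, trustee, attr_guid):
    """Both conditions from the post: read property AND CONTROL_ACCESS."""
    rights = attribute_rights(sddl, trustee, attr_guid)
    return READ_PROP in rights and CONTROL_ACCESS in rights

if __name__ == "__main__":
    for sid in (FULL, READER, RP_ONLY):
        print(sid, sorted(attribute_rights(SAMPLE_DACL, sid, ATTR)),
              can_read_confidential(SAMPLE_DACL, sid, ATTR))
```

The second trustee is the outcome the post is after: the confidential attribute is readable while write property is absent from the effective rights.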