Denying Access

You can deny all access to an object by adding an empty discretionary access-control list (DACL) to the object's security descriptor. An empty DACL has no access-control entries (ACEs), which means that the DACL does not grant access to anyone. Note that this is different from a security descriptor that has no DACL; in that case, the system grants everyone full access to the object. You can also prevent a specified trustee from gaining access to an object by using a DACL that has one or more access-denied ACEs.

This topic includes examples that use the high-level access-control functions that are new for Windows NT version 4.0. For an example that uses the older low-level access control functions, see Denying Access Using Low-Level Functions.

The high-level examples use the SetEntriesInAcl function to create an ACL. Then they use the SetNamedSecurityInfo function to attach the ACL as the DACL of an object. Note that these examples can work with a variety of named securable objects, such as files, registry keys, and synchronization objects.

The first example shows how to add an empty DACL to an object's security descriptor. The effect is to deny all access to the object.

#include <windows.h>
#include <aclapi.h>

DWORD SetEmptyDACL(LPTSTR lpObjectName, SE_OBJECT_TYPE ObjectType)
{
    DWORD dwRes;
    PACL pDacl = NULL;

    if (NULL == lpObjectName)
        return ERROR_INVALID_PARAMETER;

    // create an ACL with no ACEs
    dwRes = SetEntriesInAcl(0, NULL, NULL, &pDacl);
    if (ERROR_SUCCESS != dwRes)
        return dwRes;

    // attach the empty ACL as the object's DACL
    dwRes = SetNamedSecurityInfo(lpObjectName, ObjectType,
                DACL_SECURITY_INFORMATION,
                NULL, NULL, pDacl, NULL);

    // free the buffer returned by SetEntriesInAcl
    LocalFree(pDacl);
    return dwRes;
}

You can modify this example to deny access to a specified trustee. The following variation uses the BuildExplicitAccessWithName function to initialize an EXPLICIT_ACCESS structure with the data for an access-denied ACE. Then it uses the SetEntriesInAcl and SetNamedSecurityInfo functions to create the ACL and attach it to the object.
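
#include <windows.h>
#include <aclapi.h>

// wrapper function (hypothetical name) added so that the fragment's
// return statements compile
DWORD DenyAccessExample(void)
{
    DWORD dwRes;
    PACL pDacl = NULL;
    EXPLICIT_ACCESS ea;
    TCHAR szTrustee[] = TEXT("ludwig");  // writable buffers, because the
    TCHAR szObject[] = TEXT("myfile");   // functions take LPTSTR parameters

    // initialize an EXPLICIT_ACCESS structure to deny access
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    BuildExplicitAccessWithName(&ea,
        szTrustee,        // name of trustee
        GENERIC_ALL,      // type of access
        DENY_ACCESS,      // access mode
        NO_INHERITANCE);  // inheritance mode

    // create a new ACL with one access-denied ACE (no existing ACL is merged in)
    dwRes = SetEntriesInAcl(1, &ea, NULL, &pDacl);
    if (ERROR_SUCCESS != dwRes)
        return dwRes;

    // attach the ACL as the object's DACL
    dwRes = SetNamedSecurityInfo(szObject, SE_FILE_OBJECT,
                DACL_SECURITY_INFORMATION,
                NULL, NULL, pDacl, NULL);

    // free the buffer returned by SetEntriesInAcl
    LocalFree(pDacl);
    return dwRes;
}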
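
To compare the cases this topic describes (no DACL, an empty DACL, and a DACL with an access-denied ACE), the following portable C model walks a DACL the way an access check does, and shows that a DACL holding only the deny ACE grants nobody access because it contains no access-allowed ACE. It is an added example, not code from the original page: the types, right bits, trustee names and the access_allowed function are hypothetical stand-ins rather than Win32 API names, and the model ignores generic-right mapping, the owner's implicit rights, privileges and inheritance.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of DACL evaluation; all names are hypothetical,
   and trustee strings stand in for SIDs. */
typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *trustee; unsigned mask; } Ace;
typedef struct { size_t count; const Ace *aces; } Dacl;

#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
#define RIGHT_ALL   (RIGHT_READ | RIGHT_WRITE)

/* Returns 1 if every right in `desired` is granted to `user`, else 0.
   dacl == NULL models a security descriptor that has no DACL. */
int access_allowed(const Dacl *dacl, const char *user, unsigned desired)
{
    unsigned remaining = desired;   /* rights not yet granted */
    size_t i;
    if (dacl == NULL)
        return 1;                   /* no DACL: everyone gets full access */
    for (i = 0; i < dacl->count && remaining != 0; i++) {
        const Ace *ace = &dacl->aces[i];
        if (strcmp(ace->trustee, user) != 0 && strcmp(ace->trustee, "Everyone") != 0)
            continue;               /* ACE does not apply to this user */
        if (ace->type == ACE_DENY && (ace->mask & remaining))
            return 0;               /* a still-needed right is denied */
        if (ace->type == ACE_ALLOW)
            remaining &= ~ace->mask;
    }
    return remaining == 0;          /* empty DACL leaves everything ungranted */
}

/* Constructed sample DACLs. */
static const Dacl empty_dacl = { 0, NULL };
static const Ace deny_only_aces[] = { { ACE_DENY, "ludwig", RIGHT_ALL } };
static const Dacl deny_only = { 1, deny_only_aces };
static const Ace deny_then_allow_aces[] = {
    { ACE_DENY,  "ludwig",   RIGHT_ALL },
    { ACE_ALLOW, "Everyone", RIGHT_ALL },
};
static const Dacl deny_then_allow = { 2, deny_then_allow_aces };

int main(void)
{
    printf("no DACL, ludwig:          %d\n", access_allowed(NULL, "ludwig", RIGHT_ALL));
    printf("empty DACL, wolfgang:     %d\n", access_allowed(&empty_dacl, "wolfgang", RIGHT_READ));
    printf("deny-only DACL, wolfgang: %d\n", access_allowed(&deny_only, "wolfgang", RIGHT_READ));
    printf("deny+allow DACL, wolfgang: %d\n", access_allowed(&deny_then_allow, "wolfgang", RIGHT_ALL));
    return 0;
}
```

To deny one trustee while leaving other trustees' access in place, the DACL that is attached must also carry the access-allowed ACEs for those trustees, as the deny_then_allow case models.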