Security Descriptor Components

A security descriptor is an opaque structure that consists of a SECURITY_DESCRIPTOR structure and its associated security information. The security information can include the following:

Security identifiers (SIDs) for the owner and primary group of an object.
A discretionary access-control list (DACL) that specifies the types of object access that the system grants to particular users or groups.
A system access-control list (SACL) that specifies the types of access attempts that generate audit records for the object.

Applications must not directly manipulate the contents of a security descriptor. The Win32 API provides functions for getting and setting the components of a security descriptor.

Windows NT version 4.0 introduces new functions for working with security descriptors: BuildSecurityDescriptor and LookupSecurityDescriptorParts.

The BuildSecurityDescriptor function allocates and initializes a new self-relative security descriptor. BuildSecurityDescriptor uses the EXPLICIT_ACCESS structure to specify information for the DACL and SACL; and it uses the TRUSTEE structure to specify the owner and primary group. BuildSecurityDescriptor can initialize the new security descriptor solely from the specified security information; or it can merge the specified security information with the information in an existing self-relative security descriptor.

The LookupSecurityDescriptorParts function retrieves information from an existing self-relative security descriptor. Like BuildSecurityDescriptor, the LookupSecurityDescriptorParts function uses the TRUSTEE and EXPLICIT_ACCESS structures. This makes it easy to call LookupSecurityDescriptorParts to extract security information from one security descriptor, and then call BuildSecurityDescriptor to use the extracted information in building another security descriptor.

The InitializeSecurityDescriptor function initializes an absolute-format security descriptor so that it has no owner, primary group, DACL, or SACL. You can then use other Win32 functions to set the components of the security descriptor.

Windows NT version 4.0 provides the GetSecurityInfo, SetSecurityInfo, GetNamedSecurityInfo, and SetNamedSecurityInfo functions to get and set the components of an object's security descriptor. In addition, you can use the following low-level functions to get or set specific components of a specified security descriptor. Note that the functions in this table that set a component work only with a security descriptor in absolute format.

Function	Description
GetSecurityDescriptorControl	Retrieves revision and control information from a security descriptor.
GetSecurityDescriptorDacl	Gets the discretionary ACL from a security descriptor.
GetSecurityDescriptorGroup	Retrieves the primary group security identifier (SID) from a security descriptor.
GetSecurityDescriptorLength	Returns the length of a security descriptor.
GetSecurityDescriptorOwner	Retrieves the owner SID from a security descriptor.
GetSecurityDescriptorSacl	Gets the system ACL from a security descriptor.
SetSecurityDescriptorDacl	Puts a discretionary ACL into a security descriptor, superseding any existing discretionary ACL.
SetSecurityDescriptorGroup	Sets the primary group SID of a security descriptor.
SetSecurityDescriptorOwner	Sets the owner SID of a security descriptor.
SetSecurityDescriptorSacl	Puts a system ACL into a security descriptor, superseding any existing system ACL.

To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor function.

Software for developers: Delphi Components
.Net Components
Software for Android Developers
More information resources: MegaDetailed.Net
Unix Manual Pages
Delphi Examples
Databases for Amazon shops developers: Amazon Categories Database
Browse Nodes Database