Security Descriptor Components - Win32 Programmer's Reference

Custom Search

Security Descriptor Components

A security descriptor is an opaque structure that consists of a SECURITY_DESCRIPTOR structure and its associated security information. The security information can include the following:

Security identifiers (SIDs) for the owner and primary group of an object.
A discretionary access-control list (DACL) that specifies the types of object access that the system grants to particular users or groups.
A system access-control list (SACL) that specifies the types of access attempts that generate audit records for the object.

Applications must not directly manipulate the contents of a security descriptor. The Win32 API provides functions for getting and setting the components of a security descriptor.

Windows NT version 4.0 introduces new functions for working with security descriptors: BuildSecurityDescriptor and LookupSecurityDescriptorParts.

The BuildSecurityDescriptor function allocates and initializes a new self-relative security descriptor. BuildSecurityDescriptor uses the EXPLICIT_ACCESS structure to specify information for the DACL and SACL; and it uses the TRUSTEE structure to specify the owner and primary group. BuildSecurityDescriptor can initialize the new security descriptor solely from the specified security information; or it can merge the specified security information with the information in an existing self-relative security descriptor.

The LookupSecurityDescriptorParts function retrieves information from an existing self-relative security descriptor. Like BuildSecurityDescriptor, the LookupSecurityDescriptorParts function uses the TRUSTEE and EXPLICIT_ACCESS structures. This makes it easy to call LookupSecurityDescriptorParts to extract security information from one security descriptor, and then call BuildSecurityDescriptor to use the extracted information in building another security descriptor.

The InitializeSecurityDescriptor function initializes an absolute-format security descriptor so that it has no owner, primary group, DACL, or SACL. You can then use other Win32 functions to set the components of the security descriptor.

Windows NT version 4.0 provides the GetSecurityInfo, SetSecurityInfo, GetNamedSecurityInfo, and SetNamedSecurityInfo functions to get and set the components of an object's security descriptor. In addition, you can use the following low-level functions to get or set specific components of a specified security descriptor. Note that the functions in this table that set a component work only with a security descriptor in absolute format.

Function	Description
GetSecurityDescriptorControl	Retrieves revision and control information from a security descriptor.
GetSecurityDescriptorDacl	Gets the discretionary ACL from a security descriptor.
GetSecurityDescriptorGroup	Retrieves the primary group security identifier (SID) from a security descriptor.
GetSecurityDescriptorLength	Returns the length of a security descriptor.
GetSecurityDescriptorOwner	Retrieves the owner SID from a security descriptor.
GetSecurityDescriptorSacl	Gets the system ACL from a security descriptor.
SetSecurityDescriptorDacl	Puts a discretionary ACL into a security descriptor, superseding any existing discretionary ACL.
SetSecurityDescriptorGroup	Sets the primary group SID of a security descriptor.
SetSecurityDescriptorOwner	Sets the owner SID of a security descriptor.
SetSecurityDescriptorSacl	Puts a system ACL into a security descriptor, superseding any existing system ACL.

To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor function.

Last news from Greatis Software

    Nostalgia .Net     .Net is powerful, but not all-powerful, so sometimes we need to use Win32 API for our .Net applications. It's simple enough with Platform Invoke if you have Win32 skill, but we do not always have time to dig the ancient documentation, declare the special types that are compatible with Win32, find the values of the Win32's constants and so on. Nostalgia .Net offers several simple-to-use classes, and components that will allow you to forget about the headache of Win32 and just use the power of Win32 in your application the same way as you use the native. Net classes. More »

Recommended software for developers

    Ultimate Pack     Component pack for Delphi and C++ Builder that contains runtime form designer, runtime object inspector, print suite and much more for the very special price. More »

    Form Designer .Net     Unique runtime form design solution that allows to edit any form in .Net WinForms application at runtime with full source codes for only 300 euro! More »

    Print Suite .Net     Print Suite .Net is a set of components for easy printing texts, images and grids from your WinForms applications. Full C# source codes are available More »

    Gradient Controls .Net     Gradient Controls .Net offers controls with gradient background feature. Labels, panels and so on... Full C# source codes are available More »

    Greatis iGrid     iGrid plots drawing grid right over your desktop, so you can use it everywhere, with any drawing application without any special plugins for different graphic editors. More »

All the contacts and projects

Dmitry Vasiliev (just.dmitry)

More Online Helps

Win32 Programmer's Reference
Win32 Multimedia Programmer's Reference
OLE Programmer's Reference
Microsoft Windows Pen API Programmer's Reference
Microsoft Windows Sockets 2 Reference
Microsoft Windows Telephony API (TAPI) Programmer's Reference
Unix Manual Pages

greatis just4fun network