Just as Windows NT uses security descriptors to control access to securable objects, a server can use security descriptors to control access to its private objects. For more information about the Windows NT security model, see Access Control Model.
A protected server can create a security descriptor with a DACL that specifies the types of access allowed for various trustees. In a simple case, the server could create a single security descriptor to control access to all of the server's data and functionality. For a finer granularity of protection, the server could create security descriptors for each of its private objects, or for different types of functionality.
For example, when a client asks the server to create a new object in a database, the server could create a security descriptor for the new private object. The server could then store the security descriptor with the private object in the database. When a client tries to access the object, the server retrieves the security descriptor to check the client's access rights. It is important to note that there is nothing in a security descriptor that associates it with the object or functionality it is protecting. Instead, it is up to the protected server to maintain the association.