Low-level access-control provides a set of functions for creating a security descriptor and getting and setting the components of a security descriptor. The low-level functions for initializing and setting the components of a security descriptor work only with absolute-format security descriptors. The low-level functions for getting the components of a security descriptor work with both absolute and self-relative security descriptors.
The InitializeSecurityDescriptor function initializes a SECURITY_DESCRIPTOR buffer. The initialized security descriptor is in absolute format and has no owner, primary group, discretionary access-control list (DACL), or system access-control list (SACL). You can use the following low-level functions to get or set specific components of a specified security descriptor.
Function | Description |
---|---|
GetSecurityDescriptorControl | Retrieves revision and control information from a security descriptor. |
GetSecurityDescriptorDacl | Gets the DACL from a security descriptor. |
GetSecurityDescriptorGroup | Retrieves the primary group security identifier (SID) from a security descriptor. |
GetSecurityDescriptorLength | Returns the length of a security descriptor. |
GetSecurityDescriptorOwner | Retrieves the owner SID from a security descriptor. |
GetSecurityDescriptorSacl | Gets the SACL from a security descriptor. |
SetSecurityDescriptorDacl | Puts a DACL into a security descriptor, superseding any existing DACL. |
SetSecurityDescriptorGroup | Sets the primary group SID of a security descriptor. |
SetSecurityDescriptorOwner | Sets the owner SID of a security descriptor. |
SetSecurityDescriptorSacl | Puts a SACL into a security descriptor, superseding any existing SACL. |
To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor function.