Platform SDK: Access Control
The SetPrivateObjectSecurityEx function modifies the security descriptor of a private object. SetPrivateObjectSecurityEx has a flags parameter that allows you to specify whether the protected server supports automatic inheritance of ACEs.
```c
BOOL SetPrivateObjectSecurityEx (
  SECURITY_INFORMATION SecurityInformation,     // type
  PSECURITY_DESCRIPTOR ModificationDescriptor,  // new SD
  PSECURITY_DESCRIPTOR *SecurityDescriptor,     // SD
  ULONG AutoInheritFlags,                       // inheritance option
  PGENERIC_MAPPING GenericMapping,              // mapping
  HANDLE Token                                  // handle to client token
);
```
On input, SecurityDescriptor is the current security descriptor of the private object. The function modifies it to produce the new security descriptor. If necessary, the SetPrivateObjectSecurityEx function allocates additional memory to produce a larger security descriptor.
Value | Meaning |
---|---|
SEF_DACL_AUTO_INHERIT | If this flag is set, the DACL is treated as an auto-inherit DACL and is processed as described in the following Remarks section. This bit is ignored if DACL_SECURITY_INFORMATION is not set in the SecurityInformation parameter. |
SEF_SACL_AUTO_INHERIT | If this flag is set, the SACL is treated as an auto-inherit SACL and is processed as described in the following Remarks section. This bit is ignored if SACL_SECURITY_INFORMATION is not set in the SecurityInformation parameter. |
SEF_AVOID_PRIVILEGE_CHECK | If this flag is set, the Token parameter can be NULL, and the token is not checked to determine if the ModificationDescriptor is valid. This flag is useful while implementing automatic inheritance to avoid checking privileges on each child updated. |
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
If the AutoInheritFlags parameter is zero, SetPrivateObjectSecurityEx is identical to the SetPrivateObjectSecurity function.
The SetPrivateObjectSecurityEx function is successful only if the following conditions are met:
The process calling this function must not be impersonating a client.
If AutoInheritFlags specifies the SEF_DACL_AUTO_INHERIT bit, the function applies the following rules to the DACL to create the new security descriptor from the current descriptor:
An ACL editor should "gray" inherited ACEs to prevent them from being modified.
Ideally, an ACL editor should turn off the INHERITED_ACE bits, indicating to its caller that the ACEs inherited from the object's parent are now being explicitly set on the object.
If AutoInheritFlags specifies the SEF_SACL_AUTO_INHERIT bit, the function applies similar rules to the new SACL.
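The flag and caller rules above can be enforced before the call is made. The following is an added example, not code from the original Platform SDK page: the helper names `effective_flags`, `token_ok` and `set_private_sd_checked` are hypothetical, the non-Windows branch supplies constructed stand-ins carrying the winnt.h values, and rejecting a NULL token without SEF_AVOID_PRIVILEGE_CHECK is this example's conservative reading of the flag description.

```c
#include <stdbool.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#else /* constructed stand-ins with the winnt.h values, so the checks build anywhere */
typedef unsigned long ULONG;
typedef unsigned long SECURITY_INFORMATION;
#define DACL_SECURITY_INFORMATION 0x00000004UL
#define SACL_SECURITY_INFORMATION 0x00000008UL
#define SEF_DACL_AUTO_INHERIT     0x01UL
#define SEF_SACL_AUTO_INHERIT     0x02UL
#define SEF_AVOID_PRIVILEGE_CHECK 0x08UL
#endif

/* Clear auto-inherit bits that are ignored when the matching *_SECURITY_INFORMATION bit is absent. */
ULONG effective_flags(SECURITY_INFORMATION si, ULONG flags)
{
    if (!(si & DACL_SECURITY_INFORMATION)) flags &= ~(ULONG)SEF_DACL_AUTO_INHERIT;
    if (!(si & SACL_SECURITY_INFORMATION)) flags &= ~(ULONG)SEF_SACL_AUTO_INHERIT;
    return flags;
}

/* Assumption of this example: accept a NULL token only with SEF_AVOID_PRIVILEGE_CHECK. */
bool token_ok(ULONG flags, bool have_token)
{
    return have_token || (flags & SEF_AVOID_PRIVILEGE_CHECK) != 0;
}

#ifdef _WIN32
/* Hypothetical wrapper: reject bad argument combinations, then call the API. */
BOOL set_private_sd_checked(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR mod,
                            PSECURITY_DESCRIPTOR *sd, ULONG flags,
                            PGENERIC_MAPPING map, HANDLE token)
{
    HANDLE imp = NULL;
    /* The caller must not be impersonating; an open thread token means it is. */
    if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &imp)) {
        CloseHandle(imp);
        SetLastError(ERROR_ACCESS_DENIED); /* error code chosen by this example */
        return FALSE;
    }
    if (!token_ok(flags, token != NULL)) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    return SetPrivateObjectSecurityEx(si, mod, sd, effective_flags(si, flags),
                                      map, token);
}
#endif
```

A server that propagates inherited ACEs to many children would pass SEF_AVOID_PRIVILEGE_CHECK with a NULL token on the child updates, and keep the token check on the initial client-driven call.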
Windows NT/2000: Requires Windows 2000.
Header: Declared in Winbase.h; include Windows.h.
Library: Use Advapi32.lib.
Client/Server Access Control Overview, Client/Server Access Control Functions, CreatePrivateObjectSecurityEx, DestroyPrivateObjectSecurity, GENERIC_MAPPING, GetPrivateObjectSecurity, SECURITY_DESCRIPTOR, SECURITY_INFORMATION, SetFileSecurity, SetKernelObjectSecurity, SetUserObjectSecurity