Platform SDK: Access Control

EXPLICIT_ACCESS

The EXPLICIT_ACCESS structure specifies access-control information for a specified trustee. Access control functions, such as SetEntriesInAcl and GetExplicitEntriesFromAcl, use this structure to describe the information in an access-control entry (ACE) of an access-control list (ACL).

typedef struct _EXPLICIT_ACCESS {
  DWORD        grfAccessPermissions;
  ACCESS_MODE  grfAccessMode;
  DWORD        grfInheritance;
  TRUSTEE      Trustee;
} EXPLICIT_ACCESS, *PEXPLICIT_ACCESS;

Members

grfAccessPermissions
A set of bit flags that use the ACCESS_MASK format to specify the access rights that an ACE allows, denies, or audits for the trustee. The functions that use the EXPLICIT_ACCESS structure do not convert, interpret, or validate the bits in this mask.
grfAccessMode
Specifies a value from the ACCESS_MODE enumeration. For a discretionary ACL (DACL), this flag indicates whether the ACL allows or denies the specified access rights. For a system ACL (SACL), this flag indicates whether the ACL generates audit messages for successful attempts to use the specified access rights, or failed attempts, or both. When modifying an existing ACL, you can specify the REVOKE_ACCESS flag to remove any existing ACEs for the specified trustee.
grfInheritance
A set of bit flags that determines whether other containers or objects can inherit the ACE from the primary object to which the ACL is attached. The value of this member corresponds to the inheritance portion (low-order byte) of the AceFlags member of the ACE_HEADER structure. This parameter can be NO_INHERITANCE to indicate that the ACE is not inheritable; or it can be a combination of the following values.
Value Meaning
CONTAINER_INHERIT_ACE Other containers that are contained by the primary object inherit the ACE.
INHERIT_ONLY_ACE The ACE does not apply to the primary object to which the ACL is attached, but objects contained by the primary object inherit the ACE.
NO_PROPAGATE_INHERIT_ACE The OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags are not propagated to an inherited ACE.
OBJECT_INHERIT_ACE Noncontainer objects contained by the primary object inherit the ACE.
SUB_CONTAINERS_AND_OBJECTS_INHERIT Both containers and noncontainer objects that are contained by the primary object inherit the ACE. This flag corresponds to the combination of the CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE flags.
SUB_CONTAINERS_ONLY_INHERIT Other containers that are contained by the primary object inherit the ACE. This flag corresponds to the CONTAINER_INHERIT_ACE flag.
SUB_OBJECTS_ONLY_INHERIT Noncontainer objects contained by the primary object inherit the ACE. This flag corresponds to the OBJECT_INHERIT_ACE flag.

Trustee
A TRUSTEE structure that identifies the user, group, or program (such as a Win32 service) to which the ACE applies.

Requirements

  Windows NT/2000: Requires Windows NT 4.0 or later.
  Header: Declared in Accctrl.h.
  Unicode: Declared as Unicode and ANSI structures.

See Also

Access Control Overview, Access Control Structures, ACCESS_MODE, ACE, ACE_HEADER, ACL, BuildExplicitAccessWithName, BuildSecurityDescriptor, GetExplicitEntriesFromAcl, LookupSecurityDescriptorParts, SetEntriesInAcl, TRUSTEE