Platform SDK: Access Control |
When you open a handle to an object, the returned handle has some combination of access rights to the object. Some functions, such as CreateSemaphore, do not require you to specify a set of requested access rights; they always try to open the handle for full access. Other functions, such as CreateFile and OpenProcess, allow you to specify the set of access rights that you want. You should request only the access rights that you need, rather than opening a handle for full access. This prevents you from using the handle in a way that you didn't intend, and also increases the chances that your access request will succeed if the object's DACL only allows you limited access.
You can use generic access rights to specify the type of access you need when you are opening a handle to an object. This is typically simpler than specifying all the corresponding standard and specific rights. Alternatively, you can use the MAXIMUM_ALLOWED constant to request that the object be opened with all the access rights that are valid for the caller. Note that you cannot use the MAXIMUM_ALLOWED constant in an ACE.
To get or set the SACL in an object's security descriptor, you must request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.