Platform SDK: Access Control
Each user and group SID in an access token has a set of attributes that control how the system uses the SID in an access check. The following table lists the attributes that control access checking.
Attribute | Description |
---|---|
SE_GROUP_ENABLED | A SID with this attribute is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied ACEs that apply to one of the enabled SIDs in the access token. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. |
SE_GROUP_USE_FOR_DENY_ONLY | Windows 2000: A SID with this attribute is a deny-only SID. When the system performs an access check, it checks for access-denied ACEs that apply to the SID, but ignores access-allowed ACEs for the SID. If this attribute is set, the SE_GROUP_ENABLED attribute is not set, and the SID cannot be re-enabled. |
To set or clear the SE_GROUP_ENABLED attribute of a group SID, use the AdjustTokenGroups function. You cannot disable a group SID that has the SE_GROUP_MANDATORY attribute. You cannot use AdjustTokenGroups to disable the user SID of an access token.
To determine whether a SID is enabled in a token, that is, whether it has the SE_GROUP_ENABLED attribute, call the CheckTokenMembership function.
To set the SE_GROUP_USE_FOR_DENY_ONLY attribute of a SID, include the SID in the list of deny-only SIDs that you specify when you call the CreateRestrictedToken function. CreateRestrictedToken can apply the SE_GROUP_USE_FOR_DENY_ONLY attribute to any SID, including the user SID and group SIDs that have the SE_GROUP_MANDATORY attribute. However, you cannot remove the deny-only attribute from a SID; nor can you use AdjustTokenGroups to set the SE_GROUP_ENABLED attribute on a deny-only SID.
To get the attributes of a SID, call the GetTokenInformation function with the TokenGroups value. The function returns an array of SID_AND_ATTRIBUTES structures that identify the group SIDs and their attributes.
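The following C program is an added example, not code from the Platform SDK page. It does two things: it encodes the table's rule (an enabled SID matches both ACE kinds, a deny-only SID matches only access-denied ACEs, any other SID is ignored) in a small decision function and runs it over a constructed in-memory token and DACL, where small integers stand in for real SIDs and the access check is simplified to first-match-per-right-bit; and, when built on Windows, it enumerates the groups of the current process token with GetTokenInformation and the TokenGroups value and prints each SID with its decoded attributes. The portable part compiles anywhere; the enumeration needs windows.h, sddl.h and advapi32.lib (ConvertSidToStringSidA is assumed to be available from that library). The scenario values are constructed for illustration.

```c
/* Added example, not code from the Platform SDK page: decode the attribute
 * flags of each group SID in a token and apply the table's rule for which
 * ACEs a SID can match. The rule and the simulated check are portable C;
 * the real enumeration with GetTokenInformation(TokenGroups) is Windows-only. */
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#else
/* Flag values from winnt.h so the decision logic also compiles elsewhere. */
#define SE_GROUP_MANDATORY          0x00000001u
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002u
#define SE_GROUP_ENABLED            0x00000004u
#define SE_GROUP_OWNER              0x00000008u
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010u
#endif

typedef enum { ACE_ALLOW, ACE_DENY } AceKind;

/* The table's rule: a deny-only SID matches only access-denied ACEs, an
 * enabled SID matches both kinds, any other SID is ignored entirely. */
bool sid_considered(uint32_t attrs, AceKind kind) {
    if (attrs & SE_GROUP_USE_FOR_DENY_ONLY) return kind == ACE_DENY;
    return (attrs & SE_GROUP_ENABLED) != 0;
}

/* Constructed in-memory token and DACL; small integers stand in for SIDs. */
typedef struct { int sid; uint32_t attrs; } TokenGroup;
typedef struct { AceKind kind; int sid; uint32_t mask; } Ace;

enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_EXEC = 4 };

/* Simplified access check: walk the DACL in order; for each right bit the
 * first ACE that names a SID the token may use wins. Returns granted mask. */
uint32_t granted_rights(const TokenGroup *tok, size_t ntok, const Ace *dacl, size_t nace) {
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < nace; i++) {
        for (size_t j = 0; j < ntok; j++) {
            if (tok[j].sid != dacl[i].sid || !sid_considered(tok[j].attrs, dacl[i].kind)) continue;
            uint32_t undecided = dacl[i].mask & ~(granted | denied);
            if (dacl[i].kind == ACE_DENY) denied |= undecided; else granted |= undecided;
        }
    }
    return granted;
}

/* Constructed scenario: SID 1 was marked deny-only (as CreateRestrictedToken
 * would do), SID 2 is enabled and mandatory, SID 3 is currently disabled. */
uint32_t demo_granted(void) {
    const TokenGroup tok[] = {
        { 1, SE_GROUP_USE_FOR_DENY_ONLY },
        { 2, SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED },
        { 3, SE_GROUP_ENABLED_BY_DEFAULT },  /* enabled by default, but SE_GROUP_ENABLED cleared */
    };
    const Ace dacl[] = {
        { ACE_DENY,  1, RIGHT_WRITE },                            /* honoured: deny ACE on deny-only SID */
        { ACE_ALLOW, 1, RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC },  /* ignored: allow ACE on deny-only SID */
        { ACE_ALLOW, 2, RIGHT_READ },                             /* honoured: SID enabled */
        { ACE_ALLOW, 3, RIGHT_EXEC },                             /* ignored: SID disabled */
    };
    return granted_rights(tok, 3, dacl, 4);  /* only RIGHT_READ survives */
}

#ifdef _WIN32
/* Enumerate the current process token's groups and print decoded attributes. */
int main(void) {
    HANDLE tok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 1;
    DWORD len = 0;
    GetTokenInformation(tok, TokenGroups, NULL, 0, &len);  /* size query */
    PTOKEN_GROUPS groups = (PTOKEN_GROUPS)LocalAlloc(LPTR, len);
    if (!groups || !GetTokenInformation(tok, TokenGroups, groups, len, &len)) return 1;
    for (DWORD i = 0; i < groups->GroupCount; i++) {
        LPSTR s = NULL;
        DWORD a = groups->Groups[i].Attributes;
        ConvertSidToStringSidA(groups->Groups[i].Sid, &s);
        printf("%-48s %s%s%s\n", s ? s : "?",
               (a & SE_GROUP_ENABLED) ? "ENABLED " : "",
               (a & SE_GROUP_USE_FOR_DENY_ONLY) ? "DENY_ONLY " : "",
               (a & SE_GROUP_MANDATORY) ? "MANDATORY" : "");
        LocalFree(s);
    }
    LocalFree(groups);
    CloseHandle(tok);
    return 0;
}
#else
int main(void) {
    printf("granted mask for constructed scenario: 0x%x\n", demo_granted());
    return 0;
}
#endif
```

On Windows, build with `cl sidattrs.c advapi32.lib` and run it in a normal and in a restricted or filtered (UAC) token to see which groups carry DENY_ONLY rather than ENABLED; those are exactly the SIDs that can still cause a denial but can never grant access, which is the point of the table.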