Platform SDK: Access Control

Creating or Modifying an ACL

Windows NT versions 4.0 and later support a set of functions for creating an access-control list (ACL) or for modifying the access-control entries (ACEs) in an existing ACL.

The SetEntriesInAcl function creates a new ACL. SetEntriesInAcl can specify a completely new set of ACEs for the ACL, or it can merge one or more new ACEs with the ACEs of an existing ACL. SetEntriesInAcl uses an array of EXPLICIT_ACCESS structures to specify the information for the new ACEs. Each EXPLICIT_ACCESS structure contains information that describes a single ACE. This information includes the access rights, the type of ACE, the flags that control ACE inheritance, and a TRUSTEE structure that identifies the trustee.

To add a new ACE to an existing ACL

  1. Use the GetSecurityInfo or GetNamedSecurityInfo function to get the existing DACL or SACL from an object's security descriptor.
  2. For each new ACE, call the BuildExplicitAccessWithName function to fill an EXPLICIT_ACCESS structure with the information that describes the ACE.
  3. Call SetEntriesInAcl, specifying the existing ACL and an array of EXPLICIT_ACCESS structures for the new ACEs. SetEntriesInAcl allocates and initializes the ACL and its ACEs.
  4. Call the SetSecurityInfo or SetNamedSecurityInfo function to attach the new ACL to the object's security descriptor.

If the caller specifies an existing ACL, SetEntriesInAcl merges the new ACE information with the existing ACEs in the ACL. Consider the case, for example, in which the existing ACL grants access to a specified trustee and an EXPLICIT_ACCESS structure denies access to the same trustee. In this case, SetEntriesInAcl adds a new access-denied ACE for the trustee and deletes or modifies the existing access-allowed ACE for the trustee.

For sample code that merges a new ACE into an existing ACL, see Modifying an Object's ACLs.