Platform SDK: Access Control

SECURITY_DESCRIPTOR_CONTROL

The SECURITY_DESCRIPTOR_CONTROL type is a set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.

typedef WORD SECURITY_DESCRIPTOR_CONTROL; 

Remarks

To get the control bits of a security descriptor, call the GetSecurityDescriptorControl function. To set the control bits of a security descriptor, use the Win32 functions for modifying security descriptors. These functions are listed in the See Also section.

Starting with Windows 2000, applications can use the SetSecurityDescriptorControl function to set the control bits that relate to automatic inheritance of ACEs.

The control value retrieved by the GetSecurityDescriptorControl function can include a combination of the following SECURITY_DESCRIPTOR_CONTROL bit flags:

Value Meaning
SE_DACL_AUTO_INHERITED Windows 2000: Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects.

The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.

This bit is not set in security descriptors for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

SE_DACL_DEFAULTED Indicates a security descriptor with a default DACL. For example, if an object's creator does not specify a DACL, the object receives the default DACL from the creator's access token. This flag can affect how the system treats the DACL, with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

To set this flag, use the SetSecurityDescriptorDacl function.

SE_DACL_PRESENT Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone.

To set this flag, use SetSecurityDescriptorDacl.

SE_DACL_PROTECTED Windows 2000: Prevents the DACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.
SE_GROUP_DEFAULTED A default mechanism, rather than the the original provider of the security descriptor, provided the security descriptor's group SID. To set this flag, use the SetSecurityDescriptorGroup function.
SE_OWNER_DEFAULTED A default mechanism, rather than the the original provider of the security descriptor, provided the security descriptor's owner security identifier (SID). To set this flag, use the SetSecurityDescriptorOwner function.
SE_SACL_AUTO_INHERITED Windows 2000: Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects.

The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.

This bit is not set in security descriptors for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

SE_SACL_DEFAULTED A default mechanism, rather than the the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set. To set this flag, use the SetSecurityDescriptorSacl function.
SE_SACL_PRESENT Indicates a security descriptor that has a SACL. To set this flag, use the SetSecurityDescriptorSacl function.
SE_SACL_PROTECTED Windows 2000: Prevents the SACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.
SE_SELF_RELATIVE Indicates a security descriptor in self-relative format with all the security information in a contiguous block of memory. If this flag is not set, the security descriptor is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.

Requirements

  Windows NT/2000: Requires Windows NT 3.1 or later.
  Header: Declared in Winnt.h; include Windows.h.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Structures, ConvertToAutoInheritPrivateObjectSecurity, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, GetSecurityDescriptorSacl, SetSecurityDescriptorControl, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorSacl