Platform SDK: Access Control
The ACCESS_ALLOWED_OBJECT_ACE structure defines an access-control entry (ACE). The ACE can control access to an object, or to a subobject of an object, such as a property set or property. The ACE contains a set of access rights, a GUID that identifies the type of object or subobject, and a SID that identifies the trustee to whom the system will grant access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.
```c
typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
    ACE_HEADER  Header;
    ACCESS_MASK Mask;
    DWORD       Flags;
    GUID        ObjectType;
    GUID        InheritedObjectType;
    DWORD       SidStart;
} ACCESS_ALLOWED_OBJECT_ACE, *PACCESS_ALLOWED_OBJECT_ACE;
```
Flags: A set of bit flags that indicate whether the ObjectType and InheritedObjectType members are present. This member can be zero or any combination of the following values.

Value | Meaning |
---|---|
0 | Neither ObjectType nor InheritedObjectType is present. The SidStart member follows immediately after the Flags member. |
ACE_OBJECT_TYPE_PRESENT | ObjectType is present and contains a GUID. If this value is not specified, the InheritedObjectType member follows immediately after the Flags member. |
ACE_INHERITED_OBJECT_TYPE_PRESENT | InheritedObjectType is present and contains a GUID. If this value is not specified, all types of child objects can inherit the ACE. |
ObjectType: If this member exists, it is a GUID structure that identifies a property set, property, extended right, or type of child object. The purpose of this GUID depends on the access rights specified in the Mask member, as follows.
Access rights | Meaning |
---|---|
ADS_RIGHT_DS_CONTROL_ACCESS | The ObjectType GUID identifies an extended access right. For more information, see Extended Rights. |
ADS_RIGHT_DS_CREATE_CHILD | The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object. |
ADS_RIGHT_DS_READ_PROP | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set. |
ADS_RIGHT_DS_WRITE_PROP | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set. |
InheritedObjectType: If this member exists, it is a GUID structure that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects.
The offset of this member can vary. If the Flags member does not contain the ACE_OBJECT_TYPE_PRESENT flag, ObjectType is absent and the InheritedObjectType member starts at the offset that the structure declaration gives for ObjectType, that is, immediately after Flags.
SidStart: The first DWORD of a SID. The remaining bytes of the SID are stored in contiguous memory after the SidStart member. The offset of this member can vary. If the Flags member is zero, neither GUID is present and the SidStart member starts at the offset that the structure declaration gives for ObjectType. If Flags contains exactly one flag (either ACE_OBJECT_TYPE_PRESENT or ACE_INHERITED_OBJECT_TYPE_PRESENT), one GUID is present and SidStart starts at the offset given for InheritedObjectType. Only when both flags are set does SidStart lie at its declared offset.
If neither the ObjectType nor the InheritedObjectType GUID is specified, the ACCESS_ALLOWED_OBJECT_ACE structure has the same semantics as the ACCESS_ALLOWED_ACE structure. In that case, use ACCESS_ALLOWED_ACE instead, because it is smaller and more efficient.
An ACL that contains an ACCESS_ALLOWED_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACL header.
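The following C program is an added example; it is not part of this Platform SDK page nor of Winnt.h. It parses and builds ACCESS_ALLOWED_OBJECT_ACE records from their raw byte layout, applying the varying-offset rules given above for the Flags table and for the ObjectType, InheritedObjectType and SidStart members, and it cross-checks the SID's length (derived from its SubAuthorityCount) against the AceSize in ACE_HEADER so that a truncated or padded ACE is rejected rather than read past. The constant values are reproduced from Winnt.h and Iads.h so the program builds without the Windows SDK; the SID and GUID used in main are constructed sample data, and all function and type names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant values from Winnt.h and Iads.h, reproduced so this builds without the Windows SDK. */
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE    0x05
#define ACE_OBJECT_TYPE_PRESENT           0x1
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2
#define ADS_RIGHT_DS_WRITE_PROP           0x20
#define FIXED_LEN   12   /* ACE_HEADER (4) + Mask (4) + Flags (4): the part whose offsets never move */
#define SID_MIN_LEN 8    /* Revision, SubAuthorityCount and the 6-byte IdentifierAuthority */

/* Decoded view of one ACE (this example's own type). GUIDs are kept as the raw 16 bytes found in the buffer. */
typedef struct {
    uint8_t  ace_type, ace_flags; uint16_t ace_size;
    uint32_t mask, flags;
    uint8_t  object_type[16], inherited_object_type[16];   /* zero when the matching flag is clear */
    const uint8_t *sid; size_t sid_len;                   /* sid points into the caller's buffer at SidStart */
} object_ace_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Byte offset of SidStart for a given Flags value: 12, 28 or 44. This is the "offset can vary" rule. */
size_t sid_start_offset(uint32_t flags) {
    return FIXED_LEN + (flags & ACE_OBJECT_TYPE_PRESENT ? 16 : 0) + (flags & ACE_INHERITED_OBJECT_TYPE_PRESENT ? 16 : 0);
}

/* Length of a revision-1 SID from its SubAuthorityCount, or 0 if the header is invalid or cut off. */
static size_t sid_len_from_header(const uint8_t *sid, size_t avail) {
    if (avail < SID_MIN_LEN || sid[0] != 1 || sid[1] > 15) return 0;
    return SID_MIN_LEN + 4u * sid[1];
}

/* Parse one ACE. Returns 0 on success or a negative code for malformed or truncated input; never reads
   past min(len, AceSize) and insists that the SID exactly fills the remainder of the ACE. */
int parse_object_ace(const uint8_t *buf, size_t len, object_ace_t *out) {
    if (len < FIXED_LEN) return -1;
    memset(out, 0, sizeof *out);
    out->ace_type = buf[0]; out->ace_flags = buf[1]; out->ace_size = rd16(buf + 2);
    if (out->ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE) return -2;
    if (out->ace_size > len || out->ace_size < FIXED_LEN) return -3;   /* AceSize does not fit the buffer */
    out->mask = rd32(buf + 4); out->flags = rd32(buf + 8);
    if (out->flags & ~(uint32_t)(ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT)) return -4;

    size_t off = FIXED_LEN;
    if (out->flags & ACE_OBJECT_TYPE_PRESENT) {            /* ObjectType present: everything after it moves 16 */
        if (out->ace_size < off + 16) return -5;
        memcpy(out->object_type, buf + off, 16); off += 16;
    }
    if (out->flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {  /* InheritedObjectType present: another 16 */
        if (out->ace_size < off + 16) return -5;
        memcpy(out->inherited_object_type, buf + off, 16); off += 16;
    }
    /* SidStart is the first DWORD of the SID; the SID occupies the rest of the ACE. */
    size_t sid_len = sid_len_from_header(buf + off, out->ace_size - off);
    if (sid_len == 0 || off + sid_len != out->ace_size) return -6;     /* SID truncated, or slack bytes */
    out->sid = buf + off; out->sid_len = sid_len;
    return 0;
}

/* Render a binary SID as "S-1-5-21-...". Returns the number of characters written, or -1 on bad input. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t cap) {
    if (sid_len_from_header(sid, len) != len) return -1;
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | sid[2 + i];      /* IdentifierAuthority is big-endian */
    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)authority);
    for (unsigned i = 0; i < sid[1] && n > 0 && (size_t)n < cap; i++)       /* SubAuthority values are little-endian */
        n += snprintf(out + n, cap - (size_t)n, "-%u", (unsigned)rd32(sid + SID_MIN_LEN + 4 * i));
    return n;
}

/* Serialize an ACE. Pass NULL for an absent GUID; Flags is derived from which GUIDs are supplied.
   Returns the AceSize written, or 0 if the SID is invalid or the buffer is too small. */
size_t build_object_ace(uint8_t *buf, size_t cap, uint8_t ace_flags, uint32_t mask, const uint8_t *object_type,
                        const uint8_t *inherited_object_type, const uint8_t *sid, size_t sid_len) {
    uint32_t flags = (object_type ? ACE_OBJECT_TYPE_PRESENT : 0) | (inherited_object_type ? ACE_INHERITED_OBJECT_TYPE_PRESENT : 0);
    size_t off = sid_start_offset(flags), total = off + sid_len;
    if (sid_len_from_header(sid, sid_len) != sid_len || total > cap) return 0;
    buf[0] = ACCESS_ALLOWED_OBJECT_ACE_TYPE; buf[1] = ace_flags;
    buf[2] = (uint8_t)total; buf[3] = (uint8_t)(total >> 8);                  /* AceSize, little-endian */
    for (int i = 0; i < 4; i++) { buf[4 + i] = (uint8_t)(mask >> (8 * i)); buf[8 + i] = (uint8_t)(flags >> (8 * i)); }
    if (object_type)           memcpy(buf + FIXED_LEN, object_type, 16);
    if (inherited_object_type) memcpy(buf + off - 16, inherited_object_type, 16);
    memcpy(buf + off, sid, sid_len);
    return total;
}

int main(void) {
    /* Constructed sample data: the SID S-1-5-21-1-2-3-512 and an arbitrary GUID standing in for a property set. */
    static const uint8_t sid[] = {1, 5, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0,2,0,0};
    static const uint8_t guid[16] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x00};
    uint8_t ace[128]; object_ace_t a; char s[80];
    size_t n = build_object_ace(ace, sizeof ace, 0, ADS_RIGHT_DS_WRITE_PROP, guid, NULL, sid, sizeof sid);
    if (n == 0 || parse_object_ace(ace, n, &a) != 0 || sid_to_string(a.sid, a.sid_len, s, sizeof s) < 0) return 1;
    printf("AceSize=%u Flags=0x%x SidStart at offset %zu trustee=%s\n", (unsigned)a.ace_size, (unsigned)a.flags, sid_start_offset(a.flags), s);
    return 0;
}
```

With ObjectType present and no InheritedObjectType, the built ACE is 56 bytes and the SID begins at offset 28; with neither GUID the same SID begins at offset 12, which is exactly the ACCESS_ALLOWED_ACE layout. The parser trusts AceSize only after checking it against the buffer it was handed, and treats a SID that does not end exactly at AceSize as an error, since an ACL walker that advances by AceSize will otherwise desynchronize on the next entry.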
Windows NT/2000: Requires Windows 2000.
Header: Declared in Winnt.h; include Windows.h.
See also: Low-Level Access-Control Overview, Low-Level Access Control Structures, ACCESS_ALLOWED_ACE, ACCESS_DENIED_OBJECT_ACE, ACCESS_MASK, ACE_HEADER, ACL, AddAccessAllowedObjectAce, GUID, SID, SYSTEM_AUDIT_OBJECT_ACE