Platform SDK: Access Control

ACCESS_ALLOWED_OBJECT_ACE

The ACCESS_ALLOWED_OBJECT_ACE structure defines an access-control entry (ACE). The ACE can control access to an object, or to a subobject of an object, such as a property set or property. The ACE contains a set of access rights, a GUID that identifies the type of object or subobject, and a SID that identifies the trustee to whom the system will grant access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.

typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  DWORD Flags;
  GUID ObjectType;
  GUID InheritedObjectType;
  DWORD SidStart;
} ACCESS_ALLOWED_OBJECT_ACE, *PACCESS_ALLOWED_OBJECT_ACE;

Members

Header
An ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by child objects.
Mask
An ACCESS_MASK that specifies the access rights the system will allow to the trustee.
Flags
A set of bit flags that indicate whether the ObjectType and InheritedObjectType members are present. This parameter can be one or more of the following values.
Value Meaning
0 Neither ObjectType nor InheritedObjectType are present. The SidStart member follows immediately after the Flags member.
ACE_OBJECT_TYPE_PRESENT ObjectType is present and contains a GUID.

If this value is not specified, the InheritedObjectType member follows immediately after the Flags member.

ACE_INHERITED_OBJECT_TYPE_PRESENT InheritedObjectType is present and contains a GUID.

If this value is not specified, all types of child objects can inherit the ACE.


ObjectType
This member exists only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, the InheritedObjectType member follows immediately after the Flags member.

If this member exists, it is a GUID structure that identifies a property set, property, extended right, or type of child object. The purpose of this GUID depends on the access rights specified in the Mask member.
Access rights Meaning
ADS_RIGHT_DS_CONTROL_ACCESS The ObjectType GUID identifies an extended access right. For more information, see Extended Rights.
ADS_RIGHT_DS_CREATE_CHILD The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object.
ADS_RIGHT_DS_READ_PROP The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set.
ADS_RIGHT_DS_WRITE_PROP The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set.

InheritedObjectType
This member exists only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member.

If this member exists, it is a GUID structure that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects.

The offset of this member can vary. If the Flags member does not contain the ACE_OBJECT_TYPE_PRESENT flag, the InheritedObjectType member starts at the offset specified by the ObjectType member.

SidStart
Specifies the first DWORD of a SID that identifies the trustee to whom the access rights are granted.

The offset of this member can vary. If the Flags member is zero, the SidStart member starts at the offset specified by the ObjectType member. If Flags contains only one flag (either ACE_OBJECT_TYPE_PRESENT or ACE_INHERITED_OBJECT_TYPE_PRESENT), the SidStart member starts at the offset specified by the InheritedObjectType member.

Remarks

If neither the ObjectType nor InheritedObjectType GUID is specified, the ACCESS_ALLOWED_OBJECT_ACE structure has the same semantics as those used by the ACCESS_ALLOWED_ACE structure. In that case, use the ACCESS_ALLOWED_ACE structure because it is smaller and more efficient.

An ACL that contains an ACCESS_ALLOWED_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACL header.

Requirements

  Windows NT/2000: Requires Windows 2000.
  Header: Declared in Winnt.h; include Windows.h.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Structures, ACCESS_ALLOWED_ACE, ACCESS_DENIED_OBJECT_ACE, ACCESS_MASK, ACE_HEADER, ACL, AddAccessAllowedObjectAce, GUID, SID, SYSTEM_AUDIT_OBJECT_ACE