Platform SDK: DLLs, Processes, and Threads

Job Object Security and Access Rights

Windows NT/Windows 2000 security enables you to control access to job objects. For more information about security, see Access-Control Model.

You can specify a security descriptor for a job object when you call the CreateJobObject function. To get or set the security descriptor for a job object, call the GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, or SetSecurityInfo function.

The handle returned by CreateJobObject has JOB_OBJECT_ALL_ACCESS access to the job object. When you call the OpenJobObject function, the system checks the requested access rights against the object's security descriptor.

The valid access rights for job objects include the DELETE, READ_CONTROL, SYNCHRONIZE, WRITE_DAC, and WRITE_OWNER standard access rights, in addition to the following job-specific access rights.

Value                               Meaning
JOB_OBJECT_ASSIGN_PROCESS           Required to call the AssignProcessToJobObject function to assign processes to the job object.
JOB_OBJECT_SET_ATTRIBUTES           Required to call the SetInformationJobObject function to set the attributes of the job object.
JOB_OBJECT_QUERY                    Required to call the QueryInformationJobObject function to query job object attributes and accounting information.
JOB_OBJECT_TERMINATE                Required to call the TerminateJobObject function to terminate all processes in the job object.
JOB_OBJECT_SET_SECURITY_ATTRIBUTES  Required to call the SetInformationJobObject function with the JobObjectSecurityLimitInformation information class to set security limitations on the processes associated with the job object.
JOB_OBJECT_ALL_ACCESS               Combines all valid job object access rights.

You can request the ACCESS_SYSTEM_SECURITY access right to a job object if you want to read or write the object's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
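
Added example (not part of the original SDK page): a least-privilege audit helper that decodes an access mask taken from a job object's DACL entry into the rights listed above and reports the control rights it grants beyond what the trustee needs. The function names, the sample mask and the "monitor" role are assumptions made for illustration; the bit values are those defined in winnt.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bit values as in winnt.h, repeated so the audit logic builds on any host. */
#define JOB_OBJECT_ASSIGN_PROCESS          0x00000001u
#define JOB_OBJECT_SET_ATTRIBUTES          0x00000002u
#define JOB_OBJECT_QUERY                   0x00000004u
#define JOB_OBJECT_TERMINATE               0x00000008u
#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x00000010u
#define DELETE                             0x00010000u
#define READ_CONTROL                       0x00020000u
#define WRITE_DAC                          0x00040000u
#define WRITE_OWNER                        0x00080000u
#define SYNCHRONIZE                        0x00100000u
#define ACCESS_SYSTEM_SECURITY             0x01000000u
#define R(x) { x, #x }
static const struct { uint32_t bit; const char *name; } JOB_RIGHTS[] = {
    R(JOB_OBJECT_ASSIGN_PROCESS), R(JOB_OBJECT_SET_ATTRIBUTES), R(JOB_OBJECT_QUERY),
    R(JOB_OBJECT_TERMINATE), R(JOB_OBJECT_SET_SECURITY_ATTRIBUTES), R(DELETE),
    R(READ_CONTROL), R(WRITE_DAC), R(WRITE_OWNER), R(SYNCHRONIZE), R(ACCESS_SYSTEM_SECURITY),
};
/* Rights that change the job's membership, limits, lifetime or security. */
#define JOB_CONTROL_RIGHTS (JOB_OBJECT_ASSIGN_PROCESS | JOB_OBJECT_SET_ATTRIBUTES | \
    JOB_OBJECT_TERMINATE | JOB_OBJECT_SET_SECURITY_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER)

/* Writes the '|'-joined names of the rights set in mask (a name that does not
   fit is dropped) and returns the bits that are not in the table above. */
uint32_t job_mask_names(uint32_t mask, char *out, size_t cap) {
    size_t i, used = 0;
    if (cap) out[0] = '\0';
    for (i = 0; i < sizeof JOB_RIGHTS / sizeof JOB_RIGHTS[0]; i++) {
        if (!(mask & JOB_RIGHTS[i].bit)) continue;
        mask &= ~JOB_RIGHTS[i].bit;
        int n = snprintf(out + used, cap - used, "%s%s", used ? "|" : "", JOB_RIGHTS[i].name);
        if (n > 0 && (size_t)n < cap - used) used += (size_t)n;
        else if (cap) out[used] = '\0';
    }
    return mask;
}
/* Control rights an ACE grants beyond what the trustee's role needs. */
uint32_t job_excess_control(uint32_t granted, uint32_t needed) {
    return granted & ~needed & JOB_CONTROL_RIGHTS;
}
int main(void) {
    char names[256];
    /* Constructed sample: a monitor only needs to query and wait on the job. */
    uint32_t needed = JOB_OBJECT_QUERY | SYNCHRONIZE | READ_CONTROL;
    uint32_t excess = job_excess_control(0x001F001Fu, needed);
    job_mask_names(excess, names, sizeof names);
    printf("excess control rights 0x%08X: %s\n", (unsigned)excess, names);
    return 0;
}
```

A nonzero return value from job_mask_names means the mask carries bits outside the job-object rights on this page, for example a generic right that was not mapped before the mask was recorded.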