Platform SDK: Active Directory, ADSI, and Directory Services

Access Control

Access to directory service resources is granted or denied through access control entries (ACEs). An ACE defines an access or audit permission on an object for a specific user or group (the trustee). An access-control list (ACL) is the ordered collection of ACEs defined for an object. A security descriptor holds the object's owner, primary group, discretionary ACL (DACL, which grants or denies access) and system ACL (SACL, which audits access), and exposes properties and methods that create and manage those ACLs. For more information on security models, see the "Windows Base Services" section of the Microsoft Platform SDK or the Microsoft Windows 2000 Resource Kit.

ADSI clients call this interface:   To perform this action:
IADsAccessControlEntry               Read and write ACE properties.
IADsAccessControlList                Manage and enumerate all ACEs on a directory service object.
IADsSecurityDescriptor               Read and write security properties of a directory service object.

The following figure shows the traditional finance department example: the owner of a confidential document has the complete set of permissions for accessing it. The temporary help has no access to the document object. The other members of the finance department have read-only access.

The preceding figure shows that a property or attribute called "ntSecurityDescriptor" has been created for a generic directory service object. Because, like every ADSI object, it supports the IADs interface, it also has an ADsPath property; here its value is "LDAP://o=ms/ou=printers/cn=FancyExpensiveColorPrinter". The value of the "ntSecurityDescriptor" property is a pointer to an interface (IADsSecurityDescriptor) on a security descriptor object that, among other properties, has a property named "DiscretionaryAcl". This property contains a pointer to an interface (IADsAccessControlList) on an AccessControlList object that supplies a method to create an enumerator object, which in turn lets you list the individual AccessControlEntry objects (IADsAccessControlEntry) defined on the original directory object.

Most security checking algorithms have rules about the ordering of different types of ACEs; in the Windows canonical order, explicit ACEs precede inherited ones, and within each group access-denied ACEs precede access-allowed ACEs. ADSI neither sorts nor validates this order: it packs the ACEs in the order the client supplies when writing to the directory service and preserves the stored order when loading them. The client is therefore responsible for keeping the ACL canonical. In particular, IADsAccessControlList::AddAce appends to the end of the list, so an access-denied ACE added that way lands after existing allow ACEs and may not take effect as intended.
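The following PowerShell script is an added example, not code from the Platform SDK page. It walks the object chain described above (ntSecurityDescriptor to DiscretionaryAcl to the individual ACEs) through the ADSI COM interfaces, checks a DACL against the canonical ordering rule, and shows how to add an access-denied ACE without relying on AddAce's append-at-end behaviour by rebuilding the list. The ADsPath is the one from the figure; the trustee names and access masks in the constructed sample are assumptions, and the live functions require a Windows host with ADSI and a directory to bind to.

```powershell
# Added example (not from the original page). Requires Windows PowerShell or pwsh on Windows.
# ADSI enumeration values from the Platform SDK (ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM, ADS_RIGHTS_ENUM).
$ADS_ACETYPE_ACCESS_ALLOWED        = 0
$ADS_ACETYPE_ACCESS_DENIED         = 1
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
$ADS_ACETYPE_ACCESS_DENIED_OBJECT  = 6
$ADS_ACEFLAG_INHERITED_ACE         = 0x10
$ADS_RIGHT_DS_READ_PROP            = 0x10
$ADS_RIGHT_DS_WRITE_PROP           = 0x20
$DenyTypes = @($ADS_ACETYPE_ACCESS_DENIED, $ADS_ACETYPE_ACCESS_DENIED_OBJECT)

# Walk IADs -> IADsSecurityDescriptor -> IADsAccessControlList -> IADsAccessControlEntry.
function Get-DaclAces {
    param([string]$AdsPath)
    $obj  = [ADSI]$AdsPath                                   # IADs
    $sd   = $obj.psbase.InvokeGet('ntSecurityDescriptor')    # IADsSecurityDescriptor (COM)
    $dacl = $sd.DiscretionaryAcl                             # IADsAccessControlList
    foreach ($ace in $dacl) {                                # enumerator yields IADsAccessControlEntry
        [pscustomobject]@{
            Trustee    = $ace.Trustee
            AceType    = $ace.AceType
            AceFlags   = $ace.AceFlags
            AccessMask = $ace.AccessMask
        }
    }
}

# Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
# Returns $true when every ACE's rank is >= the rank of the ACE before it.
function Test-CanonicalDaclOrder {
    param([object[]]$Aces)
    $lastRank = -1
    foreach ($a in $Aces) {
        $inherited = (($a.AceFlags -band $ADS_ACEFLAG_INHERITED_ACE) -ne 0)
        $isDeny    = ($DenyTypes -contains $a.AceType)
        $rank = (2 * [int]$inherited) + [int](-not $isDeny)
        if ($rank -lt $lastRank) { return $false }
        $lastRank = $rank
    }
    return $true
}

# AddAce appends, so a new deny ACE is placed by rebuilding the DACL with it first,
# then committing the modified security descriptor back to the directory.
function Add-ExplicitDenyAce {
    param([string]$AdsPath, [string]$Trustee, [int]$AccessMask)
    $obj  = [ADSI]$AdsPath
    $sd   = $obj.psbase.InvokeGet('ntSecurityDescriptor')
    $old  = $sd.DiscretionaryAcl

    $deny = New-Object -ComObject AccessControlEntry          # ProgID for IADsAccessControlEntry
    $deny.Trustee    = $Trustee
    $deny.AceType    = $ADS_ACETYPE_ACCESS_DENIED
    $deny.AceFlags   = 0                                      # explicit, not inherited
    $deny.AccessMask = $AccessMask

    $new = New-Object -ComObject AccessControlList            # ProgID for IADsAccessControlList
    $new.AddAce($deny)                                        # deny goes first
    foreach ($ace in $old) { $new.AddAce($ace) }              # existing order preserved after it
    $new.AclRevision = $old.AclRevision

    $sd.DiscretionaryAcl = $new
    $obj.psbase.InvokeSet('ntSecurityDescriptor', $sd)
    $obj.psbase.CommitChanges()
}

# Constructed sample DACL (assumed trustees and masks) to exercise the order check offline.
$sample = @(
    [pscustomobject]@{ Trustee = 'ms\tempstaff'; AceType = 1; AceFlags = 0;    AccessMask = $ADS_RIGHT_DS_WRITE_PROP },
    [pscustomobject]@{ Trustee = 'ms\finance';   AceType = 0; AceFlags = 0;    AccessMask = $ADS_RIGHT_DS_READ_PROP },
    [pscustomobject]@{ Trustee = 'ms\admins';    AceType = 0; AceFlags = 0x10; AccessMask = $ADS_RIGHT_DS_READ_PROP }
)
"Canonical: $(Test-CanonicalDaclOrder $sample)"               # True
"Canonical after moving the deny last: $(Test-CanonicalDaclOrder ($sample[1..2] + $sample[0]))"   # False

# Live use against the printer object from the figure (assumed reachable):
# Get-DaclAces 'LDAP://o=ms/ou=printers/cn=FancyExpensiveColorPrinter' | Format-Table
# Add-ExplicitDenyAce 'LDAP://o=ms/ou=printers/cn=FancyExpensiveColorPrinter' 'ms\tempstaff' $ADS_RIGHT_DS_WRITE_PROP
```

Run Test-CanonicalDaclOrder on the output of Get-DaclAces before and after any change; the directory stores whatever order it is given, so an out-of-order list is only caught by the client.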