Access Control |
The operating system interprets the inheritance flags and other inheritance information according to the rules of ACE inheritance outlined in Table 12.12. These rules function the same for both DACLs and SACLs. When the operating system propagates inheritable ACEs to child objects, it observes the preferred (or canonical) order. After ACEs have been propagated, the system sets the INHERITED_ACE flag in all inherited ACEs.
Table 12.12 Rules of Inheritance
Parent ACE Inheritance Flags | Effect on Child ACL |
---|---|
No flags | None. |
OBJECT_INHERIT_ACE only | Noncontainer child objects: Inherited as an effective ACE.
Container child objects: Containers inherit an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE flag is also set. |
CONTAINER_INHERIT_ACE only | Noncontainer child objects: No effect on the child object.
Container child objects: The child object inherits an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is also set. |
CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE | Noncontainer child objects: Inherited as an effective ACE.
Container child objects: The child object inherits an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is also set. |
If an inherited ACE is an effective ACE for the child object, the system maps any generic rights to the specific rights for the child object. Similarly, the system maps generic SIDs, such as CREATOR_OWNER, to the appropriate SID. If an inherited ACE is an inherit-only ACE, any generic rights or generic SIDs are left unchanged so that they can be mapped appropriately when the ACE is inherited by the next generation of child objects.
When a container object inherits an ACE that is both effective on the container and inheritable by its descendants, the container might inherit two ACEs. This occurs if the inheritable ACE contains generic information. The container inherits an inherit-only ACE containing the generic information, and an effective ACE in which the generic information is mapped.
An object-specific ACE has an Inherited Object Type field that can contain a GUID to identify the type of object that can inherit the ACE. If the field does not contain a GUID, the inheritance rules are the same as for a standard ACE. If the field contains a GUID, the ACE is inheritable by objects that match the GUID if OBJECT_INHERIT_ACE is set, and by containers that match the GUID if CONTAINER_INHERIT_ACE is set.