Access Control


Inheritance Flags

The header for an ACE contains a set of inheritance flags that control how the ACE is inherited and how the ACE affects a child object that inherits it. Table 12.11 lists the inheritance flags.

Table 12.11 Inheritance Flags

| Flag | Meaning |
| --- | --- |
| INHERITED_ACE | Windows 2000: The ACE was inherited from a parent object's DACL or SACL. This flag is not set in an explicit ACE—an ACE defined directly on the object. |
| INHERIT_ONLY_ACE | Indicates that this is an inherit-only ACE. The ACE is ignored during an access check but can be propagated to child objects. If this flag is not set, the ACE is an effective ACE—an ACE that is processed during an access check. Both effective and inherit-only ACEs can be inherited. Whether an ACE is inherited depends on the state of the flags for OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE. |
| CONTAINER_INHERIT_ACE | Container objects inherit this ACE as an effective ACE. When the ACE is inherited by a container object, the operating system clears the flag for INHERIT_ONLY_ACE. |
| OBJECT_INHERIT_ACE | Non-container objects inherit this ACE as an effective ACE. When the ACE is inherited by a non-container object, the operating system clears the flag for INHERIT_ONLY_ACE. Container objects also inherit this ACE but only for the purpose of inheritance. When the ACE is inherited by a container object, the operating system sets the flag for INHERIT_ONLY_ACE. |
| NO_PROPAGATE_INHERIT_ACE | If a child object inherits an ACE where this flag is set, the operating system clears the flags for OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE. This prevents the ACE from being inherited by subsequent generations of objects. |
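
The rules in Table 12.11 can be applied mechanically to predict which header flags a child's copy of an ACE will carry, which is useful when reviewing how far a permission on a container will spread. The following is an added example, not code from the original documentation: `child_ace_flags` is a hypothetical helper, the flag values are those defined in winnt.h, and the treatment of non-container copies and of the NO_PROPAGATE_INHERIT_ACE bit itself is an assumption marked in the comments.

```c
#include <stdio.h>

/* ACE header flag bits; values as defined in winnt.h, guarded for non-Windows builds. */
#ifndef OBJECT_INHERIT_ACE
#define OBJECT_INHERIT_ACE        0x01
#define CONTAINER_INHERIT_ACE     0x02
#define NO_PROPAGATE_INHERIT_ACE  0x04
#define INHERIT_ONLY_ACE          0x08
#define INHERITED_ACE             0x10
#endif

/* Hypothetical helper: computes the header flags a child's copy of an ACE gets.
 * Returns 1 and fills *child if the ACE is inherited, 0 if it is not. */
int child_ace_flags(unsigned parent, int child_is_container, unsigned *child)
{
    unsigned f = parent | INHERITED_ACE;          /* the copy is never explicit */

    if (child_is_container && (parent & CONTAINER_INHERIT_ACE)) {
        f &= ~INHERIT_ONLY_ACE;                   /* effective on the container */
    } else if (child_is_container && (parent & OBJECT_INHERIT_ACE)) {
        f |= INHERIT_ONLY_ACE;                    /* held only to pass on to objects */
    } else if (!child_is_container && (parent & OBJECT_INHERIT_ACE)) {
        f &= ~INHERIT_ONLY_ACE;                   /* effective on the object */
        /* Assumption beyond the table: a non-container has no children,
         * so its copy carries no propagation flags. */
        f &= ~(OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE);
    } else {
        return 0;                                 /* no matching inherit flag */
    }

    if (parent & NO_PROPAGATE_INHERIT_ACE) {
        /* One generation only: the child's copy cannot be inherited further.
         * Dropping NO_PROPAGATE itself as well is an assumption of this sketch. */
        f &= ~(OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE);
        if (f & INHERIT_ONLY_ACE)
            return 0;   /* inherit-only with nothing to propagate: no effect, omitted */
    }
    *child = f;
    return 1;
}

int main(void)
{
    unsigned parent = OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE;  /* constructed sample */
    unsigned dir = 0, file = 0;
    if (child_ace_flags(parent, 1, &dir))  printf("subcontainer: 0x%02x\n", dir);
    if (child_ace_flags(parent, 0, &file)) printf("object:       0x%02x\n", file);
    return 0;
}
```

Calling the helper again with a child's result as the new parent walks the ACE down further generations, which shows where an inherit-only ACE finally becomes effective.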

© 1985-2000 Microsoft Corporation. All rights reserved.