Access Control
A security descriptor's header contains a set of control flags that qualify the meaning of the security descriptor or its components. In Windows 2000, control flags play an important role in the automatic propagation of inheritable security information from parent (that is, container) objects to child (that is, contained) objects.
Security descriptor control flags are stored in a bit field and are turned on or off by setting individual bits. Table 12.5 lists the security descriptor control flags.
Table 12.5 Security Descriptor Control Flags
Flag | Meaning |
---|---|
SE_DACL_AUTO_INHERITED | Windows 2000: Inheritable ACEs in this object's DACL have been propagated to existing child objects. This flag is not set in security descriptors for Windows NT, which does not support automatic propagation of inheritable ACEs. |
SE_DACL_DEFAULTED | The DACL was provided by a default mechanism. This flag can affect how the operating system treats the DACL with respect to inheritance. The operating system ignores this flag if SE_DACL_PRESENT is not set. |
SE_DACL_PRESENT | The security descriptor has a DACL. Windows 2000: If this flag is not set (that is, if the security descriptor has no DACL), SE_DACL_PROTECTED must be set. Otherwise, the operating system considers the security descriptor invalid. |
SE_DACL_PROTECTED | Windows 2000: The security descriptor's DACL cannot be modified by inheritable ACEs. If this flag is not set, the security descriptor inherits information from the security descriptor on the parent object. |
SE_GROUP_DEFAULTED | The primary group SID was provided by a default mechanism. |
SE_OWNER_DEFAULTED | The owner SID was provided by a default mechanism. |
SE_SACL_AUTO_INHERITED | Windows 2000: Inheritable ACEs in this object's SACL have been propagated to existing child objects. This flag is not set in security descriptors for Windows NT, which does not support automatic propagation of inheritable ACEs. |
SE_SACL_DEFAULTED | The SACL was provided by a default mechanism. This flag can affect how the operating system treats the SACL with respect to inheritance. The operating system ignores this flag if SE_SACL_PRESENT is not set. |
SE_SACL_PRESENT | The security descriptor has a SACL. |
SE_SACL_PROTECTED | Windows 2000: The security descriptor's SACL cannot be modified by inheritable ACEs. |
SE_SELF_RELATIVE | The security descriptor is in self-relative format with all information in a contiguous block of memory. If this flag is not set, the security descriptor is in absolute format. |
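
The following added example (not part of the original text) reads the control bit field from a self-relative security descriptor header and applies the rules stated in the Meaning column of Table 12.5. The bit values are those defined in winnt.h and the header layout is the standard self-relative one; neither appears in this section. The function names and the sample header are constructed for illustration.

```python
import struct

# Bit values from winnt.h for the flags in Table 12.5 (not given in this section).
CONTROL_FLAGS = {
    0x0001: "SE_OWNER_DEFAULTED",
    0x0002: "SE_GROUP_DEFAULTED",
    0x0004: "SE_DACL_PRESENT",
    0x0008: "SE_DACL_DEFAULTED",
    0x0010: "SE_SACL_PRESENT",
    0x0020: "SE_SACL_DEFAULTED",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",
    0x2000: "SE_SACL_PROTECTED",
    0x8000: "SE_SELF_RELATIVE",
}

def read_control(sd: bytes) -> int:
    """Return the 16-bit control word from a self-relative descriptor header."""
    if len(sd) < 20:
        raise ValueError("shorter than the 20-byte self-relative header")
    # Header: Revision, Sbz1, Control, then Owner/Group/Sacl/Dacl offsets.
    revision, _sbz1, control, *_offsets = struct.unpack_from("<BBHIIII", sd)
    if revision != 1:
        raise ValueError(f"unexpected revision {revision}")
    if not control & 0x8000:
        raise ValueError("SE_SELF_RELATIVE not set: absolute format, not a byte blob")
    return control

def decode_flags(control: int) -> list[str]:
    """Names of the set flags, lowest bit first."""
    return [name for bit, name in sorted(CONTROL_FLAGS.items()) if control & bit]

def review(control: int) -> list[str]:
    """Apply the rules from the table's Meaning column to one control word."""
    flags, notes = set(decode_flags(control)), []
    for acl in ("DACL", "SACL"):
        if f"SE_{acl}_DEFAULTED" in flags and f"SE_{acl}_PRESENT" not in flags:
            notes.append(f"SE_{acl}_DEFAULTED is ignored: SE_{acl}_PRESENT is not set")
        if f"SE_{acl}_PROTECTED" in flags:
            notes.append(f"{acl} is protected: inheritable ACEs from the parent do not apply")
    # Windows 2000 rule from the SE_DACL_PRESENT row of the table.
    if "SE_DACL_PRESENT" not in flags and "SE_DACL_PROTECTED" not in flags:
        notes.append("invalid: no DACL and SE_DACL_PROTECTED is not set")
    return notes

# Constructed sample header: revision 1, control 0x9404, DACL at offset 20.
SAMPLE = struct.pack("<BBHIIII", 1, 0, 0x9404, 0, 0, 0, 20)
```
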