MSDN Home >  MSDN Library >  Security >  SDK Documentation >  Authorization >  Authorization Reference >  Authorization Structures
 
Platform SDK: Security

ACL

The ACL structure is the header of an access control list (ACL). A complete ACL consists of an ACL structure followed by an ordered list of zero or more access control entries (ACEs).

typedef struct _ACL {
  BYTE AclRevision;
  BYTE Sbz1;
  WORD AclSize;
  WORD AceCount;
  WORD Sbz2;
} ACL, *PACL;

Members

AclRevision
Specifies the revision level of the ACL. This value should be ACL_REVISION. All ACEs in an ACL must be at the same revision level.

Windows 2000: If the ACL contains an object-specific ACE, this value must be ACL_REVISION_DS.

Sbz1
Specifies a zero byte of padding that aligns the AclRevision member on a 16-bit boundary.
AclSize
Specifies the size, in bytes, of the ACL. This value includes both the ACL structure and all the ACEs.
AceCount
Specifies the number of ACEs stored in the ACL.
Sbz2
Specifies two zero-bytes of padding that align the ACL structure on a 32-bit boundary.

Remarks

An ACL includes a sequential list of zero or more ACEs. The individual ACEs in an ACL are numbered from 0 to n, where n+1 is the number of ACEs in the ACL. When editing an ACL, an application refers to an ACE within the ACL by the ACE's index.

There are two types of ACL: discretionary and system.

A discretionary ACL is controlled by the owner of an object or anyone granted WRITE_DAC access to the object. It specifies the access particular users and groups can have to an object. For example, the owner of a file can use a discretionary ACL to control which users and groups can and cannot have access to the file.

An object can also have system-level security information associated with it, in the form of a system ACL controlled by a system administrator. A system ACL allows the system administrator to audit any attempts to gain access to an object.

The following ACE structures are currently defined.

ACE structure Description
ACCESS_ALLOWED_ACE Grants specified rights to a user or group. This ACE is stored in a discretionary ACL.
ACCESS_DENIED_ACE Denies specified rights to a user or group. This ACE is stored in a discretionary ACL.
SYSTEM_AUDIT_ACE Specifies what types of access will cause system-level audits. This ACE is stored in a system ACL.


A fourth ACE structure, SYSTEM_ALARM_ACE, is not currently supported.

The ACL structure is to be treated as though it were opaque and applications are not to attempt to work with its members directly. To ensure that ACLs are semantically correct, applications can use the functions listed in the See Also section to create and manipulate ACLs.

Each ACL and ACE structure begins on a doubleword boundary.

Requirements

Windows NT/2000/XP: Included in Windows NT 3.1 and later, Windows 2000, Windows XP, and Windows .NET Server 2003 family.
Windows 95/98/Me: Unsupported.
Header: Declared in Winnt.h; include Windows.h.

See Also

Access Control Overview, Basic Access Control Structures, AddAce, DeleteAce, GetAclInformation, GetSecurityDescriptorDacl, GetSecurityDescriptorSacl, InitializeAcl, IsValidAcl, SetAclInformation, SetSecurityDescriptorDacl, SetSecurityDescriptorSacl

Platform SDK Release: October 2002
What did you think of this topic?
Let us know.		 Order a Platform SDK CD Online
(U.S./Canada)   (International)

 
  Contact Us   |   E-Mail this Page   |   MSDN Flash Newsletter   |   Legal
  © 2002 Microsoft Corporation. All rights reserved.     Terms of Use    Privacy Statement     Accessibility