|
Access-Control Lists (ACLs)
An access-control list (ACL) contains information that controls access to an
object or controls auditing of attempts to access an object. An ACL is an opaque
structure that you can attach to the security descriptor of an object.
An ACL begins with a header in the form of an ACL structure. The header contains information pertaining to the entire ACL,
including the revision level of the structure, the size (in bytes) of the ACL, and
the number of access-control entries (ACEs) in the list. To retrieve this
information, you can use the GetAclInformation function. To change the revision level, you can use the SetAclInformation function.
Following the ACL header is a list of access-control entries (ACEs). Each ACE specifies a trustee, a set of access rights, and a set of flags
that indicate whether the rights are allowed, denied, or audited for the trustee.
A trustee can be a user account, group account, or a logon account for a
program such as a Windows NT service.
Security descriptors use access-control lists to allow, deny, or audit attempts to access the
object to which the security descriptor is attached. A security descriptor can
contain two types of ACLs: a discretionary ACL (DACL) and a system ACL (SACL).
In a DACL, each ACE specifies the types of access that are allowed or denied
for a specified trustee. An object's owner controls the information in the
object's DACL. For example, the owner of a file can use a DACL to control which
users can have access to the file, and which users are denied access.
If the security descriptor for an object does not have a DACL, the object is
not protected and the system allows all attempts to access the object. However,
if an object has a DACL that contains no ACEs, the DACL does not grant any access rights. In this case, the system denies all attempts to access the object. For
information about setting an object's DACL, see Allowing Access.
In a SACL, each ACE specifies the types of access attempts by a specified
trustee that cause the system to generate audit records in the system event log. A
system administrator controls the information in the object's SACL. An ACE in a
SACL can generate audit records when an access attempt fails, when it
succeeds, or both. In future releases, a SACL will also be able to raise an alarm when
an unauthorized user attempts to gain access to an object.
Related Links
Software for Delphi and C++ Builder developers
Software for Visual Studio .NET developers
Software for Visual Basic 6 developers
Delphi Tips&Tricks
MegaDetailed.NET
TMS Scripter Studio Pro components for Delphi/C++Builder
More Online Helps
Win32 Multimedia Programmer's Reference (mmedia.hlp)
OLE Programmer's Reference (ole.hlp)
Microsoft Windows Pen API Programmer's Reference (penapi.hlp)
Microsoft Windows Sockets 2 Reference (sock2.hlp)
Microsoft Windows Telephony API (TAPI) Programmer's Reference (tapi.hlp)
Unix Manual Pages
|
