Prev Next

EXPLICIT_ACCESS info  Overview  Group

The EXPLICIT_ACCESS structure specifies access-control information for a specified trustee. Access control functions, such as SetEntriesInAcl and GetExplicitEntriesFromAcl, use this structure to describe the information in an access-control entry (ACE) of an access-control list (ACL). 

typedef struct _EXPLICIT_ACCESS {

    DWORD        grfAccessPermissions;

    ACCESS_MODE  grfAccessMode;

    DWORD        grfInheritance;

    TRUSTEE      Trustee;

} EXPLICIT_ACCESS, *PEXPLICIT_ACCESS;

 

Members

grfAccessPermissions
A set of bit flags that use the ACCESS_MASK format to specify the access rights that an ACE allows, denies, or audits for the trustee. The functions that use the EXPLICIT_ACCESS structure do not convert, interpret, or validate the bits in this mask.
grfAccessMode
Specifies a value from the ACCESS_MODE enumeration. For a discretionary ACL (DACL), this flag indicates whether the ACL allows or denies the specified access rights. For a system ACL (SACL), this flag indicates whether the ACL generates audit messages for successful attempts to use the specified access rights, or failed attempts, or both. When modifying an existing ACL, you can specify the REVOKE_ACCESS flag to remove any existing ACEs for the specified trustee.
grfInheritance
A set of bit flags that determines whether other containers or objects can inherit the ACE from the primary object to which the ACL is attached. The value of this member corresponds to the inheritance portion (low-order byte) of the AceFlags member of the ACE_HEADER structure. This parameter can be NO_INHERITANCE to indicate that the ACE is not inheritable; or it can be a combination of the following values.

Value

Meaning

CONTAINER_INHERIT_ACE

Other containers that are contained by the primary object inherit the ACE.

INHERIT_ONLY_ACE

The ACE does not apply to the primary object to which the ACL is attached, but objects contained by the primary object inherit the ACE.

NO_PROPAGATE_INHERIT_ACE

The OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags are not propagated to an inherited ACE.

OBJECT_INHERIT_ACE

Noncontainer objects contained by the primary object inherit the ACE.

SUB_CONTAINERS_ONLY_INHERIT

Other containers that are contained by the primary object inherit the ACE. This flag corresponds to the CONTAINER_INHERIT_ACE flag.

SUB_OBJECTS_ONLY_INHERIT

Noncontainer objects contained by the primary object inherit the ACE. This flag corresponds to the OBJECT_INHERIT_ACE flag.

SUB_CONTAINERS_AND_OBJECTS_INHERIT

Both containers and noncontainer objects that are contained by the primary object inherit the ACE. This flag corresponds to the combination of the CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE flags.

Trustee
A TRUSTEE structure that identifies the user, group, or program (such as a Windows NT service) to which the ACE applies.

See Also

ACCESS_MODE, ACE, ACE_HEADER, ACL, BuildExplicitAccessWithName, BuildSecurityDescriptor, GetExplicitEntriesFromAcl, LookupSecurityDescriptorParts, SetEntriesInAcl, TRUSTEE