Monday, March 25, 2013

USER AUTH LowLevel



Low-level Access Control

Low-level security functions help you work with security descriptors, access control lists (ACLs), and access control entries (ACEs).

For a description of the model, see Access Control Model.

| Topic | Description |
| --- | --- |
| Low-level Security Descriptor Functions | Functions for setting and retrieving an object's security descriptor. |
| Low-level Security Descriptor Creation | Functions for creating a security descriptor and getting and setting the components of a security descriptor. |
| Absolute and Self-Relative Security Descriptors | Functions for checking or converting between absolute or self-relative format. |
| Low-level ACL and ACE Functions | Functions for managing ACLs and ACEs. |

Absolute and Self-Relative Security Descriptors

A security descriptor can be in either absolute or self-relative format. In absolute format, a security descriptor contains pointers to its information, not the information itself. In self-relative format, a security descriptor stores a SECURITY_DESCRIPTOR structure and associated security information in a contiguous block of memory. To determine whether a security descriptor is self-relative or absolute, call the GetSecurityDescriptorControl function and check the SE_SELF_RELATIVE flag of the SECURITY_DESCRIPTOR_CONTROL parameter. You can use the MakeSelfRelativeSD and MakeAbsoluteSD functions for converting between these two formats.

The absolute format is useful when you are building a security descriptor and have pointers to all of the components, for example, when default settings for the owner, group, and discretionary ACL are available. In this case, you can call the InitializeSecurityDescriptor function to initialize a SECURITY_DESCRIPTOR structure, and then call functions such as SetSecurityDescriptorDacl to assign ACL and SID pointers to the security descriptor.

In self-relative format, a security descriptor always begins with a SECURITY_DESCRIPTOR structure, but the other components of the security descriptor can follow the structure in any order. Instead of using memory addresses, the security descriptor's components are identified by offsets from the beginning of the descriptor. This format is useful when a security descriptor must be stored on disk, transmitted by means of a communications protocol, or copied in memory.

Except for MakeAbsoluteSD, all functions that return a security descriptor do so using the self-relative format. Security descriptors passed as arguments to a function can be in either self-relative or absolute form. For more information, refer to the documentation for the function.
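The offset-based layout described above can be read without any Windows API, which is what a tool does when it inspects a descriptor that was stored on disk or received over a protocol. The following is an added example, not code from the original topic: it assumes the documented 20-byte self-relative header (Revision, Sbz1, Control, then owner, group, SACL and DACL offsets, all little-endian), and the names sd_is_self_relative, sd_sid_string and sample_sd are hypothetical. Every offset is bounds-checked before it is followed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SE_SELF_RELATIVE 0x8000u /* control bit value from winnt.h */
#define SD_HEADER_LEN 20u        /* Revision, Sbz1, Control, 4 offsets */

/* Constructed sample: owner S-1-5-18, group S-1-5-32-544, no SACL/DACL. */
static const uint8_t sample_sd[] = {
    0x01, 0x00, 0x00, 0x80, /* Revision=1, Sbz1, Control=0x8000 (LE) */
    0x14, 0x00, 0x00, 0x00, /* OffsetOwner = 20 */
    0x20, 0x00, 0x00, 0x00, /* OffsetGroup = 32 */
    0x00, 0x00, 0x00, 0x00, /* OffsetSacl  = 0 (absent) */
    0x00, 0x00, 0x00, 0x00, /* OffsetDacl  = 0 (absent) */
    1, 1, 0, 0, 0, 0, 0, 5, 0x12, 0, 0, 0,                  /* owner SID */
    1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0 /* group SID */
};

static uint32_t le32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if the buffer holds a revision-1 header with SE_SELF_RELATIVE set. */
int sd_is_self_relative(const uint8_t *sd, size_t len) {
    return len >= SD_HEADER_LEN && sd[0] == 1 &&
           ((sd[2] | (sd[3] << 8)) & SE_SELF_RELATIVE) != 0;
}

/* Format the SID whose offset is stored at header byte `field`
   (4 = owner, 8 = group). Returns 0, or -1 if the SID is absent or
   any part of it would fall outside the buffer. */
int sd_sid_string(const uint8_t *sd, size_t len, size_t field,
                  char *out, size_t outlen) {
    if (!sd_is_self_relative(sd, len) || field > 16) return -1;
    uint32_t off = le32(sd + field);
    if (off < SD_HEADER_LEN || off > len || len - off < 8) return -1;
    const uint8_t *sid = sd + off;
    size_t n = sid[1]; /* SubAuthorityCount */
    if (n > 15 || len - off < 8 + 4 * n) return -1;
    uint64_t auth = 0; /* 6-byte big-endian IdentifierAuthority */
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    int w = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0],
                     (unsigned long long)auth);
    for (size_t i = 0; i < n && w > 0 && (size_t)w < outlen; i++)
        w += snprintf(out + w, outlen - w, "-%u", (unsigned)le32(sid + 8 + 4 * i));
    return (w > 0 && (size_t)w < outlen) ? 0 : -1;
}
```

An absolute-format descriptor cannot be read this way, because its fields are process-local pointers rather than offsets; sd_is_self_relative rejects a buffer whose SE_SELF_RELATIVE bit is clear.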

Low-level Security Descriptor Creation

Low-level access control provides a set of functions for creating a security descriptor and getting and setting the components of a security descriptor. The low-level functions for initializing and setting the components of a security descriptor work only with absolute-format security descriptors. The low-level functions for getting the components of a security descriptor work with both absolute and self-relative security descriptors.

The InitializeSecurityDescriptor function initializes a SECURITY_DESCRIPTOR buffer. The initialized security descriptor is in absolute format and has no owner, primary group, discretionary access control list (DACL), or system access control list (SACL). You can use the following low-level functions to get or set specific components of a specified security descriptor.

| Function | Description |
| --- | --- |
| GetSecurityDescriptorControl | Retrieves revision and control information from a security descriptor. |
| GetSecurityDescriptorDacl | Retrieves the DACL from a security descriptor. |
| GetSecurityDescriptorGroup | Retrieves the primary group security identifier (SID) from a security descriptor. |
| GetSecurityDescriptorLength | Returns the length of a security descriptor. |
| GetSecurityDescriptorOwner | Retrieves the owner SID from a security descriptor. |
| GetSecurityDescriptorSacl | Retrieves the SACL from a security descriptor. |
| SetSecurityDescriptorDacl | Puts a DACL into a security descriptor, superseding any existing DACL. |
| SetSecurityDescriptorGroup | Sets the primary group SID of a security descriptor. |
| SetSecurityDescriptorOwner | Sets the owner SID of a security descriptor. |
| SetSecurityDescriptorSacl | Puts a SACL into a security descriptor, superseding any existing SACL. |

To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor function.

Build date: 10/26/2012
http://msdn.microsoft.com/en-us/library/aa379306(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/aa374807(v=vs.85).aspx
