SECURITY_DESCRIPTOR_CONTROL
The SECURITY_DESCRIPTOR_CONTROL data type is a set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.
typedef WORD SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;
Remarks
To get the control bits of a security descriptor, call the GetSecurityDescriptorControl function. To set the control bits of a security descriptor, use the functions for modifying security descriptors. For a list of these functions, see the See Also section.
Applications can use the SetSecurityDescriptorControl function to set the control bits that relate to automatic inheritance of ACEs.
The control value retrieved by the GetSecurityDescriptorControl function can include a combination of the following SECURITY_DESCRIPTOR_CONTROL bit flags.
| Value | Meaning |
|---|---|
| SE_DACL_AUTO_INHERIT_REQ 0x0100 |
Indicates a required security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag. |
| SE_DACL_AUTO_INHERITED 0x0400 |
Indicates a security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag. |
| SE_DACL_DEFAULTED 0x0008 |
Indicates a security descriptor with a default DACL. For example, if the creator an object does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set. This flag is used to determine how the final DACL on the object is to be computed and is not stored physically in the security descriptor control of the securable object. To set this flag, use the SetSecurityDescriptorDacl function. |
| SE_DACL_PRESENT 0x0004 |
Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone. This flag is used to hold the security information specified by a caller until the security descriptor is associated with a securable object. After the security descriptor is associated with a securable object, the SE_DACL_PRESENT flag is always set in the security descriptor control. To set this flag, use the SetSecurityDescriptorDacl function. |
| SE_DACL_PROTECTED 0x1000 |
Prevents the DACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function. |
| SE_GROUP_DEFAULTED 0x0002 |
Indicates that the security identifier (SID) of the security descriptor group was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose security descriptor group was set by a default mechanism. To set this flag, use the SetSecurityDescriptorGroup function. |
| SE_OWNER_DEFAULTED 0x0001 |
Indicates that the SID of the owner of the security descriptor was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose owner was set by a default mechanism. To set this flag, use the SetSecurityDescriptorOwner function. |
| SE_RM_CONTROL_VALID 0x4000 |
Indicates that the resource manager control is valid. |
| SE_SACL_AUTO_INHERIT_REQ 0x0200 |
Indicates a required security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function. |
| SE_SACL_AUTO_INHERITED 0x0800 |
Indicates a security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function. |
| SE_SACL_DEFAULTED 0x0008 |
A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set. To set this flag, use the SetSecurityDescriptorSacl function. |
| SE_SACL_PRESENT 0x0010 |
Indicates a security descriptor that has a SACL. To set this flag, use the SetSecurityDescriptorSacl function. |
| SE_SACL_PROTECTED 0x2000 |
Prevents the SACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function. |
| SE_SELF_RELATIVE 0x8000 |
Indicates a self-relative security descriptor. If this flag is not set, the security descriptor is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors. |
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client |
Windows XP [desktop apps only] |
| Minimum supported server |
Windows Server 2003 [desktop apps only] |
| Header |
|
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for