SYSTEM_MANDATORY_LABEL_ACE structure (winnt.h)

The SYSTEM_MANDATORY_LABEL_ACE structure defines an access control entry (ACE) for the system access control list (SACL) that specifies the mandatory access level and policy for a securable object.

Syntax

typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
  ACE_HEADER  Header;
  ACCESS_MASK Mask;
  DWORD       SidStart;
} SYSTEM_MANDATORY_LABEL_ACE, *PSYSTEM_MANDATORY_LABEL_ACE;

Members

Header

An ACE_HEADER structure that specifies the size and type of the ACE. The structure also contains flags that control inheritance of the ACE by child objects. The AceType member of the ACE_HEADER structure must be set to SYSTEM_MANDATORY_LABEL_ACE_TYPE, and the AceSize member must be set to the total number of bytes allocated for the SYSTEM_MANDATORY_LABEL_ACE structure.

Mask

The access policy for principals with a mandatory integrity level lower than the object associated with the SACL that contains this ACE.

Value: Meaning
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP (0x1): A principal with a lower mandatory level than the object cannot write to the object.
SYSTEM_MANDATORY_LABEL_NO_READ_UP (0x2): A principal with a lower mandatory level than the object cannot read the object.
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP (0x4): A principal with a lower mandatory level than the object cannot execute the object.

SidStart

Specifies the first DWORD of a SID. The remaining bytes of the SID are stored in contiguous memory after the SidStart member. The identifier authority of the SID must be SECURITY_MANDATORY_LABEL_AUTHORITY. The RID of the SID specifies the mandatory integrity level of the object associated with the SACL that contains this ACE. The RID must be one of the following values.

Value: Meaning
0x1000: Low integrity level.
0x2000: Medium integrity level.
0x3000: High integrity level.
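
The layout described under Members can be checked when auditing a raw SACL. The following parser is an added example, not part of the original reference page. It assumes a little-endian buffer and a label SID with a single subauthority (S-1-16-RID); label_info, parse_label_ace, integrity_name and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from winnt.h, repeated so this builds without the Windows headers. */
#define LABEL_ACE_TYPE  0x11u /* SYSTEM_MANDATORY_LABEL_ACE_TYPE */
#define LABEL_AUTHORITY 16u   /* SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16} */

typedef struct { uint32_t mask, rid; } label_info; /* hypothetical result type */

static uint32_t rd32le(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and fills *out, or a negative code for a malformed or non-label ACE. */
int parse_label_ace(const uint8_t *buf, size_t len, label_info *out) {
    static const uint8_t auth[6] = {0, 0, 0, 0, 0, LABEL_AUTHORITY};
    if (len < 20) return -1;                  /* 4 header + 4 Mask + 12-byte SID */
    if (buf[0] != LABEL_ACE_TYPE) return -2;  /* Header.AceType */
    size_t ace_size = buf[2] | (size_t)buf[3] << 8;  /* Header.AceSize */
    if (ace_size < 20 || ace_size > len) return -3;
    const uint8_t *sid = buf + 8;             /* SidStart: SID follows Mask */
    if (sid[0] != 1 || sid[1] != 1) return -4; /* assumed: revision 1, one subauthority */
    if (memcmp(sid + 2, auth, 6) != 0) return -5;
    out->mask = rd32le(buf + 4);
    out->rid = rd32le(sid + 8);               /* RID = integrity level */
    return 0;
}

/* Maps the RID to the levels listed on this page; anything else is "unlisted". */
const char *integrity_name(uint32_t rid) {
    switch (rid) {
    case 0x1000: return "low";
    case 0x2000: return "medium";
    case 0x3000: return "high";
    default:     return "unlisted";
    }
}

/* Constructed sample: label ACE for S-1-16-4096 with NO_WRITE_UP set. */
static const uint8_t sample_low_ace[20] = {
    0x11, 0x00, 0x14, 0x00,                         /* AceType, AceFlags, AceSize=20 */
    0x01, 0x00, 0x00, 0x00,                         /* Mask = 0x1 */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, /* rev, count, authority 16 */
    0x00, 0x10, 0x00, 0x00 };                       /* RID = 0x1000 */

int main(void) {
    label_info li;
    if (parse_label_ace(sample_low_ace, sizeof sample_low_ace, &li) == 0)
        printf("mask=0x%x level=%s\n", (unsigned)li.mask, integrity_name(li.rid));
    return 0;
}
```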

Requirements

Requirement: Value
Minimum supported client: Windows Vista [desktop apps only]
Minimum supported server: Windows Server 2008 [desktop apps only]
Header: winnt.h (include Windows.h)

See also

ACL