SECURITY_OBJECT structure (aclui.h)
The SECURITY_OBJECT structure contains the security object information.
Syntax
typedef struct _SECURITY_OBJECT {
PWSTR pwszName;
PVOID pData;
DWORD cbData;
PVOID pData2;
DWORD cbData2;
DWORD Id;
BOOLEAN fWellKnown;
} SECURITY_OBJECT, *PSECURITY_OBJECT;
Members
pwszName
A pointer to the name.
pData
A pointer to the security data.
cbData
The size, in bytes, of the data pointed to by the pData member. This may be zero if pData contains the data, such as when the data is an IUnknown interface pointer, a handle, or data specific to the resource manager that can be stored in pData directly without a memory allocation.
pData2
A pointer to the additional security data.
cbData2
The size, in bytes, of the data pointed to by the pData2 member. This may be zero if pData2 contains the data, such as when the data is an IUnknown interface pointer, a handle, or data specific to the resource manager that can be stored in pData2 directly without a memory allocation.
Id
The identifier for the security object's type. If the fWellKnown member is FALSE, then the Id member has no special significance other than to help resource managers distinguish it from other classes of security objects. If the fWellKnown member is TRUE, then the Id member is one of the following and the entire structure follows the corresponding representation.
| Value | Meaning |
|---|---|
|
The security descriptor of the resource.
If Id is set to this value, then pData points to a security descriptor and cbData is the number of bytes in pData. pData2 is NULL and cbData2 is 0. |
|
The security descriptor of a network share.
If Id is set to this value, then pData points to the ISecurityInformation interface of an object that represents the security context of the share. If the security descriptor is not yet available, then pData2 must be a handle to a waitable object that is signaled when the security descriptor is ready when the GetSecondarySecurity method returns S_FALSE. The waitable object should be created by the CreateEvent function. In this case, cbData2 is 0. This identifier is only applicable to file system objects. |
|
The security descriptor of a central access policy.
If Id is set to this value, then pData points to the security descriptor with an empty DACL, an owner, group, and attribute access control entries (ACEs) that match the resource's owner, group, and attributes as well as a SCOPE_SECURITY_INFORMATION_ACE that contains the central policy's ID. cbData is set to the number of bytes in pData. pData2 is NULL and cbData2 is 0. The security descriptor is constructed to allow computing effective permissions to correctly determine when access is limited by the central policy and higher detail of the central access rule cannot be determined. This is used when a central access policy that applies to a resource cannot be resolved into its elemental central access rules. |
|
The security descriptor of a central access rule.
If Id is set to this value, then pData points to the security descriptor with an owner, group, and attribute ACEs that match the resource's owner, group, and attributes, and a discretionary access control list (DACL) that matches the central access rule's DACL. cbData is set to the number of bytes in pData. In addition, pData2 points to a security descriptor with a DACL that contains a conditional ACE that grants 0x1 to Everyone if the resource condition from the central access rule evaluates to TRUE. cbData2 is set to the number of bytes in pData2. The security descriptor is constructed to allow computing effective permissions to determine when access is limited by the central access policy at the highest detail. That is, access is limited by pointing to a central policy rule. |
fWellKnown
TRUE if the security object represents one of the well-know security objects listed in the Id member.
Remarks
When the Id member the SECURITY_OBJECT structure is set to SECURITY_OBJECT_ID_CENTRAL_ACCESS_RULE, the ComputeEffectivePermissionWithSecondarySecurity method must use the pData2 member of first and only then evaluate the access using the pData member.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 8 [desktop apps only] |
| Minimum supported server | Windows Server 2012 [desktop apps only] |
| Header | aclui.h |
See also
IEffectivePermission2::ComputeEffectivePermissionWithSecondarySecurity
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for