SetEntriesInAcl
[New
- Windows NT]
The SetEntriesInAcl
function creates a new access-control list (ACL) by merging new access-control
or audit-control information into an existing ACLLM6.T4.
DWORD SetEntriesInAcl(
|
ULONG cCountOfExplicitEntries, |
// number of entries in the list |
|
PEXPLICIT_ACCESS pListOfExplicitEntries, |
// pointer to list of entries with new access data |
|
PACL OldAcl, |
// pointer to the original ACL |
|
PACL * NewAcl |
// receives a pointer to the new ACL |
|
); |
|
Parameters
cCountOfExplicitEntries
Specifies the
number of EXPLICIT_ACCESS
structures in the pListOfExplicitEntries array.
pListOfExplicitEntries
Pointer to an
array of EXPLICIT_ACCESS structures that describe the access control
information to merge into the existing ACL.
OldAcl
Pointer to
the existing ACL. This parameter can be NULL, in which case, the function
creates a new ACL based on the EXPLICIT_ACCESS entries.
NewAcl
Pointer to a
variable that receives a pointer to the new ACL. If the function succeeds, you
must call the LocalFree
function to free the returned buffer.
Return Values
If the
function succeeds, the return value is ERROR_SUCCESS.
If the
function fails, the return value is a nonzero error code defined in WINERROR.H.
Remarks
Each entry in
the array of EXPLICIT_ACCESS structures specifies access-control or
audit-control information for a specified trustee. A trustee can be a user, group,
or other SID value, such as a logon identifier or logon type (for instance, a
Windows NT service or batch job). You can use a name or a security identifier (SID) to identify a trustee.
You can use
the SetEntriesInAcl function to modify the list of ACEs in a DACL or a
SACL. A DACL controls access to an object, and a SACL controls the system s
auditing of attempts to access to an object. Note that SetEntriesInAcl
does not prevent you from mixing access-control and audit-control information
in the same ACL;
however, the resulting ACL will contain meaningless entries.
For a DACL,
the grfAccessMode member of the EXPLICIT_ACCESS structure specifies whether
to allow, deny, or revoke access rights for the trustee. This member can
specify one of the following values from the ACCESS_MODE enumeration.
|
Value |
Meaning |
|
GRANT_ACCESS |
Creates a
new access-allowed ACE that combines the specified rights with any existing
rights of the trustee. The new ACE replaces any existing access-allowed ACE
for the trustee. The function also modifies or deletes any existing
access-denied ACE for the trustee that denies the specified rights. |
|
SET_ACCESS |
Similar to
GRANT_ACCESS except that the new access-allowed ACE allows only the specified
rights, discarding any existing rights. This flag also removes any existing
access-denied ACE for the trustee. |
|
DENY_ACCESS |
Creates a
new access-denied ACE that replaces any existing access-denied ACE for the
trustee. The new ACE denies the specified rights in addition to any currently
denied rights of the trustee. The function also modifies or deletes any
existing access-allowed ACE for the trustee that allows the specified rights. |
|
REVOKE_ACCESS |
Removes any
existing ACEs for the specified trustee. The function ignores the rights
specified in the grfAccessPermissions member of the EXPLICIT_ACCESS
structure. |
The SetEntriesInAcl
function places any new access-denied ACEs at the beginning of the list of ACEs
for the new ACL. It
places any new access-allowed ACEs just before any existing access-allowed
ACEs.
For a SACL,
the grfAccessMode member of the EXPLICIT_ACCESS structure can specify the
following values.
|
Value |
Meaning |
|
REVOKE_ACCESS |
Removes any
existing ACEs for the specified trustee. The function ignores the rights
specified in the grfAccessPermissions member of the EXPLICIT_ACCESS
structure. |
|
SET_AUDIT_SUCCESS |
Creates a
new system-audit ACE that replaces any existing system-audit ACE for the
trustee. The new ACE generates audit messages when the specified trustee
successfully uses the specified access rights. The new ACE combines the
specified rights with any existing audited access rights for the trustee. You
can combine this value with SET_AUDIT_FAILURE. |
|
SET_AUDIT_FAILURE |
Creates a
new system-audit ACE that replaces any existing system-audit ACE for the
trustee. The new ACE generates audit messages for failed attempts to use the
specified access rights. The new ACE combines the specified rights with any
existing audited access rights for the trustee. You can combine this value
with SET_AUDIT_SUCCESS. |
The SetEntriesInAcl
function places any new system-audit ACEs at the beginning of the list of ACEs
for the new ACL.
See Also