SECURITY_DESCRIPTOR_CONTROL

The SECURITY_DESCRIPTOR_CONTROL data type is a set of flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.

Syntax

enum SECURITY_DESCRIPTOR_CONTROL
{
    SE_OWNER_DEFAULTED                = 1,            //0x0001
    SE_GROUP_DEFAULTED                = 2,            //0x0002
    SE_DACL_PRESENT                   = 4,            //0x0004
    SE_DACL_DEFAULTED                 = 8,            //0x0008
    SE_SACL_PRESENT                   = 16,           //0x0010
    SE_SACL_DEFAULTED                 = 32,           //0x0020
    SE_DACL_AUTO_INHERIT_REQ          = 256,          //0x0100
    SE_SACL_AUTO_INHERIT_REQ          = 512,          //0x0200
    SE_DACL_AUTO_INHERITED            = 1024,         //0x0400
    SE_SACL_AUTO_INHERITED            = 2048,         //0x0800
    SE_DACL_PROTECTED                 = 4096,         //0x1000
    SE_SACL_PROTECTED                 = 8192,         //0x2000
    SE_RM_CONTROL_VALID               = 16384,        //0x4000
    SE_SELF_RELATIVE                  = 32768         //0x8000
}

Constants

  • SE_OWNER_DEFAULTED: Indicates that the SID of the owner of the security descriptor was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose owner was set by a default mechanism.

  • SE_GROUP_DEFAULTED: Indicates that the security identifier (SID) of the security descriptor group was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose security descriptor group was set by a default mechanism.

  • SE_DACL_PRESENT: Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone. This flag is used to hold the security information specified by a caller until the security descriptor is associated with a securable object. After the security descriptor is associated with a securable object, the SE_DACL_PRESENT flag is always set in the security descriptor control.

  • SE_DACL_DEFAULTED: Indicates a security descriptor with a default DACL. For example, if the creator of an object does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set. This flag is used to determine how the final DACL on the object is to be computed and is not stored physically in the security descriptor control of the securable object.

  • SE_SACL_PRESENT: Indicates a security descriptor that has a SACL.

  • SE_SACL_DEFAULTED: A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.

  • SE_DACL_AUTO_INHERIT_REQ: Indicates a required security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. For access control lists (ACLs) that support auto inheritance, this bit is always set.

  • SE_SACL_AUTO_INHERIT_REQ: Indicates a required security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

  • SE_DACL_AUTO_INHERITED: Indicates a security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. For access control lists (ACLs) that support auto inheritance, this bit is always set.

  • SE_SACL_AUTO_INHERITED: Indicates a security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects.

  • SE_DACL_PROTECTED: Prevents the DACL of the security descriptor from being modified by inheritable ACEs.

  • SE_SACL_PROTECTED: Prevents the SACL of the security descriptor from being modified by inheritable ACEs.

  • SE_RM_CONTROL_VALID: Indicates that the resource manager control is valid.

  • SE_SELF_RELATIVE: Indicates a self-relative security descriptor. If this flag is not set, the security descriptor is in absolute format.
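The SE_DACL_PRESENT and SE_SELF_RELATIVE rules above, as an added example (not code from this page or the product it documents): a portable C check that reads Control from a self-relative descriptor and reports whether it allows full access to everyone. The 20-byte header layout, the offset-0 encoding of a NULL DACL, the function names and the sample byte arrays are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values copied from the enum on this page. */
#define SE_DACL_PRESENT  0x0004
#define SE_SELF_RELATIVE 0x8000

enum dacl_state { SD_INVALID = -1, DACL_ABSENT, DACL_NULL, DACL_SET };

/* Constructed samples. Assumed layout: Revision, Sbz1, Control (16-bit LE),
   then 32-bit LE offsets for owner, group, SACL and DACL (20 bytes total). */
const uint8_t SD_NO_DACL[20]    = { 1, 0, 0x00, 0x80 };  /* Control 0x8000 */
const uint8_t SD_NULL_DACL[20]  = { 1, 0, 0x04, 0x80 };  /* Control 0x8004, DACL offset 0 */
const uint8_t SD_EMPTY_DACL[28] = { 1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0,
                                    20, 0, 0, 0,               /* DACL at offset 20 */
                                    2, 0, 8, 0, 0, 0, 0, 0 };  /* ACL header, zero ACEs */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reads Control and classifies the DACL of a self-relative descriptor. */
int sd_classify_dacl(const uint8_t *sd, size_t len, uint16_t *control) {
    if (len < 20 || sd[0] != 1) return SD_INVALID;          /* header must fit, Revision 1 */
    *control = (uint16_t)(sd[2] | sd[3] << 8);
    if (!(*control & SE_SELF_RELATIVE)) return SD_INVALID;  /* absolute format: pointers, not offsets */
    if (!(*control & SE_DACL_PRESENT)) return DACL_ABSENT;
    uint32_t off = le32(sd + 16);
    if (off == 0) return DACL_NULL;
    if (off < 20 || off > len - 8) return SD_INVALID;       /* 8-byte ACL header must fit */
    return DACL_SET;
}

/* Per the SE_DACL_PRESENT description: no DACL, or a NULL DACL, allows full access to everyone. */
int sd_allows_everyone(const uint8_t *sd, size_t len) {
    uint16_t control = 0;
    int state = sd_classify_dacl(sd, len, &control);
    return state == DACL_ABSENT || state == DACL_NULL;
}

int main(void) {
    printf("no DACL: %d, NULL DACL: %d, empty DACL: %d\n",
           sd_allows_everyone(SD_NO_DACL, sizeof SD_NO_DACL),
           sd_allows_everyone(SD_NULL_DACL, sizeof SD_NULL_DACL),
           sd_allows_everyone(SD_EMPTY_DACL, sizeof SD_EMPTY_DACL));
    return 0;
}
```

A descriptor without SE_SELF_RELATIVE is rejected rather than parsed, because its header fields are pointers and cannot be read as offsets from a byte buffer.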

Requirements

Minimum required version: 2009.1
