SECURITY_INFORMATION
The SECURITY_INFORMATION data type identifies the object-related security information being set or queried. This security information includes:
- The owner of an object
- The primary group of an object
- The discretionary access control list (DACL) of an object
- The system access control list (SACL) of an object
typedef DWORD SECURITY_INFORMATION, *PSECURITY_INFORMATION;
Remarks
Some SECURITY_INFORMATION members work only with the SetNamedSecurityInfo function. These members are not returned in the structure returned by other security functions such as GetNamedSecurityInfo or ConvertStringSecurityDescriptorToSecurityDescriptor.
Each item of security information is designated by a bit flag. Each bit flag can be one of the following values. For more information, see the SetSecurityAccessMask and QuerySecurityAccessMask functions.
| Value | Right required to query | Right required to set | Meaning |
|---|---|---|---|
| ATTRIBUTE_SECURITY_INFORMATION | ACCESS_SYSTEM_SECURITY | ACCESS_SYSTEM_SECURITY | The security property of the object being referenced. |
| BACKUP_SECURITY_INFORMATION | READ_CONTROL or ACCESS_SYSTEM_SECURITY | WRITE_DAC or WRITE_OWNER or ACCESS_SYSTEM_SECURITY | The backup properties of the object being referenced. |
| DACL_SECURITY_INFORMATION | READ_CONTROL | WRITE_DAC | The DACL of the object is being referenced. |
| GROUP_SECURITY_INFORMATION | READ_CONTROL | WRITE_OWNER | The primary group identifier of the object is being referenced. |
| LABEL_SECURITY_INFORMATION | READ_CONTROL | WRITE_OWNER | The mandatory integrity label is being referenced. The mandatory integrity label is an ACE in the SACL of the object. |
| OWNER_SECURITY_INFORMATION | READ_CONTROL | WRITE_OWNER | The owner identifier of the object is being referenced. |
| PROTECTED_DACL_SECURITY_INFORMATION | Not available | WRITE_DAC | The DACL cannot inherit access control entries (ACEs). |
| PROTECTED_SACL_SECURITY_INFORMATION | Not available | ACCESS_SYSTEM_SECURITY | The SACL cannot inherit ACEs. |
| SACL_SECURITY_INFORMATION | ACCESS_SYSTEM_SECURITY | ACCESS_SYSTEM_SECURITY | The SACL of the object is being referenced. |
| SCOPE_SECURITY_INFORMATION | ACCESS_SYSTEM_SECURITY | ACCESS_SYSTEM_SECURITY | The Central Access Policy (CAP) identifier applicable on the object that is being referenced. Each CAP identifier is stored in a SYSTEM_SCOPED_POLICY_ID_ACE type in the SACL of the SD. |
| UNPROTECTED_DACL_SECURITY_INFORMATION | Not available | WRITE_DAC | The DACL inherits ACEs from the parent object. |
| UNPROTECTED_SACL_SECURITY_INFORMATION | Not available | ACCESS_SYSTEM_SECURITY | The SACL inherits ACEs from the parent object. |
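The rights columns in the table above determine the smallest access mask a handle needs before security information can be queried or set on it. The following is an added example, not code from the original page or from Microsoft: `required_access` is a hypothetical helper that covers only the owner, group, DACL, SACL, label and inheritance-protection flags, and the numeric constants are the winnt.h values restated so that it compiles without the Windows SDK.

```c
#include <stdint.h>
#include <stdio.h>

/* Numeric values as defined in winnt.h, restated so this builds without the Windows SDK. */
#define OWNER_SECURITY_INFORMATION            0x00000001u
#define GROUP_SECURITY_INFORMATION            0x00000002u
#define DACL_SECURITY_INFORMATION             0x00000004u
#define SACL_SECURITY_INFORMATION             0x00000008u
#define LABEL_SECURITY_INFORMATION            0x00000010u
#define PROTECTED_DACL_SECURITY_INFORMATION   0x80000000u
#define PROTECTED_SACL_SECURITY_INFORMATION   0x40000000u
#define UNPROTECTED_DACL_SECURITY_INFORMATION 0x20000000u
#define UNPROTECTED_SACL_SECURITY_INFORMATION 0x10000000u
#define READ_CONTROL           0x00020000u
#define WRITE_DAC              0x00040000u
#define WRITE_OWNER            0x00080000u
#define ACCESS_SYSTEM_SECURITY 0x01000000u

#define DACL_META (PROTECTED_DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION)
#define SACL_META (PROTECTED_SACL_SECURITY_INFORMATION | UNPROTECTED_SACL_SECURITY_INFORMATION)
#define HANDLED   (0x1Fu | DACL_META | SACL_META)  /* the nine flags defined above */

/* Hypothetical helper (not a Windows API): writes the access mask a handle needs
 * for the requested flags. Returns 0 on success, -1 if the request is rejected. */
int required_access(uint32_t si, int for_set, uint32_t *mask)
{
    uint32_t m = 0;
    if (si == 0 || (si & ~HANDLED)) return -1;  /* empty, or a flag this example does not cover */
    if (!for_set && (si & (DACL_META | SACL_META))) return -1;  /* "Not available" for query */
    /* This example's own sanity check: protect and unprotect together is a caller error. */
    if ((si & DACL_META) == DACL_META || (si & SACL_META) == SACL_META) return -1;

    if (si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION))
        m |= for_set ? WRITE_OWNER : READ_CONTROL;
    if (si & DACL_SECURITY_INFORMATION) m |= for_set ? WRITE_DAC : READ_CONTROL;
    if (si & DACL_META) m |= WRITE_DAC;
    if (si & (SACL_SECURITY_INFORMATION | SACL_META)) m |= ACCESS_SYSTEM_SECURITY;
    *mask = m;
    return 0;
}

int main(void)
{
    uint32_t m;
    uint32_t si = DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION;
    if (required_access(si, 1, &m) == 0) printf("set   0x%08X -> open with 0x%08X\n", (unsigned)si, (unsigned)m);
    if (required_access(si, 0, &m) != 0) printf("query 0x%08X -> rejected (set-only flag)\n", (unsigned)si);
    return 0;
}
```

Opening the handle with only the computed mask, rather than a broad right such as full control, keeps the operation least-privileged and makes an unexpected ACCESS_SYSTEM_SECURITY request stand out in review.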
Requirements
| Minimum supported client | Windows XP |
|---|---|
| Minimum supported server | Windows Server 2003 |
| Header | |
See also
- Access Control
- Basic Access Control Structures
- ConvertSecurityDescriptorToStringSecurityDescriptor
- ConvertStringSecurityDescriptorToSecurityDescriptor
- GetFileSecurity
- GetKernelObjectSecurity
- GetNamedSecurityInfo
- GetPrivateObjectSecurity
- GetSecurityInfo
- GetUserObjectSecurity
- QuerySecurityAccessMask
- SetFileSecurity
- SetKernelObjectSecurity
- SetNamedSecurityInfo
- SetPrivateObjectSecurity
- SetSecurityAccessMask
- SetSecurityInfo
- SetUserObjectSecurity
- TreeResetNamedSecurityInfo
- TreeSetNamedSecurityInfo
Build date: 11/15/2011
PROTECTED_DACL_SECURITY_INFORMATION and PROTECTED_SACL_SECURITY_INFORMATION are metaflags that confirm that you want to set the flag SE_DACL_PROTECTED (0x1000) or SE_SACL_PROTECTED (0x2000) in the security descriptor when calling the high-level security APIs SetNamedSecurityInfo or SetSecurityInfo. In a similar fashion, the metaflags UNPROTECTED_DACL_SECURITY_INFORMATION and UNPROTECTED_SACL_SECURITY_INFORMATION indicate that you want to clear the respective flags in the security descriptor. The low-level security APIs ignore the metaflags.
- 11/29/2007
- Gideon7
