Home Library Learn Downloads Support Community
Sign in | United States - English | |
2 out of 10 rated this helpful - Rate this topic

SetSecurityInfo function

Applies to: desktop apps only

The SetSecurityInfo function sets specified security information in the security descriptor of a specified object. The caller identifies the object by a handle.

To set the SACL of an object, the caller must have the SE_SECURITY_NAME privilege enabled.

Syntax

Copy 
DWORD WINAPI SetSecurityInfo(
  __in      HANDLE handle,
  __in      SE_OBJECT_TYPE ObjectType,
  __in      SECURITY_INFORMATION SecurityInfo,
  __in_opt  PSID psidOwner,
  __in_opt  PSID psidGroup,
  __in_opt  PACL pDacl,
  __in_opt  PACL pSacl
);

Parameters

handle [in]

A handle to the object for which to set security information.

ObjectType [in]

A member of the SE_OBJECT_TYPE enumeration that indicates the type of object identified by the handle parameter.

SecurityInfo [in]

A set of bit flags that indicate the type of security information to set. This parameter can be a combination of the SECURITY_INFORMATION bit flags.

ValueMeaning
OWNER_SECURITY_INFORMATION
0x00000001

Include the owner.

GROUP_SECURITY_INFORMATION
0x00000002

Include the primary group.

DACL_SECURITY_INFORMATION
0x00000004

Include the discretionary access control list (DACL).

SACL_SECURITY_INFORMATION
0x00000008

Include the system access control list (SACL).

LABEL_SECURITY_INFORMATION
0x00000010

Include the mandatory integrity label access control entry (ACE).

ATTRIBUTE_SECURITY_INFORMATION
0x00000020

Include the attribute information of the SACL.

Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP:  This value is not supported.
SCOPE_SECURITY_INFORMATION
0x00000040

Include the central access policy (CAP) identifier of the SACL.

Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP:  This value is not supported.

 

psidOwner [in, optional]

A pointer to a SID that identifies the owner of the object. The SID must be one that can be assigned as the owner SID of a security descriptor. The SecurityInfo parameter must include the OWNER_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the owner SID.

psidGroup [in, optional]

A pointer to a SID that identifies the primary group of the object. The SecurityInfo parameter must include the GROUP_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the primary group SID.

pDacl [in, optional]

A pointer to the new DACL for the object. This parameter is ignored unless the value of the SecurityInfo parameter includes the DACL_SECURITY_INFORMATION flag. If the value of the SecurityInfo parameter includes the DACL_SECURITY_INFORMATION flag and the value of this parameter is set to NULL, full access to the object is granted to everyone. For information about null DACLs, see Creating a DACL.

pSacl [in, optional]

A pointer to the new SACL for the object. The SecurityInfo parameter must include the SACL_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the SACL.

Return value

If the function succeeds, the function returns ERROR_SUCCESS.

If the function fails, it returns a nonzero error code defined in WinError.h.

Remarks

If you are setting the discretionary access control list (DACL) or system access control list (SACL) of an object, the system automatically propagates any inheritable access control entries (ACEs) to existing child objects, according to the ACE inheritance rules.

You can use the SetSecurityInfo function with the following types of objects:

  • Local or remote files or directories on an NTFS
  • Named pipes
  • Local or remote printers
  • Local or remote Windows services
  • Network shares
  • Registry keys
  • Semaphores, events, mutexes, and waitable timers
  • Processes, threads, jobs, and file-mapping objects
  • Window stations and desktops
  • Directory service objects

The SetSecurityInfo function does not reorder access-allowed or access-denied ACEs based on the preferred order. When propagating inheritable ACEs to existing child objects, SetSecurityInfo puts inherited ACEs in order after all of the noninherited ACEs in the DACLs of the child objects.

Note  If share access to the children of the object is not available, this function will not propagate unprotected ACEs to the children. For example, if a directory is opened with exclusive access, the operating system will not propagate unprotected ACEs to the subdirectories or files of that directory when the security on the directory is changed.

Requirements

Minimum supported client

Windows XP

Minimum supported server

Windows Server 2003

Header
Aclapi.h

Library
Advapi32.lib

DLL
Advapi32.dll

See also

Access Control
Basic Access Control Functions
ACL
GetNamedSecurityInfo
GetSecurityInfo
SE_OBJECT_TYPE
SECURITY_DESCRIPTOR
SECURITY_INFORMATION
SetNamedSecurityInfo
SID

 

 

Send comments about this topic to Microsoft

Build date: 3/7/2012

Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ
WRITE_DAC needed as dwDesiredAccess to change the DACL on a file
In order to change the DACL, the WRITE_DAC bit needs to be OR-ed in in the dwDesiredAccess parameter to CreateFile In general, the requirements for different securable objects are described separately [File|Process|etc] Security and Access Rights e.g: http://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx
History
Not Immediate
While this method may return the access control change may not be fully propogated and may be performed in the background.
History