Expand Minimize

SetPrivateObjectSecurity function

The SetPrivateObjectSecurity function modifies a private object's security descriptor.

To specify whether the protected server supports automatic inheritance of access control entries (ACEs), use the SetPrivateObjectSecurityEx function.

Syntax


BOOL WINAPI SetPrivateObjectSecurity(
  _In_      SECURITY_INFORMATION SecurityInformation,
  _In_      PSECURITY_DESCRIPTOR ModificationDescriptor,
  _Inout_   PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
  _In_      PGENERIC_MAPPING GenericMapping,
  _In_opt_  HANDLE Token
);

Parameters

SecurityInformation [in]

Indicates the parts of the security descriptor to set. This value can be a combination of the SECURITY_INFORMATION bit flags.

ModificationDescriptor [in]

A pointer to a SECURITY_DESCRIPTOR structure. The parts of this security descriptor indicated by the SecurityInformation parameter are applied to the ObjectsSecurityDescriptor security descriptor.

ObjectsSecurityDescriptor [in, out]

A pointer to a pointer to a SECURITY_DESCRIPTOR structure. This security descriptor must be in self-relative form.

On input, this is the current security descriptor of the private object. The function modifies it to produce the new security descriptor. If necessary, the SetPrivateObjectSecurity function allocates additional memory to produce a larger security descriptor.

GenericMapping [in]

A pointer to a GENERIC_MAPPING structure that specifies the specific and standard access rights that correspond to each of the generic access rights.

Token [in, optional]

A handle to the access token for the client on whose behalf the private object's security is being modified. This parameter is required to ensure that the client has provided a legitimate value for a new owner security identifier (SID). The token must be open for TOKEN_QUERY access.

Return value

If the function succeeds, the function returns nonzero.

If the function fails, it returns zero. To get extended error information, call GetLastError.

Remarks

This function is intended for use by resource managers only. To implement the standard access control semantics for updating security descriptors, a resource manager should verify that the following conditions are met before calling SetPrivateObjectSecurity:

  • If the object's owner is being set, the calling process must have either WRITE_OWNER permission or be the object's owner.
  • If the object's discretionary access control list (DACL) is being set, the calling process must have either WRITE_DAC permission or be the object's owner.
  • If the object's system access control list (SACL) is being set, the SE_SECURITY_NAME privilege must be enabled for the calling process.

If the preceding conditions are not met, a call to this function does not fail; however, standard access policy is not enforced.

The process calling this function should not be impersonating a client because clients do not typically have appropriate privileges required for underlying token operations.

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Winbase.h (include Windows.h)

Library

Advapi32.lib

DLL

Advapi32.dll

See also

Client/Server Access Control Overview
Client/Server Access Control Functions
CreatePrivateObjectSecurity
DestroyPrivateObjectSecurity
GENERIC_MAPPING
GetPrivateObjectSecurity
SECURITY_DESCRIPTOR
SECURITY_INFORMATION
SetFileSecurity
SetKernelObjectSecurity
SetPrivateObjectSecurityEx
SetUserObjectSecurity

 

 

Community Additions

ADD
Show:
© 2014 Microsoft