
Win32_ACE class

The Win32_ACE abstract WMI class specifies an access control entry (ACE). An ACE grants permission to execute a restricted operation, such as writing to a file or formatting a disk. An ACE that is specific to WMI allows logon, remote access, method execution, and writing to the WMI repository.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties are listed in alphabetic order, not MOF order.

Inheritance

Windows Server 2003:  Inherits from Win32_MethodParameterClass.

Syntax

class Win32_ACE : __ACE
{
  uint32        AccessMask;
  uint32        AceFlags;
  uint32        AceType;
  string        GuidInheritedObjectType;
  string        GuidObjectType;
  Win32_Trustee Trustee;
};

Members

The Win32_ACE class has these types of members:

Properties

The Win32_ACE class has these properties.

AccessMask
Data type: uint32
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Bit flags that indicate rights granted or denied to the trustee. For more information, see the Remarks section of this topic.

| Constant | Value | Meaning |
|---|---|---|
| FILE_READ_DATA (file) or FILE_LIST_DIRECTORY (directory) | 1 (0x1) | Grants the right to read data from the file. For a directory, this value grants the right to list the contents of the directory. |
| FILE_WRITE_DATA (file) or FILE_ADD_FILE (directory) | 2 (0x2) | Grants the right to write data to the file. For a directory, this value grants the right to create a file in the directory. |
| FILE_APPEND_DATA (file) or FILE_ADD_SUBDIRECTORY (directory) | 4 (0x4) | Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory. |
| FILE_READ_EA | 8 (0x8) | Grants the right to read extended attributes. |
| FILE_WRITE_EA | 16 (0x10) | Grants the right to write extended attributes. |
| FILE_EXECUTE (file) or FILE_TRAVERSE (directory) | 32 (0x20) | Grants the right to execute a file. For a directory, the directory can be traversed. |
| FILE_DELETE_CHILD | 64 (0x40) | Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only. |
| FILE_READ_ATTRIBUTES | 128 (0x80) | Grants the right to read file attributes. |
| FILE_WRITE_ATTRIBUTES | 256 (0x100) | Grants the right to change file attributes. |
| DELETE | 65536 (0x10000) | Grants delete access. |
| READ_CONTROL | 131072 (0x20000) | Grants read access to the security descriptor and owner. |
| WRITE_DAC | 262144 (0x40000) | Grants write access to the discretionary access control list (ACL). |
| WRITE_OWNER | 524288 (0x80000) | Grants the right to change the owner of the object. |
| SYNCHRONIZE | 1048576 (0x100000) | Synchronizes access and allows a process to wait for an object to enter the signaled state. |

AceFlags
Data type: uint32
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Bit flags that specify inheritance of the ACE. The following table lists the relevant permission values for AceFlags.

| Permission | Value | Meaning |
|---|---|---|
| OBJECT_INHERIT_ACE | 1 (0x1) | Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set. |
| CONTAINER_INHERIT_ACE | 2 (0x2) | Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set. |
| NO_PROPAGATE_INHERIT_ACE | 4 (0x4) | If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects. |
| INHERIT_ONLY_ACE | 8 (0x8) | Indicates an inherit-only ACE which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE which controls access to the object to which it is attached. Both effective and inherit-only ACEs can be inherited depending on the state of the other inheritance flags. |
| INHERITED_ACE | 16 (0x10) | The system sets this bit when it propagates an inherited ACE to a child object. |

The following table lists two possible values for AceFlags that pertain only to an ACE contained within a system access control list (SACL).

| Permission | Value | Meaning |
|---|---|---|
| SUCCESSFUL_ACCESS_ACE_FLAG | 64 (0x40) | Used with system-audit ACEs in an SACL to generate audit messages for successful access attempts. |
| FAILED_ACCESS_ACE_FLAG | 128 (0x80) | Used with system-audit ACEs in an SACL to generate audit messages for failed access attempts. |

AceType
Data type: uint32
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Type of ACE.

| Value | Meaning |
|---|---|
| 0 | Access Allowed |
| 1 | Access Denied |
| 2 | Audit |

GuidInheritedObjectType
Data type: string
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Globally unique identifier (GUID) associated with the parent of the object to which these rights apply.

Windows Server 2003:  This property is not available.

GuidObjectType
Data type: string
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

GUID associated with the type of object to which these rights apply.

Windows Server 2003:  This property is not available.

Trustee
Data type: Win32_Trustee
Access type: Read/write
Qualifiers: WritePrivileges(SeSecurityPrivilege, SeRestorePrivilege)

Object representing the user account, group account, or logon session to which an ACE applies.

Remarks

The Win32_ACE class is derived from Win32_MethodParameterClass.

In the AccessMask property, the values of the individual rights are added together to form the value. For example, to grant the access permissions FILE_WRITE_ATTRIBUTES, FILE_READ_EA, and FILE_WRITE_EA, you add the associated values 256, 8, and 16. In this example, the value of AccessMask is 280.

Some values have different meanings depending on whether the AccessMask property is associated with a file or a directory. For example, when working with a file, the value 4 means FILE_APPEND_DATA, the right to append data to the file. The same value, when associated with a directory, means FILE_ADD_SUBDIRECTORY and grants the right to create a subdirectory.
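The decoding described in the Remarks and in the property tables above, as an added example that is not part of the original documentation or of any Microsoft code. It uses only the values listed on this page; the names `decode_ace` and `_names` and the `UNLISTED(...)` label for bits this page does not tabulate are hypothetical.

```python
# Added example: decode Win32_ACE fields with the values tabulated on this page.
ACCESS_RIGHTS = [  # (bit, name on a file, name on a directory)
    (0x1, "FILE_READ_DATA", "FILE_LIST_DIRECTORY"),
    (0x2, "FILE_WRITE_DATA", "FILE_ADD_FILE"),
    (0x4, "FILE_APPEND_DATA", "FILE_ADD_SUBDIRECTORY"),
    (0x8, "FILE_READ_EA", "FILE_READ_EA"),
    (0x10, "FILE_WRITE_EA", "FILE_WRITE_EA"),
    (0x20, "FILE_EXECUTE", "FILE_TRAVERSE"),
    (0x40, "FILE_DELETE_CHILD", "FILE_DELETE_CHILD"),
    (0x80, "FILE_READ_ATTRIBUTES", "FILE_READ_ATTRIBUTES"),
    (0x100, "FILE_WRITE_ATTRIBUTES", "FILE_WRITE_ATTRIBUTES"),
    (0x10000, "DELETE", "DELETE"),
    (0x20000, "READ_CONTROL", "READ_CONTROL"),
    (0x40000, "WRITE_DAC", "WRITE_DAC"),
    (0x80000, "WRITE_OWNER", "WRITE_OWNER"),
    (0x100000, "SYNCHRONIZE", "SYNCHRONIZE"),
]
ACE_FLAGS = [
    (0x1, "OBJECT_INHERIT_ACE"), (0x2, "CONTAINER_INHERIT_ACE"),
    (0x4, "NO_PROPAGATE_INHERIT_ACE"), (0x8, "INHERIT_ONLY_ACE"),
    (0x10, "INHERITED_ACE"),
    (0x40, "SUCCESSFUL_ACCESS_ACE_FLAG"), (0x80, "FAILED_ACCESS_ACE_FLAG"),  # SACL only
]
ACE_TYPES = {0: "Access Allowed", 1: "Access Denied", 2: "Audit"}


def _names(value, table):
    """Split a bit field into known names plus any bits the table lacks."""
    names = [name for bit, name in table if value & bit]
    unknown = value & ~sum(bit for bit, _ in table)
    if unknown:
        names.append("UNLISTED(0x%X)" % unknown)
    return names


def decode_ace(access_mask, ace_flags, ace_type, is_directory=False):
    """Return a readable view of one ACE's AccessMask, AceFlags and AceType."""
    col = 2 if is_directory else 1  # files and directories name some bits differently
    return {
        "type": ACE_TYPES.get(ace_type, "Unlisted type %d" % ace_type),
        "rights": _names(access_mask, [(r[0], r[col]) for r in ACCESS_RIGHTS]),
        "flags": _names(ace_flags, ACE_FLAGS),
        # An inherit-only ACE does not control access to the object it is attached to.
        "effective_on_object": not ace_flags & 0x8,
        "inherited": bool(ace_flags & 0x10),
    }

if __name__ == "__main__":
    print(decode_ace(280, 0, 0))  # the Remarks example, constructed input
```

When reviewing a DACL, the `effective_on_object` field separates ACEs that govern the object itself from inherit-only ACEs that only affect its children.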

Requirements

Minimum supported client: Windows Vista

Minimum supported server: Windows Server 2003

Namespace: \root\CIMV2

MOF: Secrcw32.mof

DLL: CIMWin32.dll

See also

Operating System Classes
WMI Security Descriptor Objects
Win32_SecurityDescriptor
Maintaining WMI Security
Changing Access Security on Securable Objects

© 2014 Microsoft