SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread.

To access an object's SACL

  1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege.
  2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.
  3. Get or set the object's SACL by using a function such as GetSecurityInfo or SetSecurityInfo.
  4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.

To access a SACL using the GetNamedSecurityInfo or SetNamedSecurityInfo functions, enable the SE_SECURITY_NAME privilege. The function internally requests the access right.

The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a SACL. However, you can use the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the access right.