The SYSTEM_MANDATORY_LABEL_ACE structure defines an ACE for the SACL that specifies the mandatory access level and policy for a securable object.<47>
Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by child objects.
Mask (4 bytes): An ACCESS_MASK structure that specifies the access policy for principals with a mandatory integrity level lower than the object associated with the SACL that contains this ACE.
A principal with a lower mandatory level than the object cannot write to the object.
A principal with a lower mandatory level than the object cannot read the object.
A principal with a lower mandatory level than the object cannot execute the object.
Sid (variable): The SID of a trustee. The length of the SID MUST be a multiple of 4. The identifier authority of the SID must be SECURITY_MANDATORY_LABEL_AUTHORITY. The RID of the SID specifies the mandatory integrity level of the object associated with the SACL that contains this ACE. The RID must be one of the following values.
Untrusted integrity level.
Low integrity level.
Medium integrity level.
High integrity level.
System integrity level.
Protected process integrity level.
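The following parser for the binary layout described above is an added example, not part of the original specification text. It validates the SID authority, the RID, and the Mask bits. The numeric constants (ACE type 0x11, authority 16, policy bits, level RIDs) come from the Windows SDK header winnt.h, since this excerpt names the policies and levels without their values; the function name and the sample bytes are constructed for illustration.

```python
import struct

# Numeric values are from the Windows SDK (winnt.h) / MS-DTYP, not this excerpt,
# which names the policies and levels without their values.
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11
MANDATORY_LABEL_AUTHORITY = 16  # SECURITY_MANDATORY_LABEL_AUTHORITY (S-1-16)
POLICY_BITS = {0x1: "NO_WRITE_UP", 0x2: "NO_READ_UP", 0x4: "NO_EXECUTE_UP"}
LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
          0x3000: "High", 0x4000: "System", 0x5000: "Protected process"}


def parse_mandatory_label_ace(buf: bytes) -> dict:
    """Parse and validate one binary SYSTEM_MANDATORY_LABEL_ACE."""
    if len(buf) < 16:
        raise ValueError("buffer too short for header, mask and SID prefix")
    # Header: AceType (1), AceFlags (1), AceSize (2, LE); then Mask (4, LE).
    ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, 0)
    if ace_type != SYSTEM_MANDATORY_LABEL_ACE_TYPE:
        raise ValueError(f"not a mandatory label ACE (type {ace_type:#04x})")
    # SID: Revision (1), SubAuthorityCount (1), IdentifierAuthority (6, BE),
    # then SubAuthorityCount little-endian 32-bit sub-authorities.
    revision, count = buf[8], buf[9]
    authority = int.from_bytes(buf[10:16], "big")
    sid_len = 8 + 4 * count  # always a multiple of 4, as the Sid field requires
    if revision != 1 or count < 1:
        raise ValueError("malformed SID")
    if 8 + sid_len > ace_size or ace_size > len(buf):
        raise ValueError("SID or AceSize overruns the buffer")
    if authority != MANDATORY_LABEL_AUTHORITY:
        raise ValueError(f"SID authority {authority} is not the label authority")
    subs = struct.unpack_from(f"<{count}I", buf, 16)
    rid = subs[-1]  # the RID is the last sub-authority
    if rid not in LEVELS:
        raise ValueError(f"RID {rid:#x} is not a defined integrity level")
    unknown = mask & ~sum(POLICY_BITS)
    if unknown:
        raise ValueError(f"undefined policy bits {unknown:#x} in Mask")
    return {
        "sid": f"S-1-{authority}-" + "-".join(map(str, subs)),
        "level": LEVELS[rid],
        "policy": [name for bit, name in POLICY_BITS.items() if mask & bit],
        "ace_flags": ace_flags,
    }


# Constructed sample: Low integrity label (S-1-16-4096) with NO_WRITE_UP.
SAMPLE_ACE = bytes.fromhex("11001400" "01000000" "010100000000001000100000")

if __name__ == "__main__":
    print(parse_mandatory_label_ace(SAMPLE_ACE))
```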