ACL-based Access Control

Just as the system uses security descriptors to control access to securable objects, a server can use security descriptors to control access to its private objects. For more information about the Windows security model, see Access Control Model.

A protected server can create a security descriptor with a DACL that specifies the types of access allowed for various trustees. In a simple case, the server could create a single security descriptor to control access to all of the server's data and functionality. For a finer granularity of protection, the server could create security descriptors for each of its private objects, or for different types of functionality.

For example, when a client asks the server to create a new object in a database, the server could create a security descriptor for the new private object. The server could then store the security descriptor with the private object in the database. When a client tries to access the object, the server retrieves the security descriptor to check the client's access rights. It is important to note that there is nothing in a security descriptor that associates it with the object or functionality it is protecting. Instead, it is up to the protected server to maintain the association.

Access to the private object can also be audited. Refer to Auditing Access to Private Objects for a description of this.