SACL Access Right
The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread.
To access an object's SACL
- Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege.
- Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.
- Get or set the object's SACL by using a function such as GetSecurityInfo or SetSecurityInfo.
- Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.
The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a SACL. However, you can use the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the access right.