Security Descriptors for Private Objects

To create a security descriptor, a protected server can use the same procedure that an application would use to create a security descriptor for a securable object. For sample code, see Creating a Security Descriptor for a New Object in C++. Alternatively, a protected server application can call the BuildSecurityDescriptor function to do this. If a pointer to an existing self-relative security descriptor is supplied to BuildSecurityDescriptor, it will build the new security descriptor with information taken from that security descriptor merged with new access control information passed as parameters in the function call. The owner and group are optionally specified by TRUSTEE structures passed to the function. The security descriptor created by BuildSecurityDescriptor is in self-relative format.

In addition, the Windows API provides a set of functions for merging client security information with information inherited from the security descriptor for a parent object or from a default security descriptor. The CreatePrivateObjectSecurity, GetPrivateObjectSecurity, SetPrivateObjectSecurity, and DestroyPrivateObjectSecurity functions provide the ability to retrieve default information from an access token, support inheritance, and manipulate specific parts of the security descriptor. This can be useful when a client creates a private object in a hierarchy of secured objects. For example, you could use the CreatePrivateObjectSecurity function to create a security descriptor that contains ACEs specified by the client, ACEs inherited from a parent object, and the default owner from the creating client's access token. While BuildSecurityDescriptor creates security descriptors either from access control information passed into the function call or from an existing security descriptor, CreatePrivateObjectSecurity creates a security descriptor solely from the information in existing security descriptors.

The LookupSecurityDescriptorParts function obtains security descriptor information from an existing self-relative security descriptor. This information includes the owner and group specification, the number of ACEs in the SACL or DACL, and the list of ACEs in the SACL or DACL.
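As an added illustration (not code from the original page or from Microsoft), the portable C below reads the parts listed above for LookupSecurityDescriptorParts (owner, group, ACE counts) directly from the bytes of a self-relative security descriptor, bounds-checking every offset before use. It does not call the Windows API: sd_parse, sd_parts and the sample bytes are hypothetical names and constructed data, and the layout assumed is that of the documented SECURITY_DESCRIPTOR_RELATIVE, SID, ACL and ACE_HEADER structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t SAMPLE_SD[] = {  /* constructed: owner S-1-5-18, group S-1-5-32-544 */
    0x01,0x00,0x04,0x80, 0x14,0,0,0, 0x20,0,0,0, 0,0,0,0, 0x30,0,0,0,       /* header */
    1,1,0,0,0,0,0,5, 0x12,0,0,0,  1,2,0,0,0,0,0,5, 0x20,0,0,0, 0x20,0x02,0,0, /* SIDs */
    2,0,0x1C,0, 1,0,0,0,  0,0,0x14,0, 0,0,0,0x80, 1,1,0,0,0,0,0,1, 0,0,0,0  /* DACL, 1 ACE */
};
struct sd_parts { char owner[192], group[192]; int dacl_aces, sacl_aces; };
static uint32_t le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
/* Format the SID at off as S-1-...; offset 0 means the part is absent; -1 if malformed. */
static int sid_str(const uint8_t *sd, size_t len, uint32_t off, char *out, size_t cap) {
    if (off == 0) return 0;
    if (off > len || len - off < 8) return -1;
    const uint8_t *s = sd + off;
    if (s[0] != 1 || s[1] > 15 || len - off - 8 < 4u * s[1]) return -1;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | s[i];  /* big-endian authority */
    int w = snprintf(out, cap, "S-1-%llu", (unsigned long long)auth);
    for (unsigned i = 0; i < s[1]; i++)
        w += snprintf(out + w, cap - (size_t)w, "-%u", (unsigned)le32(s + 8 + 4 * i));
    return 0;
}
/* ACE count of the ACL at off, after checking every ACE fits in AclSize; -2 if malformed. */
static int acl_aces(const uint8_t *sd, size_t len, uint32_t off) {
    if (off > len || len - off < 8) return -2;
    const uint8_t *a = sd + off;
    size_t size = a[2] | (a[3] << 8), count = a[4] | (a[5] << 8), pos = 8;
    if (size < 8 || size > len - off) return -2;
    for (size_t i = 0, ace; i < count; i++, pos += ace) {
        ace = size - pos < 4 ? 0 : (size_t)(a[pos + 2] | (a[pos + 3] << 8));
        if (ace < 4 || ace > size - pos) return -2;
    }
    return (int)count;
}
/* 0 on success. ACE count -1 means no ACL; a missing or NULL DACL leaves access unrestricted. */
int sd_parse(const uint8_t *sd, size_t len, struct sd_parts *p) {
    memset(p, 0, sizeof *p);
    if (len < 20 || sd[0] != 1 || !(sd[3] & 0x80)) return -1;  /* needs SE_SELF_RELATIVE */
    if (sid_str(sd, len, le32(sd + 4), p->owner, sizeof p->owner) ||
        sid_str(sd, len, le32(sd + 8), p->group, sizeof p->group)) return -1;
    p->sacl_aces = (sd[2] & 0x10) && le32(sd + 12) ? acl_aces(sd, len, le32(sd + 12)) : -1;
    p->dacl_aces = (sd[2] & 0x04) && le32(sd + 16) ? acl_aces(sd, len, le32(sd + 16)) : -1;
    return (p->sacl_aces == -2 || p->dacl_aces == -2) ? -1 : 0;
}
int main(void) {
    struct sd_parts p;
    return sd_parse(SAMPLE_SD, sizeof SAMPLE_SD, &p) || printf("owner=%s group=%s dacl_aces=%d sacl_aces=%d\n", p.owner, p.group, p.dacl_aces, p.sacl_aces) < 0;
}
```

A protected server that stores descriptors for its private objects can run a check of this kind on any descriptor it loads from disk or receives from a client, since an empty DACL (0 ACEs, denies all) and a missing DACL (-1, allows all) are easy to confuse.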