AddMandatoryAce function

The AddMandatoryAce function adds a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) to the specified system access control list (SACL).

Syntax

C++
Copy 

BOOL WINAPI AddMandatoryAce(
  _Inout_ PACL  pAcl,
  _In_    DWORD dwAceRevision,
  _In_    DWORD AceFlags,
  _In_    DWORD MandatoryPolicy,
  _In_    PSID  pLabelSid
);

Parameters

pAcl [in, out]

A pointer to an SACL. This function adds a mandatory ACE to the end of this SACL. The ACE is in the form of a SYSTEM_MANDATORY_LABEL_ACE structure.

dwAceRevision [in]

The revision level of the SACL being modified. This value can be one of the following values.

ValueMeaning
ACL_REVISION

The SACL does not contain object-specific ACEs.

ACL_REVISION_DS

The SACL contains object-specified ACEs.

 

AceFlags [in]

A set of bit flags that control ACE inheritance. This function sets these flags in the AceFlags member of the ACE_HEADER structure of the new ACE.

This parameter can be a combination of the following values.

ValueMeaning
OBJECT_INHERIT_ACE
0x1

The ACE is inherited by noncontainer objects.

CONTAINER_INHERIT_ACE
0x2

The ACE is inherited by container objects.

NO_PROPAGATE_INHERIT_ACE
0x4

The OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE bits are not propagated to an inherited ACE.

INHERIT_ONLY_ACE
0x8

The ACE does not apply to the object to which the SACL is assigned, but the ACE can be inherited by child objects.

INHERITED_ACE
0x10

The ACE is inherited. Operations that change the security on a tree of objects may modify inherited ACEs without changing ACEs that were directly applied to the object.

 

MandatoryPolicy [in]

The access policy for principals with a mandatory integrity level lower than the object associated with the SACL that contains this ACE.

ValueMeaning
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
0x1

A principal with a lower mandatory level than the object cannot write to the object.

SYSTEM_MANDATORY_LABEL_NO_READ_UP
0x2

A principal with a lower mandatory level than the object cannot read the object.

SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
0x4

A principal with a lower mandatory level than the object cannot execute the object.

 

pLabelSid [in]

A pointer to an SID that specifies the mandatory integrity level of the object associated with the SACL being appended.

Return value

If the function succeeds, it returns TRUE.

If the function fails, it returns FALSE. For extended error information, call GetLastError. The following are possible error values.

Return code/valueDescription
ERROR_ALLOTTED_SPACE_EXCEEDED
0x540

The new ACE does not fit into the pAcl buffer.

 

Remarks

To compile an application that uses this function, define _WIN32_WINNT as 0x0600 or later. For more information, see Using the Windows Headers.

Requirements

Minimum supported client

Windows Vista [desktop apps | UWP apps]

Minimum supported server

Windows Server 2008 [desktop apps | UWP apps]

Header
Securitybaseapi.h (include WinBase.h);
WinBase.h on Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista (include Windows.h)

Library
Advapi32.lib

DLL
Advapi32.dll

See also

SYSTEM_MANDATORY_LABEL_ACE

 

 

Show: