4.2 Security Descriptors

The security descriptor is a collection of four main elements. The owner field is a SID that specifies the owner of the resource. The group field specifies the group associated with the resource. The group field is not evaluated by Windows components; it exists for POSIX compatibility. The DACL field specifies the discretionary access control list (DACL), and the SACL field specifies the system access control list (SACL).

When associated with a resource, the security descriptor is intended to be opaque. The resource manager should never be required to examine the contents of the security descriptor. The security descriptor fields can be used by the resource manager for other purposes, however. For example, the file system can implement a storage quota system by using the owner field to associate resources consumed with an owner for billing.
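
The four fields described above can be read out of a binary security descriptor for auditing or inspection. The following is an added example, not code from this document: it assumes the self-relative layout defined in MS-DTYP (a 20-byte header holding control flags and four offsets), and the function names and the sample descriptor are constructed for illustration.

```python
import struct

# Control flags and layout follow the self-relative format in MS-DTYP (assumption: not stated on this page).
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000

def parse_sid(buf, off):
    """Decode a binary SID at `off` into its S-1-... string form."""
    if off + 8 > len(buf):
        raise ValueError("SID header runs past end of buffer")
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    if off + 8 + 4 * count > len(buf):
        raise ValueError("SID sub-authorities run past end of buffer")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_acl_header(buf, off):
    """Read only the ACL header; the ACEs that follow are not decoded here."""
    if off + 8 > len(buf):
        raise ValueError("ACL header runs past end of buffer")
    revision, _, size, ace_count, _ = struct.unpack_from("<BBHHH", buf, off)
    if size < 8 or off + size > len(buf):
        raise ValueError("ACL size is inconsistent with the buffer")
    return {"revision": revision, "size": size, "ace_count": ace_count}

def parse_security_descriptor(buf):
    """Return the owner, group, SACL and DACL of a self-relative descriptor."""
    if len(buf) < 20:
        raise ValueError("buffer shorter than the 20-byte descriptor header")
    revision, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "sacl": parse_acl_header(buf, o_sacl) if control & SE_SACL_PRESENT and o_sacl else None,
        "dacl": parse_acl_header(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None,
    }

def _sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sample():
    """Constructed sample: owner S-1-5-32-544, group S-1-5-18, DACL with no ACEs, no SACL."""
    owner, group = _sid(5, 32, 544), _sid(5, 18)
    dacl = struct.pack("<BBHHH", 2, 0, 8, 0, 0)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 20 + len(owner), 0, 20 + len(owner) + len(group))
    return header + owner + group + dacl

if __name__ == "__main__":
    print(parse_security_descriptor(build_sample()))
```

When reviewing the output, a `dacl` of `None` (no DACL present) and a DACL with an `ace_count` of 0 are not equivalent: the former allows full access to everyone, the latter allows access to no one.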