Access Control Inheritance

Access-control entries (ACEs) in an object access-control list (ACL) can belong to one of two categories:

  • Effective ACL: ACEs in this category apply to the object.
  • Inherit ACL: ACEs in this category are inherited by objects created in the container.

Each ACE in the DACL can belong to one, or more, categories. The categories for where an ACE belongs are determined by the inheritance control flags set in the ACE.

Three inheritance-control flags can be set in the AceFlags property of an ACE.

FlagDescription
ADS_ACEFLAG_INHERIT_ACEThis flag indicates that the ACE is part of the inherit ACL and that child objects inherit the inheritance control flags of this ACE.
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACEThis flag indicates that the ACE is part of the inherit ACL, but that no inheritance control flags are propagated to direct child objects (direct descendants) and the ACE is effective on the direct child objects.
ADS_ACEFLAG_INHERIT_ONLY_ACEThis flag indicates that the ACE is not part of effective ACL.

If this flag is not set, then the ACE is part of the effective ACL. This flag is useful for setting permissions inheritable by subobjects, but do not affect accessibility of the container. For example, if an ACE is intended to be inherited by user objects in a organizational unit, it is likely that it should not be enforced for access to the organizational unit itself.

 

The ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE and ADS_ACEFLAG_INHERIT_ONLY_ACE flags are meaningful only if ADS_ACEFLAG_INHERIT_ACE is present. This is because the ADS_ACEFLAG_INHERIT_ACE flag adds inheritance behavior to an inheritable ACE, but does not define the type of inheritance. The ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE and ADS_ACEFLAG_INHERIT_ONLY_ACE flags define a specific type of inheritance behavior.

It is important to remember that the system also sets the following flags based on the type and state of the ACE.

FlagDescription
ADS_ACEFLAG_INHERITED_ACEThis flag indicates that the ACE was inherited.
ADS_ACEFLAG_VALID_INHERIT_FLAGSThis flag indicates that the inherit flags are valid.

 

The following table lists the effects of the different flag combinations for the AceFlags property of an ACE.

FlagEffect on object containing the ACEEffect on direct child objectsEffect on objects below direct children
No flags set.Effective ACE: ACE applies to the object.ACE is not inherited.ACE is not inherited.
ADS_ACEFLAG_INHERIT_ACEEffective ACEACE is inherited.

ACE is an effective ACE.

ACE is inherited.

ACE is an effective ACE.

ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACENot an Effective ACE: ACE does not apply to the object.ACE is inherited.

ACE is an effective ACE.

ACE is inherited.

ACE is an effective ACE.

ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACEEffective ACEACE is inherited but without inheritance flags.

ACE is an Effective ACE

ACE is not inherited.
ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE | ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACENot an Effective ACE.ACE is inherited but without inheritance flags.

ACE is an Effective ACE.

ACE is not inherited.

 

 

 

Show: