The topic you requested is included in another documentation set. For convenience, it's displayed below. Choose Switch to see the topic in its original location.

SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread.

Aa379321.wedge(en-us,VS.85).gifTo access an object's SACL

  1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege.
  2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.
  3. Get or set the object's SACL by using a function such as GetSecurityInfo or SetSecurityInfo.
  4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.

To access a SACL using the GetNamedSecurityInfo or SetNamedSecurityInfo functions, enable the SE_SECURITY_NAME privilege. The function internally requests the access right.

The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a SACL. However, you can use the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the access right.