Information
The topic you requested is included in another documentation set. For convenience, it's displayed below. Choose Switch to see the topic in its original location.

SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread.

Aa379321.wedge(en-us,VS.85).gifTo access an object's SACL

  1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege.
  2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.
  3. Get or set the object's SACL by using a function such as GetSecurityInfo or SetSecurityInfo.
  4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.

To access a SACL using the GetNamedSecurityInfo or SetNamedSecurityInfo functions, enable the SE_SECURITY_NAME privilege. The function internally requests the access right.

The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a SACL. However, you can use the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the access right.

 

 

Community Additions

Show:
© 2015 Microsoft