An object's ACL can contain ACEs that it inherited from its parent container. For example, a registry subkey can inherit ACEs from the key above it in the registry hierarchy. Likewise, a file in an NTFS file system can inherit ACEs from the directory that contains it.
The ACE_HEADER structure of an ACE contains a set of inheritance flags that control ACE inheritance and the effect of an ACE on the object to which it is attached. The system interprets the inheritance flags and other inheritance information according to the rules of ACE inheritance.
These rules have been enhanced with the following features:
- Support for automatic propagation of inheritable ACEs.
- A flag that differentiates between inherited ACEs and ACEs that were directly applied to an object.
- Object-specific ACEs that allow you to specify the type of child object that can inherit the ACE.
- The ability to prevent a DACL or SACL from inheriting ACEs by setting the SE_DACL_PROTECTED or SE_SACL_PROTECTED bits in the security descriptor's control bits except for SYSTEM_RESOURCE_ATTRIBUTE_ACE and SYSTEM_SCOPED_POLICY_ID_ACE.