2.4.4.3 ACCESS_ALLOWED_OBJECT_ACE
The ACCESS_ALLOWED_OBJECT_ACE structure defines an ACE that controls allowed access to an object, a property set, or property. The ACE contains a set of access rights, a GUID that identifies the type of object, and a SID that identifies the trustee to whom the system will grant access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.
| Field | Size |
|---|---|
| Header | 4 bytes |
| Mask | 4 bytes |
| Flags | 4 bytes |
| ObjectType | 16 bytes |
| InheritedObjectType | 16 bytes |
| Sid | variable |
Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by child objects.
Mask (4 bytes): An ACCESS_MASK that specifies the user rights allowed by this ACE.
| Value | Hex | Meaning |
|---|---|---|
| ADS_RIGHT_DS_CONTROL_ACCESS | 0x00000100 | The ObjectType GUID identifies an extended access right. |
| ADS_RIGHT_DS_CREATE_CHILD | 0x00000001 | The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object. |
| ADS_RIGHT_DS_DELETE_CHILD | 0x00000002 | The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to delete this type of child object. |
| ADS_RIGHT_DS_READ_PROP | 0x00000010 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set. |
| ADS_RIGHT_DS_WRITE_PROP | 0x00000020 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set. |
| ADS_RIGHT_DS_SELF | 0x00000008 | The ObjectType GUID identifies a validated write. |
Flags (4 bytes): A 32-bit unsigned integer that specifies a set of bit flags that indicate whether the ObjectType and InheritedObjectType fields contain valid data. This field can be one or more of the following values.
| Value | Hex | Meaning |
|---|---|---|
| | 0x00000000 | Neither ObjectType nor InheritedObjectType is valid. |
| ACE_OBJECT_TYPE_PRESENT | 0x00000001 | ObjectType is present. |
| ACE_INHERITED_OBJECT_TYPE_PRESENT | 0x00000002 | InheritedObjectType is present. If this value is not specified, all types of child objects can inherit the ACE. |
ObjectType (16 bytes): A GUID that identifies a property set, property, extended right, or type of child object. The purpose of this GUID depends on the user rights specified in the Mask field. This field is present only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags field. Otherwise, the ObjectType field is ignored. For information on access rights and for a mapping of the control access rights to the corresponding GUID value that identifies each right, see [MS-ADTS] sections 5.1.3.2 and 5.1.3.2.1.
ACCESS_MASK bits are not mutually exclusive. Therefore, the ObjectType field can be set in an ACE with any ACCESS_MASK. If the AccessCheck algorithm evaluates this ACE and does not find an appropriate GUID, that ACE is ignored. For more information on access checks and object access, see [MS-ADTS] section 5.1.3.3.3.
InheritedObjectType (16 bytes): A GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. This field is present only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, the InheritedObjectType field is ignored.
Sid (variable): The SID of a trustee. The length of the SID MUST be a multiple of 4.
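As an added worked example (not code from MS-DTYP or from Microsoft), the following Python serializes and decodes an ACCESS_ALLOWED_OBJECT_ACE exactly as laid out above: a fixed 12-byte prefix (Header, Mask, Flags), then ObjectType and InheritedObjectType only when the corresponding Flags bit is set, then the SID. The ACE type value 0x05, the GUID wire encoding (first three fields little-endian) and the binary SID layout (revision, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities) come from other MS-DTYP sections; the GUID and SID used as sample input are constructed placeholders, not a real schema attribute or domain. The decoder refuses an AceSize that disagrees with the fields actually present, which is the check a parser of untrusted security descriptors needs.

```python
"""Added example: build and decode an ACCESS_ALLOWED_OBJECT_ACE (MS-DTYP 2.4.4.3).

Constants are the values stated in MS-DTYP (2.4.4.1 for the ACE type, 2.4.4.3
for Mask and Flags). SAMPLE_PROPERTY_GUID and SAMPLE_SID are constructed
placeholders, not real schema or domain values.
"""
import struct
import uuid

ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05          # ACE_HEADER.AceType (MS-DTYP 2.4.4.1)

# Mask bits from the 2.4.4.3 table; each one gives the ObjectType GUID its meaning.
MASK_BITS = {
    "ADS_RIGHT_DS_CREATE_CHILD": 0x00000001,
    "ADS_RIGHT_DS_DELETE_CHILD": 0x00000002,
    "ADS_RIGHT_DS_SELF": 0x00000008,
    "ADS_RIGHT_DS_READ_PROP": 0x00000010,
    "ADS_RIGHT_DS_WRITE_PROP": 0x00000020,
    "ADS_RIGHT_DS_CONTROL_ACCESS": 0x00000100,
}
ACE_OBJECT_TYPE_PRESENT = 0x00000001
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002


def build_sid(sid_text):
    """Encode 'S-R-A-s1-s2-...' into the binary SID layout: revision byte, count
    byte, 6-byte big-endian identifier authority, little-endian sub-authorities."""
    parts = sid_text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; returns (sid_text, length_in_bytes)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    length = 8 + 4 * count                     # always a multiple of 4, as 2.4.4.3 requires
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), length


def build_object_ace(mask, sid_text, object_type=None, inherited_object_type=None,
                     ace_flags=0):
    """Serialize the ACE; a GUID is written, and its Flags bit set, only when given."""
    flags, body = 0, b""
    if object_type is not None:
        flags |= ACE_OBJECT_TYPE_PRESENT
        body += object_type.bytes_le           # GUID fields are little-endian on the wire
    if inherited_object_type is not None:
        flags |= ACE_INHERITED_OBJECT_TYPE_PRESENT
        body += inherited_object_type.bytes_le
    body += build_sid(sid_text)
    ace_size = 4 + 4 + 4 + len(body)           # Header + Mask + Flags + variable part
    return struct.pack("<BBHII", ACCESS_ALLOWED_OBJECT_ACE_TYPE, ace_flags, ace_size,
                       mask, flags) + body


def parse_object_ace(buf):
    """Decode an ACCESS_ALLOWED_OBJECT_ACE, honouring the two presence flags and
    rejecting an AceSize that does not match the fields actually present."""
    if len(buf) < 12:
        raise ValueError("buffer shorter than the fixed Header/Mask/Flags prefix")
    ace_type, ace_flags, ace_size, mask, flags = struct.unpack_from("<BBHII", buf, 0)
    if ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        raise ValueError("AceType 0x%02x is not ACCESS_ALLOWED_OBJECT_ACE_TYPE" % ace_type)
    if ace_size > len(buf):
        raise ValueError("AceSize %d exceeds the %d bytes supplied" % (ace_size, len(buf)))
    off, guids = 12, {}
    for bit, name in ((ACE_OBJECT_TYPE_PRESENT, "object_type"),
                      (ACE_INHERITED_OBJECT_TYPE_PRESENT, "inherited_object_type")):
        guids[name] = None
        if flags & bit:                        # the field exists only when its bit is set
            if off + 16 > ace_size:
                raise ValueError("%s flagged present but truncated" % name)
            guids[name] = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))
            off += 16
    if off + 8 > ace_size:
        raise ValueError("no room for a SID inside AceSize")
    sid_text, sid_len = parse_sid(buf, off)
    if off + sid_len != ace_size:
        raise ValueError("SID does not end exactly at AceSize")
    return {"ace_flags": ace_flags, "size": ace_size, "mask": mask, "flags": flags,
            "sid": sid_text, "rights": [n for n, v in MASK_BITS.items() if mask & v],
            **guids}


def is_well_formed(buf):
    """True if buf decodes as a consistent ACCESS_ALLOWED_OBJECT_ACE."""
    try:
        parse_object_ace(buf)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample values (placeholders, not a real schema GUID or domain SID).
SAMPLE_PROPERTY_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_SID = "S-1-5-21-1000-2000-3000-1234"
SAMPLE_ACE = build_object_ace(MASK_BITS["ADS_RIGHT_DS_WRITE_PROP"], SAMPLE_SID,
                              object_type=SAMPLE_PROPERTY_GUID)

if __name__ == "__main__":
    print(SAMPLE_ACE.hex())
    print(parse_object_ace(SAMPLE_ACE))
```

Because the sample sets only ACE_OBJECT_TYPE_PRESENT, the encoded ACE is 12 + 16 + 28 = 56 bytes and the SID starts at offset 28; with both GUIDs present the SID would start at offset 44 instead, which is why a decoder must read Flags before it can locate the Sid field.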