2.4.4.14 SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
The SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure defines an ACE for a SACL. The ACE can audit access to an object or subobjects, such as property sets or properties. The ACE contains a set of user rights, a GUID that identifies the type of object or subobject, and a SID that identifies the trustee for whom the system will audit access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.

Field layout (each row of the diagram is 32 bits wide, bits 0 through 31):

| Field |
|---|
| Header |
| Mask |
| Flags |
| ObjectType (16 bytes) |
| InheritedObjectType (16 bytes) |
| Sid (variable) |
| ApplicationData (variable) |

Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child objects.
Mask (4 bytes): An ACCESS_MASK structure that specifies the user rights that cause audit messages to be generated.

| Value | Meaning |
|---|---|
| ADS_RIGHT_DS_CONTROL_ACCESS 0x00000100 | The ObjectType GUID identifies an extended access right. |
| ADS_RIGHT_DS_CREATE_CHILD 0x00000001 | The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object. |
| ADS_RIGHT_DS_READ_PROP 0x00000010 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set. |
| ADS_RIGHT_DS_WRITE_PROP 0x00000020 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set. |
| ADS_RIGHT_DS_SELF 0x00000008 | The ObjectType GUID identifies a validated write. |

Flags (4 bytes): A 32-bit unsigned integer that specifies a set of bit flags that indicate whether the ObjectType and InheritedObjectType fields contain valid data. This parameter can be one or more of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | Neither ObjectType nor InheritedObjectType are valid. |
| ACE_OBJECT_TYPE_PRESENT 0x00000001 | ObjectType is present. |
| ACE_INHERITED_OBJECT_TYPE_PRESENT 0x00000002 | InheritedObjectType is present. If this value is not specified, all types of child objects can inherit the ACE. |

ObjectType (16 bytes): A GUID that identifies a property set, property, extended right, or type of child object. The purpose of this GUID depends on the user rights specified in the Mask field. This field is present only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags field. Otherwise, the ObjectType field is ignored.
InheritedObjectType (16 bytes): A GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. This field is present only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, the InheritedObjectType field is ignored.
Sid (variable): The SID of a trustee. The length of the SID MUST be a multiple of 4.
ApplicationData (variable): Optional application data. The size of the application data is determined by the AceSize field of the ACE_HEADER.
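
The following parser is an added example, not part of the specification text. It shows how the optional GUID fields shift the offset of Sid and how AceSize bounds ApplicationData. It assumes the ACE_HEADER byte layout (AceType, AceFlags, little-endian AceSize), the AceType value 0x0F, and the binary SID layout from the corresponding MS-DTYP sections, which are not reproduced on this page; the function names and the sample bytes are constructed for illustration.

```python
import struct
import uuid

SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE = 0x0F  # assumption: from the ACE_HEADER section
ACE_OBJECT_TYPE_PRESENT = 0x00000001
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002

def parse_sid(buf, off):
    """Decode a binary SID at off; return (string form, byte length)."""
    if off + 8 > len(buf):
        raise ValueError("truncated SID header")
    revision, count = buf[off], buf[off + 1]
    length = 8 + 4 * count  # always a multiple of 4, as the Sid field requires
    if off + length > len(buf):
        raise ValueError("SID runs past AceSize")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)]), length

def parse_audit_callback_object_ace(data):
    """Parse one SYSTEM_AUDIT_CALLBACK_OBJECT_ACE from the start of data."""
    if len(data) < 12:
        raise ValueError("shorter than Header + Mask + Flags")
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, 0)
    if ace_type != SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE:
        raise ValueError("unexpected AceType 0x%02x" % ace_type)
    if ace_size < 12 or ace_size > len(data):
        raise ValueError("AceSize out of range")
    ace = bytes(data[:ace_size])  # never read past the declared ACE
    mask, flags = struct.unpack_from("<II", ace, 4)
    off, guids = 12, {}
    # A GUID field occupies bytes in the ACE only when its Flags bit is set.
    for name, bit in (("object_type", ACE_OBJECT_TYPE_PRESENT),
                      ("inherited_object_type", ACE_INHERITED_OBJECT_TYPE_PRESENT)):
        guids[name] = None
        if flags & bit:
            if off + 16 > ace_size:
                raise ValueError(name + " runs past AceSize")
            guids[name] = uuid.UUID(bytes_le=ace[off:off + 16])
            off += 16
    sid, sid_len = parse_sid(ace, off)
    return {"ace_flags": ace_flags, "mask": mask, "flags": flags, **guids,
            "sid": sid, "application_data": ace[off + sid_len:]}

# Constructed sample: ADS_RIGHT_DS_WRITE_PROP audit for S-1-1-0, ObjectType only.
SAMPLE_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")  # made-up GUID
SAMPLE_ACE = (struct.pack("<BBHII", 0x0F, 0x40, 44, 0x20, 0x1) + SAMPLE_GUID.bytes_le
              + bytes.fromhex("010100000000000100000000") + b"\x01\x02\x03\x04")
```

Whatever remains between the end of the SID and AceSize is returned as ApplicationData; bytes beyond AceSize belong to the next ACE and are not consumed.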