Modifying an Item's Discretionary Access Control List

Topic Last Modified: 2006-06-11

To modify an item's discretionary access control list (DACL), you manage the access control entries in the effective_aces, subcontainer_inheritable_aces, and subitem_inheritable_aces sections of the DACL.

The following example demonstrates how to add access-allowed and access-denied ACEs to an item's DACL.

JScript

Example

function addAccessAllowedAce( XMLDomDescriptor, sdACEElem ) {
 var p = XMLDomDescriptor.documentElement.prefix;
 WScript.Echo("descriptor prefix: " + prefix);
 if(p != "")
  p += ":";
 var daclElem = XMLDomDescriptor.selectSingleNode("/"+p+"security_descriptor/"+p+"dacl");
 if(daclElem == null)
  throw "ERR: No discretionary access control list in descriptor";

 var effAcesElem = daclElem.selectSingleNode(p+"effective_aces");
 if(effAcesElem == null)
   throw "ERR: No effective aces!";

 effAcesElem.appendChild(sdACEElem);

 return;
}

function addAccessDeniedAce( XMLDomDescriptor, sdACEElem ) {
 var p = XMLDomDescriptor.documentElement.prefix;
 WScript.Echo("descriptor prefix: " + prefix);
 if(p != "")
  p += ":";
 var daclElem = XMLDomDescriptor.selectSingleNode("/"+p+"security_descriptor/"+p+"dacl");
 if(daclElem == null)
  throw "ERR: No discretionary access control list in descriptor";

 var effAcesElem = daclElem.selectSingleNode(p+"effective_aces");
 if(effAcesElem == null)
   throw "ERR: No effective aces!";

 effAcesElem.insertBefore( sdACEElem , effAcesElem.firstChild);

 return;
}