The following reference describes the XML schema elements and attributes. Unless otherwise indicated, the data type is string. Each entry gives the element name, followed by its description, relationships, and attributes. Enumeration and flag tables are written one row per line as "value | meaning".

Element: ace

Description:
Access control elements (ACEs) for the SACL.
Parent:
sacl
Children:
inheritance (minOccurs="1" maxOccurs="1", output only)
inheritedObjectTypeName (minOccurs="0" maxOccurs="1", output only)
mode (minOccurs="1" maxOccurs="1", output only)
objectTypeName (minOccurs="0" maxOccurs="1", output only)
permission (minOccurs="1" maxOccurs="1", output only)
trustee (minOccurs="1" maxOccurs="1", output only)
trusteeForm (minOccurs="1" maxOccurs="1", output only)
trusteeType (minOccurs="1" maxOccurs="1", output only)

Element: executeData

Description:
Encapsulates the procedure's input and output data.
Children:
name (minOccurs="1" maxOccurs="1", input only)
objectType (minOccurs="1" maxOccurs="1", input only)
sacl (minOccurs="0" maxOccurs="1", output only)

Element: inheritance

Description:
Set of bit flags that determines whether other containers or objects can inherit the ACE from the primary object to which the SACL is attached. The value corresponds to the inheritance portion (low-order byte) of the AceFlags member of the ACE_HEADER structure. The value can be zero to indicate that the ACE is not inheritable, or it can be a combination of the values in the AceFlags table. For example:
<ace>
  <inheritance>3</inheritance>
</ace>
AceFlags:
0x0 | Default. This ACE will not be inherited by other objects.
0x1 | Non-container objects contained by the primary object inherit the ACE.
0x2 | Other containers contained by the primary object inherit the ACE.
0x3 | Both containers and non-container objects contained by the primary object inherit the ACE.
0x4 | The SUB_OBJECTS_ONLY_INHERIT and SUB_CONTAINERS_ONLY_INHERIT flags are not propagated to an inherited ACE.
0x8 | The ACE does not apply to the primary object to which the ACL is attached, but objects contained by the primary object inherit the ACE.
0x10 | The permission or restriction is inherited from the parent object.
Parent:
ace

Element: inheritedObjectTypeName

Description:
Type of objects that can inherit the ACE.
Parent:
ace

Element: mode

Description:
Indicates whether the ACL generates audit messages (success/failure) for attempts to use the specified access rights. Specifies a value from the following ACCESS_MODE enumeration.
5 | Indicates a SYSTEM_AUDIT_ACE that generates audit messages for successful attempts to use the specified access rights.
6 | Indicates a SYSTEM_AUDIT_ACE that generates audit messages for failed attempts to use the specified access rights.
Parent:
ace

Element: name

Description:
Name of the object to update the ACL for. For Microsoft® Active Directory® objects, this is the Lightweight Directory Access Protocol (LDAP) path.
Parent:
executeData

Element: objectType

Description:
One of the object types listed in the following SE_OBJECT_TYPE table. For Active Directory objects, this should be SE_DS_OBJECT.
0 | SE_UNKNOWN_OBJECT_TYPE | Unknown object type.
1 | SE_FILE_OBJECT | A file or directory. The name string that identifies a file or directory object can be one of the following.
- A relative path such as Abc.dat or ..\Abc.dat
- An absolute path such as \Abc.dat, C:\Dir1\Abc.dat, or G:\Remotedir\Abc.dat
- A UNC name such as \\Machinename\Sharename\Abc.dat.
- A local file system root such as \\\\.\\C:. Security set on a file system root does not persist when the system is restarted.
2 | SE_SERVICE | A Microsoft® Win32® service. A service object can be a local service, such as servicename; or a remote service, such as \\Machinename\Servicename.
3 | SE_PRINTER | A printer. A printer object can be a local printer, such as Printername; or a remote printer, such as \\Machinename\Printername.
4 | SE_REGISTRY_KEY | A registry key. A registry key object can be in the local registry, such as CLASSES_ROOT\somepath; or in a remote registry, such as \\Machinename\CLASSES_ROOT\Somepath. The names of registry keys must use the following literal strings to identify the predefined registry keys: CLASSES_ROOT, CURRENT_USER, MACHINE, and USERS.
5 | SE_LMSHARE | A network share. A share object can be local, such as sharename; or remote, such as \\Machinename\Sharename.
6 | SE_KERNEL_OBJECT | A local kernel object. The GetSecurityInfo and SetSecurityInfo functions support all types of kernel objects. The GetNamedSecurityInfo and SetNamedSecurityInfo functions work only with the following kernel objects: semaphore, event, mutex, waitable timer, and file mapping.
7 | SE_WINDOW_OBJECT | A window station or desktop object on the local machine. You cannot use GetNamedSecurityInfo and SetNamedSecurityInfo with these objects because the names of window stations or desktops are not unique.
8 | SE_DS_OBJECT | Microsoft® Windows® 2000: A directory service (DS) object, or a property set or property of a directory service object. The name string for a DS object can be a UNC name such as \\tailspintoys.com\ou1\ou2\someobject. The name string can also be in X.500 form, such as "CN=someobject,OU=ou2,OU=ou1,DC=domain,DC=microsoft,DC=com,O=internet".
9 | SE_DS_OBJECT_ALL | Windows 2000: A directory service object and all of its property sets and properties.
10 | SE_PROVIDER_DEFINED_OBJECT | Windows 2000: A provider-defined object.
11 | SE_WMIGUID_OBJECT | Windows 2000: A WMI object.
Parent:
executeData

Element: objectTypeName

Description:
String that identifies the type of object, property set, or property protected by the ACE. If this ACE is inherited, it identifies the type of object, property set, or property protected by the inherited ACE. The format varies depending on the value for trusteeForm.
Parent:
ace

Element: permission

Description:
Value containing standard, specific, and generic rights. These rights are used in ACEs and are the primary means of specifying the requested or granted access to an object. The permission value can be any combination of bits from the following tables. Each objectType has its own specific rights, and some of them may not be listed in the following tables.
Standard and generic permissions (ACCESS_MASK):
0x00010000L | Delete access
0x00020000L | Read access to the owner, group, and discretionary access control list (DACL) of the security descriptor
0x00040000L | Write access to the SACL
0x00080000L | Write access to owner
0x00100000L | Microsoft® Windows NT® or Windows 2000: Synchronize access
0x01000000L | Access system security (ACCESS_SYSTEM_SECURITY). This flag is not a typical access type. It is used to indicate access to a system ACL. This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.
0x02000000L | Maximum allowed
0x10000000L | Generic all
0x20000000L | Generic execute
0x40000000L | Generic write
0x80000000L | Generic read
Active Directory permissions (ADS_RIGHTS_ENUM):
0x1 | The right to create children of the object. The ObjectType member of an ACE can contain a globally unique identifier (GUID) that identifies the type of child object whose creation is being controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types.
0x2 | The right to delete children of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is being controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.
0x4 | The right to list children of this object.
0x8 | The right to modify the group membership of a group object.
0x10 | The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object's properties.
0x20 | The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object's properties.
0x40 | The right to delete all children of this object, regardless of the permission on the children.
0x80 | The right to list an object. If the user is not granted such a right, the object is hidden from the user.
0x100 | The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object.
0x10000 | The right to delete the object.
0x20000 | The right to read information from the security descriptor of the object, not including the information in the SACL.
0x40000 | The right to modify the SACL in the object's security descriptor.
0x80000 | The right to assume ownership of the object. The user must be a trustee of the object. The user cannot transfer the ownership to other users.
0x100000 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
0x1000000 | The right to get or set the SACL in the object's security descriptor.
0x80000000 | The right to read from the security descriptor, examine the object as well as its children, and read all properties.
0x40000000 | The right to write all the properties and write to the SACL. The user can add and remove the object to and from the directory.
0x20000000 | The right to list children of this object.
0x10000000 | The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.
Registry permissions:
0x0001 | Permission to query subkey data.
0x0002 | Permission to set subkey data.
0x0004 | Permission to create subkeys.
0x0008 | Permission to enumerate subkeys.
0x0010 | Permission for change notification.
0x0020 | Permission to create a symbolic link.
File system permissions:
0x0001 | Right to read data from the file. For a directory, the right to list the contents of the directory.
0x0002 | Right to write data to the file. For a directory, the right to create a file in the directory.
0x0004 | Right to append data to the file. For a directory, the right to create a subdirectory.
0x0008 | Right to read extended attributes.
0x0010 | Right to write extended attributes.
0x0020 | Right to execute a program.
0x0040 | For a directory, the right to delete a subdirectory.
0x0080 | Right to read file attributes.
0x0100 | Right to write file attributes.
Parent:
ace

Element: sacl

Description:
SACL for the specified object. The returned list contains both inherited and non-inherited ACEs. Returned values are decimals rather than enumeration strings.
Parent:
executeData
Child:
ace (minOccurs="0" maxOccurs="*")

Element: trustee

Description:
Identifies the user, group, or program (such as a Win32 service) to which the ACE applies. The format varies depending on the value of the trusteeForm node.
Parent:
ace

Element: trusteeForm

Description:
Indicates the type of value in the trustee node. Specifies a value from the following TRUSTEE_FORM enumeration.
0 | trustee is the security identifier (SID) of the trustee.
1 | trustee is the name of the trustee.
3 | trustee is the SID of the trustee. Returns objectTypeName and/or inheritedObjectTypeName.
4 | trustee is the name of the trustee. Returns objectTypeName and/or inheritedObjectTypeName.
Parent:
ace

Element: trusteeType

Description:
Indicates whether the trustee is a user account, a group account, or an account of unknown type. Specifies a value from the following TRUSTEE_TYPE enumeration.
0 | Trustee type is unknown, but not necessarily invalid.
1 | Indicates a user.
2 | Indicates a group.
3 | Indicates an Active Directory domain.
4 | Indicates an alias.
5 | Indicates a well-known group.
6 | Indicates a deleted account.
7 | Indicates an invalid trustee type.
8 | Indicates a computer.
Parent:
ace
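Because the sacl output carries every value as a decimal rather than an enumeration string, reading it back means decoding the inheritance, mode, permission, trusteeForm and trusteeType tables above. The following Python is an added example, not code from the original reference or from the product it documents: it parses an executeData document, expands each ace into readable names, and then checks whether both audit modes cover a set of rights on the object itself (an inherit-only ACE, AceFlags 0x8, audits contained objects but not the object the SACL is attached to). The XML document is constructed. The page names only two inheritance bits; NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE and INHERITED_ACE are the ACE_HEADER AceFlags names for the other three, the FILE_*, KEY_* and DS_* right names are the Windows names for the object-specific bits listed above, and S-1-1-0 is the well-known Everyone SID.

```python
# Added example, not code from the original reference. Decodes the numeric
# executeData/sacl/ace output described on this page into readable names.
import xml.etree.ElementTree as ET

# AceFlags bits (inheritance element). The page names the first two; the other
# three are the ACE_HEADER AceFlags constant names for those bits.
INHERITANCE = {0x1: "SUB_OBJECTS_ONLY_INHERIT", 0x2: "SUB_CONTAINERS_ONLY_INHERIT",
               0x4: "NO_PROPAGATE_INHERIT_ACE", 0x8: "INHERIT_ONLY_ACE",
               0x10: "INHERITED_ACE"}
ACCESS_MODE = {5: "audit success", 6: "audit failure"}
TRUSTEE_FORM = {0: "SID", 1: "name", 3: "objects and SID", 4: "objects and name"}
TRUSTEE_TYPE = {0: "unknown", 1: "user", 2: "group", 3: "domain", 4: "alias",
                5: "well-known group", 6: "deleted", 7: "invalid", 8: "computer"}
# Standard and generic rights (ACCESS_MASK), common to every objectType.
STANDARD_RIGHTS = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
                   0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
                   0x00100000: "SYNCHRONIZE", 0x01000000: "ACCESS_SYSTEM_SECURITY",
                   0x02000000: "MAXIMUM_ALLOWED", 0x10000000: "GENERIC_ALL",
                   0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
                   0x80000000: "GENERIC_READ"}
# Object-specific rights (low 16 bits), keyed by the SE_OBJECT_TYPE value.
SPECIFIC_RIGHTS = {
    1: {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
        0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
        0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
        0x100: "FILE_WRITE_ATTRIBUTES"},
    4: {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
        0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
    8: {0x1: "DS_CREATE_CHILD", 0x2: "DS_DELETE_CHILD", 0x4: "DS_LIST",
        0x8: "DS_SELF", 0x10: "DS_READ_PROP", 0x20: "DS_WRITE_PROP",
        0x40: "DS_DELETE_TREE", 0x80: "DS_LIST_OBJECT", 0x100: "DS_CONTROL_ACCESS"},
}

def decode_flags(value, table):
    """Expand a bit mask into the names in `table`; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    return names + ([hex(leftover)] if leftover else [])

def decode_permission(mask, object_type):
    """Decode a permission value with the rights table for the given objectType."""
    table = dict(STANDARD_RIGHTS)
    table.update(SPECIFIC_RIGHTS.get(object_type, {}))
    return decode_flags(mask, table)

def decode_sacl(xml_text):
    """Return one dict per ace element, with every enumeration value spelled out."""
    root = ET.fromstring(xml_text)
    object_type = int(root.findtext("objectType"))
    sacl = root.find("sacl")
    entries = []
    for ace in (sacl.findall("ace") if sacl is not None else []):
        inh = int(ace.findtext("inheritance"))
        mask = int(ace.findtext("permission"))
        entries.append({
            "trustee": ace.findtext("trustee"),
            "trusteeForm": TRUSTEE_FORM.get(int(ace.findtext("trusteeForm")), "?"),
            "trusteeType": TRUSTEE_TYPE.get(int(ace.findtext("trusteeType")), "?"),
            "mode": ACCESS_MODE.get(int(ace.findtext("mode")), "?"),
            "inheritance": decode_flags(inh, INHERITANCE),
            # 0x8 (inherit only): the ACE audits contained objects, not this one.
            "applies_to_object": not (inh & 0x8),
            "inherited": bool(inh & 0x10),
            "permission_mask": mask,
            "permission": decode_permission(mask, object_type),
        })
    return entries

def audit_gaps(xml_text, required_mask):
    """List the audit modes whose ACEs that apply to the object itself do not,
    taken together, cover every bit of required_mask."""
    covered = {mode: 0 for mode in ACCESS_MODE.values()}
    for entry in decode_sacl(xml_text):
        if entry["applies_to_object"] and entry["mode"] in covered:
            covered[entry["mode"]] |= entry["permission_mask"]
    return [m for m, bits in covered.items() if (bits & required_mask) != required_mask]

# Constructed sample output for a file (objectType 1). S-1-1-0 is the well-known
# Everyone SID. ACE 1 audits failed DELETE/WRITE_DAC/WRITE_OWNER (0xD0000 = 851968)
# on the file and everything below it; ACE 2 is inherit-only, so it does not
# audit the file itself.
SAMPLE = """<executeData>
  <name>C:\\Dir1\\Abc.dat</name>
  <objectType>1</objectType>
  <sacl>
    <ace><inheritance>3</inheritance><mode>6</mode><permission>851968</permission>
      <trustee>S-1-1-0</trustee><trusteeForm>0</trusteeForm><trusteeType>5</trusteeType></ace>
    <ace><inheritance>8</inheritance><mode>5</mode><permission>2</permission>
      <trustee>S-1-1-0</trustee><trusteeForm>0</trusteeForm><trusteeType>5</trusteeType></ace>
  </sacl>
</executeData>"""

if __name__ == "__main__":
    for entry in decode_sacl(SAMPLE):
        print(entry)
    # Which audit mode does not cover WRITE_DAC | WRITE_OWNER on the file itself?
    print(audit_gaps(SAMPLE, 0x00040000 | 0x00080000))  # ['audit success']
```

The decoder keeps the raw permission_mask next to the decoded names so that coverage checks can stay bitwise; unknown bits (for object types whose specific rights the page does not list) are reported in hex rather than silently dropped, and the inherit-only flag is honoured, since an ACE with AceFlags 0x8 contributes nothing to auditing of the object the SACL belongs to.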