CDacl Class

This class is a wrapper for a DACL (discretionary access-control list) structure.

Important

This class and its members cannot be used in applications that execute in the Windows Runtime.

Syntax

class CDacl : public CAcl

Members

Public Constructors

Name Description
CDacl::CDacl The constructor.
CDacl::~CDacl The destructor.

Public Methods

Name Description
CDacl::AddAllowedAce Adds an allowed ACE (access-control entry) to the CDacl object.
CDacl::AddDeniedAce Adds a denied ACE to the CDacl object.
CDacl::GetAceCount Returns the number of ACEs (access-control entries) in the CDacl object.
CDacl::RemoveAce Removes a specific ACE (access-control entry) from the CDacl object.
CDacl::RemoveAllAces Removes all of the ACEs contained in the CDacl object.

Public Operators

Name Description
CDacl::operator = Assignment operator.

Remarks

An object's security descriptor can contain a DACL. A DACL contains zero or more ACEs (access-control entries) that identify the users and groups who can access the object. If a DACL is empty (that is, it contains zero ACEs), no access is explicitly granted, so access is implicitly denied. However, if an object's security descriptor does not have a DACL, the object is unprotected and everyone has complete access.

To retrieve an object's DACL, you must be the object's owner or have READ_CONTROL access to the object. To change an object's DACL, you must have WRITE_DAC access to the object.

Use the class methods provided to create, add, remove, and delete ACEs from the CDacl object. See also AtlGetDacl and AtlSetDacl.

For an introduction to the access control model in Windows, see Access Control in the Windows SDK.

Inheritance Hierarchy

CAcl

CDacl

Requirements

Header: atlsecurity.h

CDacl::AddAllowedAce

Adds an allowed ACE (access-control entry) to the CDacl object.

bool AddAllowedAce(  
    const CSid& rSid,
    ACCESS_MASK AccessMask,
    BYTE AceFlags = 0) throw(...);

bool AddAllowedAce(  
    const CSid& rSid,
    ACCESS_MASK AccessMask,
    BYTE AceFlags,
    const GUID* pObjectType,
    const GUID* pInheritedObjectType) throw(...);

Parameters

rSid
A CSid object.

AccessMask
Specifies the mask of access rights to be allowed for the specified CSid object.

AceFlags
A set of bit flags that control ACE inheritance.

pObjectType
The object type.

pInheritedObjectType
The inherited object type.

Return Value

Returns TRUE if the ACE is added to the CDacl object, FALSE on failure.

Remarks

A CDacl object contains zero or more ACEs (access-control entries) that identify the users and groups who can access the object. This method adds an ACE that allows access to the CDacl object.

See ACE_HEADER for a description of the various flags which can be set in the AceFlags parameter.

CDacl::AddDeniedAce

Adds a denied ACE (access-control entry) to the CDacl object.

bool AddDeniedAce(  
    const CSid& rSid,
    ACCESS_MASK AccessMask,
    BYTE AceFlags = 0) throw(...);

bool AddDeniedAce(
    const CSid& rSid,
    ACCESS_MASK AccessMask,
    BYTE AceFlags,
    const GUID* pObjectType,
    const GUID* pInheritedObjectType) throw(...);

Parameters

rSid
A CSid object.

AccessMask
Specifies the mask of access rights to be denied for the specified CSid object.

AceFlags
A set of bit flags that control ACE inheritance. Defaults to 0 in the first form of the method.

pObjectType
The object type.

pInheritedObjectType
The inherited object type.

Return Value

Returns TRUE if the ACE is added to the CDacl object, FALSE on failure.

Remarks

A CDacl object contains zero or more ACEs (access-control entries) that identify the users and groups who can access the object. This method adds an ACE that denies access to the CDacl object.

See ACE_HEADER for a description of the various flags which can be set in the AceFlags parameter.

CDacl::CDacl

The constructor.

CDacl (const ACL& rhs) throw(...);
CDacl () throw();

Parameters

rhs
An existing ACL (access-control list) structure.

Remarks

The CDacl object can be optionally created using an existing ACL structure. It is important to note that only a DACL (discretionary access-control list), and not a SACL (system access-control list), should be passed as this parameter. In debug builds, passing a SACL will cause an ASSERT. In release builds, passing a SACL will cause the ACEs (access-control entries) in the ACL to be ignored, and no error will occur.

CDacl::~CDacl

The destructor.

~CDacl () throw();

Remarks

The destructor frees any resources acquired by the object, including all ACEs (access-control entries) using CDacl::RemoveAllAces.

CDacl::GetAceCount

Returns the number of ACEs (access-control entries) in the CDacl object.

UINT GetAceCount() const throw();

Return Value

Returns the number of ACEs contained in the CDacl object.

CDacl::operator =

Assignment operator.

CDacl& operator= (const ACL& rhs) throw(...);

Parameters

rhs
The ACL (access-control list) to assign to the existing object.

Return Value

Returns a reference to the updated CDacl object.

Remarks

You should ensure that you only pass a DACL (discretionary access-control list) to this function. Passing a SACL (system access-control list) to this function will cause an ASSERT in debug builds but will cause no error in release builds.

CDacl::RemoveAce

Removes a specific ACE (access-control entry) from the CDacl object.

void RemoveAce(UINT nIndex) throw();

Parameters

nIndex
Index to the ACE entry to remove.

Remarks

This method is derived from CAtlArray::RemoveAt.

CDacl::RemoveAllAces

Removes all of the ACEs (access-control entries) contained in the CDacl object.

void RemoveAllAces() throw();

Remarks

Removes every ACE (access-control entry) structure (if any) in the CDacl object.

See Also

Security Sample
CAcl Class
ACLs
ACEs
Class Overview
Security Global Functions