2.5.3.1.3 GetScopedPolicySid

A support function, GetScopedPolicySid, locates the first non-inherit-only scoped policy ACE in the ACL passed in, if one is present, and returns the SID it contains. If one is not present, then NULL is returned.

Only the SID of the first non-inherit-only scoped policy ACE is returned and enforced, but inherit-only scoped policy ACEs are allowed to be present in the ACL, because they might be inherited and applied to child objects.

 SID
 GetScopedPolicySid(
     ACL Sacl)
     --
     -- On entry
     --    Sacl is the Sacl from the security descriptor used for Access Check.
     --
  
     FOR EACH ACE in Sacl DO
         IF ACE.Type is SYSTEM_SCOPED_POLICY_ID_ACE THEN
             IF ACE.AceFlags does not contain INHERIT_ONLY_ACE flag THEN
                 Return ACE.Sid
             END IF
         END IF
     END FOR
  
     Return NULL
  
 END-SUBROUTINE
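
The same walk over a binary SACL, as an added example that is not part of the specification. It assumes the on-the-wire ACL, ACE header and SID layouts; the function and helper names and the sample SIDs are constructed for illustration. Malformed input raises rather than returning None, so a corrupt SACL cannot be mistaken for "no scoped policy".

```python
import struct

# ACE type and flag values as defined in winnt.h.
SYSTEM_AUDIT_ACE_TYPE = 0x02
SYSTEM_SCOPED_POLICY_ID_ACE_TYPE = 0x13
INHERIT_ONLY_ACE = 0x08

def sid_to_str(raw):
    """Decode a binary SID: revision, count, 6-byte authority, sub-authorities."""
    if len(raw) < 8 or len(raw) < 8 + 4 * raw[1]:
        raise ValueError("truncated SID")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "-".join(map(str, ("S", raw[0], int.from_bytes(raw[2:8], "big"), *subs)))

def get_scoped_policy_sid(sacl):
    """Return the SID of the first non-inherit-only scoped policy ACE, else None."""
    if not sacl:
        return None  # assumption: an absent SACL carries no scoped policy
    if len(sacl) < 8:
        raise ValueError("truncated ACL header")
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sacl)
    end, offset = min(acl_size, len(sacl)), 8
    for _ in range(ace_count):
        if offset + 4 > end:
            raise ValueError("truncated ACE header")
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sacl, offset)
        if ace_size < 4 or offset + ace_size > end:
            raise ValueError("bad AceSize")
        if ace_type == SYSTEM_SCOPED_POLICY_ID_ACE_TYPE and not ace_flags & INHERIT_ONLY_ACE:
            return sid_to_str(sacl[offset + 8:offset + ace_size])  # skip header + Mask
        offset += ace_size
    return None

# Constructed sample data (not from the specification).
def make_sid(authority, *subs):
    head = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)
def make_ace(ace_type, flags, sid):
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), 0) + sid
def make_acl(*aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

SAMPLE_SACL = make_acl(
    make_ace(SYSTEM_AUDIT_ACE_TYPE, 0, make_sid(1, 0)),
    make_ace(SYSTEM_SCOPED_POLICY_ID_ACE_TYPE, INHERIT_ONLY_ACE, make_sid(17, 111)),
    make_ace(SYSTEM_SCOPED_POLICY_ID_ACE_TYPE, 0, make_sid(17, 222)),
    make_ace(SYSTEM_SCOPED_POLICY_ID_ACE_TYPE, 0, make_sid(17, 333)),
)
```

For `SAMPLE_SACL` the function skips the audit ACE and the inherit-only policy ACE and returns the SID of the third ACE; the fourth is never reached.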