2.5.3.4.4 ComputeInheritedACLfromParent

This subroutine copies the ACEs from an ACL that are marked as inheritable. These ACEs are assembled into a new ACL that is returned.

Parameters

  • ACL: An ACL that contains the parent's ACEs from which to compute the inherited ACL.

  • IsContainerObject: TRUE if the object is a container; otherwise, FALSE.

  • ObjectTypes: An array of GUIDs for the object type being created.

Returns

  • The computed ACL that also includes the inherited ACEs.

     // Computes the inheritable and inherited ACEs to propagate to the new object
     // from the inheritable ACEs in the parent container object
      
     Initialize ExplicitACL to Empty ACL
      
     FOR each ACE in ACL DO
      
         IF ACE.AceFlags contains INHERIT_ONLY_ACE 
         THEN
             CONTINUE
         ENDIF
      
         IF(((ACE.AceFlags contains CONTAINER_INHERIT_ACE) AND
           (IsContainerObject = TRUE))OR
           ((ACE.AceFlags contains OBJECT_INHERIT_ACE) AND
           (IsContainerObject = FALSE)))
         THEN
      
             CASE ACE.Type OF
      
                 ACCESS_ALLOWED_ACE_TYPE:
                 ACCESS_DENIED_ACE_TYPE:
                     Create empty NewACE
                     Copy ACE to NewACE
                     Clear NewACE.AceFlags –- no flags set
                     NewACE.AceFlags = INHERITED_ACE
                     Append NewACE to ExplicitACL
      
                 ACCESS_ALLOWED_OBJECT_ACE_TYPE:
                 ACCESS_DENIED_OBJECT_ACE_TYPE:
                     IF (ObjectTypes contains ACE.ObjectGUID) THEN
                         Create empty NewACE
                         Copy ACE to NewACE
                         Clear NewACE.AceFlags –- no flags set
                         NewACE.AceFlags = INHERITED_ACE
                         Append NewACE to ExplicitACL
                     ENDIF
             ENDCASE
         ENDIF
     END FOR
      
     Initialize InheritableACL to Empty ACL
      
     IF (IsContainerObject = TRUE) THEN
      
         FOR each ACE in ACL DO
             IF ACE.AceFlags does not contain NO_PROPAGATE_INHERIT_ACE THEN
                 IF((ACE.AceFlags contains CONTAINER_INHERIT_ACE) OR
                   (ACE.AceFlags contains OBJECT_INHERIT_ACE))
                 THEN
                     Set NewACE to ACE
                     Add INHERITED_ACE to NewACE.AceFlags
                     Add INHERIT_ONLY_ACE to NewACE.AceFlags
                     Append NewACE to InheritableACL
                 ENDIF
             ENDIF
         END FOR
     ENDIF
      
     RETURN concatenation of ExplicitACL and InheritableACL
     // END  ComputeInheritedACLFromParent
      
    

There are seven flags that can appear in an ACE. Of the seven flags, the following pertain to inheritance.

  • CI: CONTAINER_INHERIT_ACE

  • OI: OBJECT_INHERIT_ACE

  • NP: NO_PROPAGATE_INHERIT_ACE

  • IO: INHERIT_ONLY_ACE

  • ID: INHERITED_ACE

IO and ID do not play a part when it comes to making decisions about inheritance. The ID flag is added to any ACE that is inherited to indicate that it was inherited. The IO flag is used to indicate that an ACE is not effective for the child that inherits the ACE. An ACE that has the IO flag can be inherited, but the decision is based on other flags, if present.

The following table summarizes the inherited ACE flags for the child container and child leaf (non-container) object based on the parent ACE flags.

Parent ACE flags

Child container object

Child leaf object

No Flags, IO

No Inheritance

No Inheritance

OI

IO,OI

Inherited, No flags

OI,NP

No Inheritance

Inherited, No flags

CI

CI

No Inheritance

CI,NP

Inherited, No flags

No Inheritance

CI,OI

IO,CI,OI

Inherited, No flags

CI,OI,NP

Inherited, No flags

Inherited, No flags

For the cases in which a container inherits an ACE that is both effective on the container and inheritable by its descendents, the container can inherit two ACEs. This occurs when an inheritable ACE contains generic information. The container inherits an ACE with an additional IO flag with generic information and an effective-only ACE in which the generic information has been mapped.