2.5.3.4.7 PostProcessACL
The purpose of this subroutine is to process the ACL and make it concrete by replacing certain macro SIDs with the actual SIDs for the principals involved, and to translate from generic access bit flags to the actual object-specific access flags. The caller specifies a filter to apply, namely whether only inherited ACEs, only explicit ACEs, or all ACEs will be copied.
Parameters
ACL: ACL on which to substitute SIDs.
CopyFilter: Enumeration of the following filters for post-processing the ACL: CopyAllAces, CopyInheritedAces, CopyExplicitAces.
Owner: Owner to use in substituting the CreatorOwner SID.
Group: Group to use in substituting the CreatorGroup SID.
GenericMapping: Mapping of generic permissions to resource manager-specific permissions supplied by the caller.
Returns
The computed ACL with the SID substitutions performed.
// Substitute CreatorOwner and CreatorGroup SIDs and do GenericMapping in ACL

Initialize NewACL to Empty ACL

FOR each ACE in ACL DO

    // Determine if this ACE passes the filter to be copied to the new ACL
    SET CopyThisAce = FALSE

    CASE CopyFilter OF
        CopyAllAces:
            BEGIN
                SET CopyThisAce = TRUE
            END
        CopyInheritedAces:
            BEGIN
                IF (ACE.AceFlags contains INHERITED_ACE) THEN
                    SET CopyThisAce = TRUE
                ENDIF
            END
        CopyExplicitAces:
            BEGIN
                IF (ACE.AceFlags does not contain INHERITED_ACE) THEN
                    SET CopyThisAce = TRUE
                ENDIF
            END
    ENDCASE

    Set NewACE to ACE

    IF (CopyThisAce) THEN
        CASE ACE.Sid OF
            CREATOR_OWNER:
                NewACE.Sid = Owner
            CREATOR_GROUP:
                NewACE.Sid = Group
        ENDCASE

        IF (ACE.Mask contains GENERIC_READ) THEN
            Add GenericMapping.GenericRead to NewACE.Mask
        ENDIF

        IF (ACE.Mask contains GENERIC_WRITE) THEN
            Add GenericMapping.GenericWrite to NewACE.Mask
        ENDIF

        IF (ACE.Mask contains GENERIC_EXECUTE) THEN
            Add GenericMapping.GenericExecute to NewACE.Mask
        ENDIF

        Append NewACE to NewACL
    ENDIF

END FOR

RETURN NewACL
// END PostProcessACL
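The subroutine above as runnable Python, added here as an illustration and not part of the specification text. The flag values and well-known SIDs are the standard Windows constants, which this page does not list; the Ace and GenericMapping classes, the owner and group SIDs, and the sample ACL are constructed for the example, with the mapping set to the file-object generic rights.

```python
from dataclasses import dataclass, replace
from enum import Enum

# Standard Windows values (assumed; this page does not list them).
INHERITED_ACE = 0x10
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000
CREATOR_OWNER, CREATOR_GROUP = "S-1-3-0", "S-1-3-1"

CopyFilter = Enum("CopyFilter", "CopyAllAces CopyInheritedAces CopyExplicitAces")

@dataclass(frozen=True)
class Ace:  # hypothetical minimal ACE: trustee SID, access mask, AceFlags
    sid: str
    mask: int
    ace_flags: int = 0

@dataclass(frozen=True)
class GenericMapping:  # object-specific rights for each generic right
    generic_read: int
    generic_write: int
    generic_execute: int

def post_process_acl(acl, copy_filter, owner, group, mapping):
    new_acl = []
    for ace in acl:
        inherited = bool(ace.ace_flags & INHERITED_ACE)
        if copy_filter is CopyFilter.CopyInheritedAces and not inherited:
            continue
        if copy_filter is CopyFilter.CopyExplicitAces and inherited:
            continue
        # Replace the macro SIDs with the concrete principals.
        sid = {CREATOR_OWNER: owner, CREATOR_GROUP: group}.get(ace.sid, ace.sid)
        mask = ace.mask
        # As in the pseudocode, specific bits are added; generic bits are not cleared.
        for generic, specific in ((GENERIC_READ, mapping.generic_read),
                                  (GENERIC_WRITE, mapping.generic_write),
                                  (GENERIC_EXECUTE, mapping.generic_execute)):
            if ace.mask & generic:
                mask |= specific
        new_acl.append(replace(ace, sid=sid, mask=mask))
    return new_acl

# Constructed sample input: file-object mapping, made-up owner/group SIDs.
FILE_MAPPING = GenericMapping(0x120089, 0x120116, 0x1200A0)
OWNER, GROUP = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513"
SAMPLE_ACL = [
    Ace(CREATOR_OWNER, GENERIC_READ | GENERIC_WRITE, INHERITED_ACE),
    Ace(CREATOR_GROUP, GENERIC_READ, INHERITED_ACE),
    Ace("S-1-5-32-544", GENERIC_EXECUTE),  # explicit ACE for BUILTIN\Administrators
]
```

Running it with each CopyFilter value over SAMPLE_ACL shows which ACEs survive the filter and what trustee and mask an auditor should expect to see on the resulting object.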