2.5.3.4.1 CreateSecurityDescriptor


This is the top-level routine that assembles the contributions from the parent security descriptor and the creator descriptor and possibly the default DACL from the token.  This is fairly high-level, and relies primarily upon the subroutine ComputeACL, specified in section 2.5.3.4.2.

Parameters

  • ParentDescriptor: Security descriptor for the parent (container) object of the new object. If the object has no parent, this parameter is null.

  • CreatorDescriptor: Security descriptor for the new object provided by the creator of the object. Caller can pass null.

  • IsContainerObject: BOOLEAN: TRUE when the object is a container; otherwise, FALSE.

  • ObjectTypes: An array of pointers to GUID structures that identify the object types or classes of the object associated with NewDescriptor (the return value). For Active Directory objects, this array contains pointers to the class GUIDs of the object's structural class and all attached auxiliary classes. If the object for which this descriptor is being created does not have a GUID, this field MUST be set to null.

  • AutoInheritFlags: A set of bit flags that control how access control entries (ACEs) are inherited from ParentDescriptor. This parameter can be a combination of the following values:

    • DACL_AUTO_INHERIT: If set, inheritable ACEs from the parent security descriptor DACL are merged with the explicit ACEs in the CreatorDescriptor.

    • SACL_AUTO_INHERIT: If set, inheritable ACEs from the parent security descriptor SACL are merged with the explicit ACEs in the CreatorDescriptor.

    • DEFAULT_DESCRIPTOR_FOR_OBJECT: Selects the CreatorDescriptor as the default security descriptor, provided that no object-type-specific ACEs are inherited from the parent. If such ACEs do get inherited, CreatorDescriptor is ignored.

    • DEFAULT_OWNER_FROM_PARENT: Relevant only when the owner field is not specified in CreatorDescriptor. If this flag is set, the owner field in NewDescriptor is set to the owner of ParentDescriptor. If not set, the owner from the token is selected.

    • DEFAULT_GROUP_FROM_PARENT: Relevant only when the primary group field is not specified in CreatorDescriptor. If this flag is set, the primary group of NewDescriptor is set to the primary group of ParentDescriptor. If not set, the default group from the token is selected.

  • Token: Authorization context supplied by the caller; it contains the ownership information as well as the default DACL, for the case where a default DACL is necessary.

  • GenericMapping: Mapping of generic permissions to resource manager-specific permissions supplied by the caller.

Returns

  • NewDescriptor: Output security descriptor for the object computed by the algorithm.

     // Step 1: Compute the Owner field. If there is no specified owner,
     // then determine an appropriate owner.
     IF CreatorDescriptor.Owner is NULL THEN
      
         IF AutoInheritFlags contains DEFAULT_OWNER_FROM_PARENT THEN
             Set NewDescriptor.Owner to ParentDescriptor.Owner
         ELSE
             Set NewDescriptor.Owner to Token.SIDs[Token.OwnerIndex]
         ENDIF
      
     ELSE
         Set NewDescriptor.Owner to CreatorDescriptor.Owner
     ENDIF
      
     // Step 2: Compute the Group field. If there is no specified group,
     // then determine the appropriate group.
      
     IF CreatorDescriptor.Group is NULL THEN
      
         IF AutoInheritFlags contains DEFAULT_GROUP_FROM_PARENT THEN
             Set NewDescriptor.Group to ParentDescriptor.Group
         ELSE
             Set NewDescriptor.Group to Token.SIDs[Token.PrimaryGroup]
         ENDIF
      
     ELSE
         Set NewDescriptor.Group to CreatorDescriptor.Group
     ENDIF
      
     // Step 3: Compute the DACL
      
     CALL ComputeACL WITH
           ComputeType set to COMPUTE_DACL, 
           ParentACL set to ParentDescriptor.DACL, 
           AutoInheritFlags set to AutoInheritFlags,
           ParentControl set to ParentDescriptor.Control,
           CreatorACL set to CreatorDescriptor.DACL,
           CreatorControl set to CreatorDescriptor.Control,
           IsContainerObject set to IsContainerObject,
           ObjectTypes set to ObjectTypes, 
           GenericMapping set to GenericMapping,
           Owner set to NewDescriptor.Owner, 
           Group set to NewDescriptor.Group, 
           Token set to Token
     RETURNING NewDACL, NewControl
      
     Set NewDescriptor.DACL to NewDACL
     Set NewDescriptor.Control to NewControl
      
     // Step 4: Compute the SACL
      
     CALL ComputeACL WITH
           ComputeType set to COMPUTE_SACL,
           ParentACL set to ParentDescriptor.SACL,
           AutoInheritFlags set to AutoInheritFlags,
           ParentControl set to ParentDescriptor.Control,
           CreatorACL set to CreatorDescriptor.SACL,
           CreatorControl set to CreatorDescriptor.Control,
           IsContainerObject set to IsContainerObject,
           ObjectTypes set to ObjectTypes,
           GenericMapping set to GenericMapping,
           Owner set to NewDescriptor.Owner,
           Group set to NewDescriptor.Group,
           Token set to Token
     RETURNING NewSACL, NewControl
      
     Set NewDescriptor.SACL to NewSACL
     Set NewDescriptor.Control to (NewDescriptor.Control OR NewControl)
      
     RETURN NewDescriptor
     // END CreateSecurityDescriptor
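The four steps above as an added Python model; this is not the specification's own code. ComputeACL is defined in section 2.5.3.4.2 rather than here, so compute_acl below is an assumed, simplified stand-in that only merges the parent's inheritable ACEs with the creator's explicit ACEs when the matching AUTO_INHERIT flag is set; the numeric flag, Control and ACE-flag values are assumptions as well, since only bit membership matters to the algorithm.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# AutoInheritFlags bits (values follow the Win32 SEF_* constants; assumption, only
# membership matters here), plus the Control and ACE-flag bits the stand-in uses.
DACL_AUTO_INHERIT, SACL_AUTO_INHERIT = 0x01, 0x02
DEFAULT_OWNER_FROM_PARENT, DEFAULT_GROUP_FROM_PARENT = 0x20, 0x40
SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010
SE_DACL_AUTO_INHERITED, SE_SACL_AUTO_INHERITED = 0x0400, 0x0800
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, INHERITED_ACE = 0x01, 0x02, 0x10

Ace = namedtuple("Ace", "sid mask flags")
Token = namedtuple("Token", "sids owner_index primary_group")  # only the fields read here

@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl: Optional[list] = None
    sacl: Optional[list] = None
    control: int = 0

def compute_acl(kind, parent_acl, flags, creator_acl, is_container):
    """Stand-in for ComputeACL (2.5.3.4.2): the creator's explicit ACEs plus the parent
    ACEs inheritable by this object kind, when the matching AUTO_INHERIT bit is set."""
    inherit, present, auto = ((DACL_AUTO_INHERIT, SE_DACL_PRESENT, SE_DACL_AUTO_INHERITED) if kind == "DACL"
                              else (SACL_AUTO_INHERIT, SE_SACL_PRESENT, SE_SACL_AUTO_INHERITED))
    acl = list(creator_acl or [])
    control = present if creator_acl is not None else 0   # a null ACL is not "present"
    if flags & inherit and parent_acl:
        want = CONTAINER_INHERIT_ACE if is_container else OBJECT_INHERIT_ACE
        inherited = [Ace(a.sid, a.mask, a.flags | INHERITED_ACE) for a in parent_acl if a.flags & want]
        if inherited:
            acl += inherited
            control |= present | auto
    return (acl if control & present else None), control

def create_security_descriptor(parent, creator, is_container, flags, token):
    creator = creator or SecurityDescriptor()   # caller may pass null
    parent = parent or SecurityDescriptor()     # no parent: treat every parent field as null (modelling choice)
    new = SecurityDescriptor()
    # Steps 1 and 2: creator's owner/group win; else the parent's if the flag says so; else the token's
    new.owner = creator.owner or (parent.owner if flags & DEFAULT_OWNER_FROM_PARENT else token.sids[token.owner_index])
    new.group = creator.group or (parent.group if flags & DEFAULT_GROUP_FROM_PARENT else token.sids[token.primary_group])
    # Steps 3 and 4: compute each ACL, OR-ing the SACL call's Control bits into the DACL call's
    new.dacl, new.control = compute_acl("DACL", parent.dacl, flags, creator.dacl, is_container)
    new.sacl, sacl_control = compute_acl("SACL", parent.sacl, flags, creator.sacl, is_container)
    new.control |= sacl_control
    return new
```

Note that a creator descriptor with no DACL and no inheritance requested yields a null DACL (Control without SE_DACL_PRESENT), which is distinct from an empty one.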