The SeAssignSecurity routine builds a self-relative security descriptor for a new object, given the security descriptor of its parent directory and any originally requested security for the object.
NTSTATUS SeAssignSecurity( PSECURITY_DESCRIPTOR ParentDescriptor, PSECURITY_DESCRIPTOR ExplicitDescriptor, PSECURITY_DESCRIPTOR *NewDescriptor, BOOLEAN IsDirectoryObject, PSECURITY_SUBJECT_CONTEXT SubjectContext, PGENERIC_MAPPING GenericMapping, POOL_TYPE PoolType );
Pointer to a buffer containing the SECURITY_DESCRIPTOR for the parent directory, if any, containing the new object being created. ParentDescriptor can be NULL, or have a NULL system access control list (SACL) or a NULL discretionary access control list (DACL).
Pointer to a buffer containing the SECURITY_DESCRIPTOR specified by the user that is applied to the new object. ExplicitDescriptor can be NULL, or have a NULL SACL or a NULL DACL.
Receives a pointer to the returned SECURITY_DESCRIPTOR. SeAssignSecurity allocates the buffer from the paged memory pool.
Specifies whether the new object is a directory object. TRUE indicates the object contains other objects.
Pointer to a buffer containing the security context of the subject creating the object. This is used to retrieve default security information for the new object, such as the default owner, the primary group, and discretionary access control.
Pointer to the GENERIC_MAPPING structure that describes the mapping from each generic right to the implied nongeneric rights.
This parameter is unused. The buffer to hold the new security descriptor is always allocated from paged pool.
SeAssignSecurity can return one of the following:
||The assignment was successful.|
||The SID provided for the owner of the target security descriptor is not one the caller is authorized to assign as the owner of an object.|
||The caller does not have the privilege (SeSecurityPrivilege) necessary to explicitly assign the specified system ACL.|
The final security descriptor returned to the caller may contain a mix of information, some explicitly provided from the new object's parent.
SeAssignSecurity assumes privilege checking has not been performed. This routine performs privilege checking.
The assignment of system and discretionary ACLs is governed by the logic illustrated in the following table:
|Explicit (nondefault) ACL specified||Explicit default ACL specified||No ACL specified|
|Inheritable ACL from parent||Assign specified ACL||Assign inherited ACL||Assign inherited ACL|
|No inheritable ACL from parent||Assign specified ACL||Assign default ACL||Assign no ACL|
An explicitly specified ACL, whether a default ACL or not, can be empty or null. The caller must be a kernel-mode client or be appropriately privileged to explicitly assign a default or nondefault system ACL.
The assignment of the new object's owner and group is governed by the following logic:
- If the passed security descriptor includes an owner, it is assigned as the new object's owner. Otherwise, the caller's token is considered to determine the owner. Within the token, the default owner, if any, is assigned. Otherwise, the caller's user ID is assigned.
- If the passed security descriptor includes a group, it is assigned as the new object's group. Otherwise, the caller's token is considered to determine the group. Within the token, the default group, if any, is assigned. Otherwise, the caller's primary group ID is assigned.
|Minimum supported client||Available in Windows 2000 and later versions of Windows.|
|Header||wdm.h (include Wdm.h, Ntddk.h, Ntifs.h)|
|DDI compliance rules||PowerIrpDDis, HwStorPortProhibitedDDIs|