Native Wifi API Permissions

A Native Wifi API call may fail with when a caller does not have adequate permissions to perform the requested operation.

Permissions are stored in a discretionary access control lists (DACL) associated with a WLAN_SECURABLE_OBJECT. For more information about DACLs and securable objects, see How DACLs Control Access to an Object.

The following table shows the Native Wifi functions that use securable objects to determine if the caller has sufficient permissions to perform the requested operation. It also shows the securable objects used by each function.

Function Securable object
WlanGetFilterList, WlanSetFilterList
  • wlan_secure_deny_list
  • wlan_secure_permit_list
  • wlan_secure_ihv_control
WlanQueryAutoConfigParameter, WlanSetAutoConfigParameter
  • wlan_secure_show_denied
WlanQueryInterface, WlanSetInterface
  • wlan_secure_ac_enabled
  • wlan_secure_bc_scan_enabled
  • wlan_secure_bss_type
  • wlan_secure_current_operation_mode
  • wlan_secure_interface_properties
  • wlan_secure_media_streaming_mode_enabled
  • wlan_secure_add_new_all_user_profiles
  • wlan_secure_add_new_per_user_profiles
WlanSetProfileList, WlanSetProfilePosition
  • wlan_secure_all_user_profiles_order


Before one of the above-named functions completes its operation, the function retrieves the DACL stored in the appropriate securable object. The function then checks the DACL to see if the caller has sufficient permissions. The WlanGet* and WlanQuery* functions require that the DACL contains an access control entry (ACE) that grants the access token of the calling thread WLAN_READ_ACCESS to the function. The WlanSet* functions require an ACE that grants the access token of the calling thread WLAN_WRITE_ACCESS. If the caller does not have sufficient permissions, the function call fails with the error ERROR_ACCESS_DENIED.

Each securable object has a DACL associated with it by default. The default permissions stored in the DACL can be changed using the WlanSetSecuritySettings function. To determine the effective user rights required to perform an operation on a particular system, call WlanGetSecuritySettings.

All-user profiles have additional permissions associated with the profile itself. The permissions on an all-user profile are established when the profile is created or modified using WlanSetProfile or WlanSaveTemporaryProfile. The strAllUserProfileSecurity parameter specifies the required permissions for modifying a profile, deleting a profile, or connecting to a network using a profile. Deleting or modifying a profile requires WLAN_WRITE_ACCESS permission. Connecting to a network using a profile requires WLAN_EXECUTE_ACCESS permission.

**Windows XP with SP3 and Wireless LAN API for Windows XP with SP2:  ** The WlanGetSecuritySettings and WlanSetSecuritySettings functions are not supported. The strAllUserProfileSecurity parameter is not used.

How DACLs Control Access to an Object