Getting Information from an ACL

Several functions are provided that retrieve access control information from an access control list (ACL). These include functions for determining the access rights that an ACL grants or audits for a specified trustee. Other functions enable you to extract information about the access control entries (ACEs) in an ACL.

The GetExplicitEntriesFromAcl function retrieves an array of EXPLICIT_ACCESS structures that describe the ACEs in an ACL. This can be useful when copying ACE information from one ACL to another. For example, a call to GetExplicitEntriesFromAcl to get information about the ACEs in one ACL can be followed by passing the returned EXPLICIT_ACCESS structures in a call to the SetEntriesInAcl function to create equivalent ACEs in a new ACL.

The GetEffectiveRightsFromAcl function enables you to determine the effective access rights that a DACL grants to a specified trustee. The trustee's effective access rights are the access rights that a DACL grants to the trustee or to any groups of which the trustee is a member. GetEffectiveRightsFromAcl checks all access-allowed and access-denied ACEs in the specified DACL.

Use the following steps to determine a trustee's access rights to an object:

  1. Call the GetSecurityInfo or GetNamedSecurityInfo function to get a pointer to an object's DACL.
  2. Call the GetEffectiveRightsFromAcl function to retrieve the access rights that the DACL grants to a specified trustee.
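The two steps above carried out in C, as an added example that is not part of the original documentation: fetch a file's DACL with GetNamedSecurityInfo, ask GetEffectiveRightsFromAcl what a named trustee can effectively do, and decode the returned access mask. The Win32 calls assume a Windows build; the decoder uses the FILE_GENERIC_* values from winnt.h so it compiles elsewhere too, and the function names effective_file_rights and describe_file_rights are my own.

```c
/* Added example, not Microsoft's code: effective rights of a named trustee on a
   file. The Win32 part builds only on Windows; the mask decoder builds anywhere. */
#include <string.h>
#ifdef _WIN32
#  include <windows.h>
#  include <aclapi.h>
#else /* constant values copied from winnt.h so the decoder builds on other platforms */
typedef unsigned long DWORD;
enum { FILE_GENERIC_READ = 0x00120089, FILE_GENERIC_WRITE = 0x00120116,
       FILE_GENERIC_EXECUTE = 0x001200A0, DELETE = 0x00010000,
       WRITE_DAC = 0x00040000, WRITE_OWNER = 0x00080000 };
#endif
/* Decode an access mask from GetEffectiveRightsFromAcl into a readable list; a
   generic right counts only when all of its bits are set. Uses a static buffer. */
const char *describe_file_rights(DWORD mask)
{
    static const struct { DWORD bits; const char *name; } flags[] = {
        { FILE_GENERIC_READ, "read" }, { FILE_GENERIC_WRITE, "write" },
        { FILE_GENERIC_EXECUTE, "exec" }, { DELETE, "delete" },
        { WRITE_DAC, "change-permissions" }, { WRITE_OWNER, "take-ownership" } };
    static char out[96];
    out[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if ((mask & flags[i].bits) != flags[i].bits) continue;
        if (out[0]) strcat(out, ",");
        strcat(out, flags[i].name);
    }
    return out;
}
#ifdef _WIN32
/* Steps 1 and 2 from the text. Returns ERROR_SUCCESS or a Win32 error code. */
DWORD effective_file_rights(LPCWSTR path, LPWSTR trustee_name, ACCESS_MASK *mask)
{
    PACL dacl = NULL;
    PSECURITY_DESCRIPTOR sd = NULL;
    TRUSTEE_W trustee;
    DWORD err = GetNamedSecurityInfoW(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                      NULL, NULL, &dacl, NULL, &sd);
    if (err != ERROR_SUCCESS) return err;
    if (dacl == NULL) {              /* a NULL DACL grants everyone full access */
        *mask = FILE_ALL_ACCESS;
    } else {
        BuildTrusteeWithNameW(&trustee, trustee_name);
        err = GetEffectiveRightsFromAclW(dacl, &trustee, mask);
    }
    LocalFree(sd);                   /* dacl points into sd, so free it last */
    return err;
}
#endif
```

On Windows, call effective_file_rights(L"C:\\path\\to\\file", L"DOMAIN\\user", &mask) and pass the mask to describe_file_rights to see the trustee's effective rights in words.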

The GetAuditedPermissionsFromAcl function enables you to check a SACL to determine the audited access rights for a specified trustee or for any groups of which the trustee is a member. The audited rights indicate the types of access attempts that cause the system to generate an audit record in the security event log. The function returns two access masks: one containing the access rights monitored for failed access attempts, and another containing the access rights monitored for successful access. GetAuditedPermissionsFromAcl checks all system-audit ACEs in a SACL.