Low-level Security Descriptor Creation

Low-level access control provides a set of functions for creating a security descriptor and getting and setting the components of a security descriptor. The low-level functions for initializing and setting the components of a security descriptor work only with absolute-format security descriptors. The low-level functions for getting the components of a security descriptor work with both absolute and self-relative security descriptors.

The InitializeSecurityDescriptor function initializes a SECURITY_DESCRIPTOR buffer. The initialized security descriptor is in absolute format and has no owner, primary group, discretionary access control list (DACL), or system access control list (SACL). You can use the following low-level functions to get or set specific components of a specified security descriptor.

| Function | Description |
| --- | --- |
| GetSecurityDescriptorControl | Retrieves revision and control information from a security descriptor. |
| GetSecurityDescriptorDacl | Retrieves the DACL from a security descriptor. |
| GetSecurityDescriptorGroup | Retrieves the primary group security identifier (SID) from a security descriptor. |
| GetSecurityDescriptorLength | Returns the length of a security descriptor. |
| GetSecurityDescriptorOwner | Retrieves the owner SID from a security descriptor. |
| GetSecurityDescriptorSacl | Retrieves the SACL from a security descriptor. |
| SetSecurityDescriptorDacl | Puts a DACL into a security descriptor, superseding any existing DACL. |
| SetSecurityDescriptorGroup | Sets the primary group SID of a security descriptor. |
| SetSecurityDescriptorOwner | Sets the owner SID of a security descriptor. |
| SetSecurityDescriptorSacl | Puts a SACL into a security descriptor, superseding any existing SACL. |


To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor function.
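To make "revision level and structural integrity" concrete, the following added example (not Microsoft's code and not the implementation of IsValidSecurityDescriptor) runs a simplified version of such a check over a self-relative security descriptor held in a byte buffer. It assumes the self-relative layout documented in MS-DTYP; `sd_check`, `sd_check_mutated` and `SAMPLE_SD` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Self-relative header (MS-DTYP): Revision, Sbz1, Control, then four 32-bit
 * little-endian offsets: Owner, Group, Sacl, Dacl. Offset 0 means "absent". */
#define SE_DACL_PRESENT  0x0004u
#define SE_SACL_PRESENT  0x0010u
#define SE_SELF_RELATIVE 0x8000u
enum { SD_OK, SD_TRUNCATED, SD_BAD_REVISION, SD_NOT_SELF_RELATIVE,
       SD_BAD_OWNER, SD_BAD_GROUP, SD_BAD_SACL, SD_BAD_DACL };
static uint32_t rd(const uint8_t *p, int n) {   /* little-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
/* A SID or ACL must start after the 20-byte header and have room for its 8 fixed bytes. */
static int fits(size_t len, uint32_t off) { return off >= 20 && off <= len && len - off >= 8; }
static int sid_ok(const uint8_t *sd, size_t len, uint32_t off) {
    if (off == 0) return 1;   /* owner or group not set */
    return fits(len, off) && sd[off] == 1 && sd[off + 1] <= 15 && len - off >= 8 + 4u * sd[off + 1];
}
static int acl_ok(const uint8_t *sd, size_t len, uint32_t off) {
    if (off == 0) return 1;   /* present flag with offset 0 is a NULL ACL */
    return fits(len, off) && rd(sd + off + 2, 2) >= 8 && rd(sd + off + 2, 2) <= len - off;
}
int sd_check(const uint8_t *sd, size_t len) {
    if (len < 20) return SD_TRUNCATED;
    if (sd[0] != 1) return SD_BAD_REVISION;
    uint32_t control = rd(sd + 2, 2);
    if (!(control & SE_SELF_RELATIVE)) return SD_NOT_SELF_RELATIVE;
    if (!sid_ok(sd, len, rd(sd + 4, 4))) return SD_BAD_OWNER;
    if (!sid_ok(sd, len, rd(sd + 8, 4))) return SD_BAD_GROUP;
    if ((control & SE_SACL_PRESENT) && !acl_ok(sd, len, rd(sd + 12, 4))) return SD_BAD_SACL;
    if ((control & SE_DACL_PRESENT) && !acl_ok(sd, len, rd(sd + 16, 4))) return SD_BAD_DACL;
    return SD_OK;
}
static const uint8_t SAMPLE_SD[40] = {   /* constructed sample, not captured data */
    1, 0, 0x04, 0x80,  20,0,0,0,  0,0,0,0,  0,0,0,0,  32,0,0,0,  /* Control 0x8004, Owner@20, Dacl@32 */
    1, 1, 0,0,0,0,0,5, 18,0,0,0,                                 /* owner SID S-1-5-18 */
    2, 0, 8,0, 0,0, 0,0                                          /* ACL rev 2, AclSize 8, no ACEs */
};
int sd_check_mutated(size_t i, uint8_t v) {   /* re-check the sample with byte i set to v */
    uint8_t c[sizeof SAMPLE_SD];
    memcpy(c, SAMPLE_SD, sizeof c); c[i] = v;
    return sd_check(c, sizeof c);
}
int main(void) {
    printf("ok=%d moved_dacl=%d\n", sd_check(SAMPLE_SD, 40), sd_check_mutated(17, 0x10));
    return 0;
}
```

On Windows, call IsValidSecurityDescriptor itself; the sketch only shows the kind of bounds and revision checks a parser of untrusted descriptors needs before dereferencing any offset.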