Microsoft Learn

AddAccessAllowedObjectAce Function

This function adds an access-allowed object access control entry (ACE) to the specified access control list (ACL).

Syntax

BOOL AddAccessAllowedObjectAce(
  [in, out] PACL  pAcl,
  [in]      DWORD dwRevision,
  [in]      DWORD AceFlags,
  [in]      ACCESS_MASK AccessMask,
  [in]      PSID  pSid,
  [in]      const GUID *pObjectType,
  [in]      const GUID *pInheritedObjectType,
  [out]     LPBOOL pfDefaulted
);

Parameters

| Parameter | Description |
| --- | --- |
| pAcl | A pointer to the ACL to which the ACE will be added. This is a pointer to an ACL structure. |
| dwRevision | The revision level of the ACL. This must be either ACL_REVISION or ACL_REVISION_DS. |
| AceFlags | A set of flags that control the inheritance of the ACE. This can be zero or a combination of the ACE_HEADER structure's AceFlags member values. |
| AccessMask | The access mask that specifies the access rights granted by the ACE. |
| pSid | A pointer to a security identifier (SID) that identifies the trustee to whom the ACE grants access. |
| pObjectType | A pointer to a GUID that identifies the type of object to which the ACE applies. If this ACE does not apply to a specific object type, this parameter must be NULL. |
| pInheritedObjectType | A pointer to a GUID that identifies the type of child object to which the ACE should be inherited. If this ACE does not apply to a specific inherited object type, this parameter must be NULL. |
| pfDefaulted | A pointer to a boolean value that receives a value indicating whether the ACE was inherited. |

Return Value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

TRUE: The ACE was successfully added to the ACL.

FALSE: The ACE could not be added.

Remarks

The AddAccessAllowedObjectAce function adds an ACE to the end of the ACL specified by pAcl. If the ACL does not have enough space to accommodate the new ACE, the ACL is reallocated.

The pObjectType and pInheritedObjectType parameters are used to specify the GUIDs for object-specific ACEs. For example, a directory object might have a GUID for the container object type and another GUID for the file object type.
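How the two optional GUIDs appear in the stored ACE, as an added example that is not part of the original page: a portable C parser for the binary ACCESS_ALLOWED_OBJECT_ACE layout, run over a constructed sample, which an ACL audit can use to tell an object-specific grant from a general one. The constants are the Windows SDK values; `object_ace_view`, `parse_object_ace` and `SAMPLE_ACE` are hypothetical names, and the GUID in the sample is a placeholder.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows SDK (winnt.h), repeated so this builds anywhere. */
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE    0x05
#define ACE_OBJECT_TYPE_PRESENT           0x1
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2

typedef struct {   /* hypothetical helper type: pointers into the caller's buffer */
    uint8_t ace_flags; uint32_t mask, flags;
    const uint8_t *object_type, *inherited_type;   /* NULL when the GUID is absent */
    const uint8_t *sid; size_t sid_len;
} object_ace_view;

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Returns 0 on success, -1 if the bytes are not a well-formed access-allowed object ACE. */
int parse_object_ace(const uint8_t *b, size_t n, object_ace_view *v) {
    if (n < 12 || b[0] != ACCESS_ALLOWED_OBJECT_ACE_TYPE) return -1;
    size_t size = (size_t)b[2] | (size_t)b[3] << 8, off = 12;   /* AceSize; end of fixed part */
    if (size < 12 || size > n) return -1;
    v->ace_flags = b[1]; v->mask = le32(b + 4); v->flags = le32(b + 8);
    v->object_type = v->inherited_type = NULL;
    if (v->flags & ACE_OBJECT_TYPE_PRESENT) {            /* GUID stored only when flagged */
        if (size - off < 16) return -1;
        v->object_type = b + off; off += 16;
    }
    if (v->flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
        if (size - off < 16) return -1;
        v->inherited_type = b + off; off += 16;
    }
    /* SID: revision, sub-authority count, 6-byte authority, then count * 4 bytes. */
    if (size - off < 8 || size - off < 8 + 4 * (size_t)b[off + 1]) return -1;
    v->sid = b + off; v->sid_len = 8 + 4 * (size_t)b[off + 1];
    return 0;
}

/* Constructed sample: object type GUID present, inherited type absent, mask 0x100, SID S-1-5-11. */
const uint8_t SAMPLE_ACE[] = {
    0x05, 0x00, 0x28, 0x00,  0x00, 0x01, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  0x0b, 0x00, 0x00, 0x00
};

int main(void) {
    object_ace_view v;
    if (parse_object_ace(SAMPLE_ACE, sizeof SAMPLE_ACE, &v) != 0) return 1;
    printf("mask=0x%x object=%d inherited=%d\n", (unsigned)v.mask, v.object_type != NULL, v.inherited_type != NULL);
    return 0;
}
```

An ACE whose flags claim a GUID that does not fit inside AceSize is rejected rather than read past its end.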

Requirements

| Attribute | Details |
| --- | --- |
| Minimum supported client | Windows Vista [desktop apps only] |
| Minimum supported server | Windows Server 2008 [desktop apps only] |
| Header | securitybaseapi.h (include windows.h) |
| Library | Advapi32.lib |
| DLL | Advapi32.dll |