ACL Structures
This section describes the structures related to Access Control Lists (ACLs) in the Windows operating system.
Introduction to ACLs
Access Control Lists (ACLs) are fundamental security components in Windows. They define the permissions that specific users or groups have on securable objects, such as files, directories, registry keys, or processes. Each ACL is composed of a list of Access Control Entries (ACEs), where each ACE specifies the type of access (allow or deny) and the set of permissions granted or denied to a particular Security Identifier (SID).
Understanding ACL structures is crucial for implementing secure applications and managing system access effectively.
Key ACL Structures
ACL Structure
The ACL structure represents an Access Control List. It is a fixed-size header followed in memory by a variable-length sequence of ACE structures, so the whole ACL is variable-length even though the structure itself is not.
typedef struct _ACL {
  BYTE AclRevision;
  BYTE Sbz1;
  WORD AclSize;
  WORD AceCount;
  WORD Sbz2;
} ACL;
Members:
AclRevision: The revision level of the ACL. Should be ACL_REVISION or ACL_REVISION_DS.
Sbz1: Reserved; must be zero.
AclSize: The size of the ACL, in bytes, including this header and all of the ACEs that follow it.
AceCount: The number of ACEs in the ACL.
Sbz2: Reserved; must be zero.
The ACEs are not members of the structure: they follow the header contiguously in memory, and their size and content depend on AclSize. Code that walks them steps from one ACE to the next by each ACE's AceSize and stops at AclSize.
ACE_HEADER Structure
The ACE_HEADER structure is the common header for all types of ACEs. It defines the type and size of the ACE.
typedef struct _ACE_HEADER {
BYTE AceType;
BYTE AceFlags;
WORD AceSize;
} ACE_HEADER;
Members:
AceType: The type of ACE. Common values include ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, and SYSTEM_AUDIT_ACE_TYPE.
AceFlags: Flags that control the inheritance of the ACE.
AceSize: The size of the ACE structure, in bytes, including the header and the ACE-specific data.
ACCESS_ALLOWED_ACE Structure
This structure represents an ACE that grants specific permissions to a trustee (user or group).
typedef struct _ACCESS_ALLOWED_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  DWORD SidStart;
} ACCESS_ALLOWED_ACE;
Members:
Header: An ACE_HEADER structure.
Mask: An ACCESS_MASK bitmask that specifies the access rights being granted.
SidStart: The first DWORD of the trustee's SID. The rest of the SID follows immediately in memory, so the SID extends past the end of the structure and its length is Header.AceSize minus the size of the preceding fields.
The ACCESS_DENIED_ACE structure is similar but denies permissions.
SYSTEM_AUDIT_ACE Structure
This structure represents an ACE that specifies whether to audit accesses to an object.
typedef struct _SYSTEM_AUDIT_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;
  DWORD SidStart;
} SYSTEM_AUDIT_ACE;
Members:
Similar to ACCESS_ALLOWED_ACE, but used for auditing.
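To make these layouts concrete, the following is an added example (not code from this page) that parses a constructed self-relative ACL byte by byte. It defines local mirrors of ACL and ACE_HEADER (named AclHeader and AceHeader, hypothetical names chosen so it builds without winnt.h), validates AclSize and every AceSize against the buffer before dereferencing anything, and reads each trustee SID starting at the SidStart position. It assumes a C99 compiler and handles only the three simple ACE types described above; any other ACE type is rejected rather than misparsed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Local mirrors of the winnt.h layouts (hypothetical names) so the parser builds off-Windows. */
typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; } AclHeader;
typedef struct { uint8_t AceType, AceFlags; uint16_t AceSize; } AceHeader;
typedef struct { uint8_t type; uint32_t mask; char sid[64]; } ParsedAce;
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* Render the SID at p (n bytes available) as "S-1-5-..."; returns 0 if it is truncated or malformed. */
static size_t sid_to_string(const uint8_t *p, size_t n, char *out, size_t outlen) {
    if (n < 8 || p[0] != 1 || p[1] > 15 || 8 + 4u * p[1] > n) return 0;
    uint64_t auth = 0;                                   /* 48-bit identifier authority, big-endian */
    for (int i = 0; i < 6; i++) auth = (auth << 8) | p[2 + i];
    int w = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (uint8_t i = 0; i < p[1] && w > 0 && (size_t)w < outlen; i++)   /* sub-authorities: LE DWORDs */
        w += snprintf(out + w, outlen - w, "-%u", le32(p + 8 + 4u * i));
    return 8 + 4u * p[1];
}
/* Walk the ACEs of a self-relative ACL, checking AclSize and each AceSize against the buffer before
   trusting them. Only types 0/1/2 (allowed/denied/audit) are handled; object ACEs carry extra GUID
   fields and are rejected. Returns AceCount, or -1 on any inconsistency (ignore partial output). */
static int parse_acl(const uint8_t *buf, size_t buflen, ParsedAce *out, int max) {
    AclHeader acl;
    if (buflen < sizeof acl) return -1;
    memcpy(&acl, buf, sizeof acl);
    if ((acl.AclRevision != 2 && acl.AclRevision != 4) || acl.AclSize > buflen || acl.AceCount > max) return -1;
    size_t off = sizeof acl;
    for (int i = 0; i < acl.AceCount; i++) {
        AceHeader h;
        if (off + sizeof h > acl.AclSize) return -1;
        memcpy(&h, buf + off, sizeof h);
        if (h.AceType > 2 || h.AceSize < sizeof h + 4 + 8 || off + h.AceSize > acl.AclSize) return -1;
        const uint8_t *body = buf + off + sizeof h;
        out[i].type = h.AceType;
        out[i].mask = le32(body);                                    /* ACCESS_MASK */
        /* SidStart is the first DWORD of the SID; the SID occupies the rest of the ACE. */
        if (!sid_to_string(body + 4, h.AceSize - sizeof h - 4, out[i].sid, sizeof out[i].sid)) return -1;
        off += h.AceSize;                                            /* step by AceSize, never by sizeof */
    }
    return acl.AceCount;
}
/* Constructed sample DACL: allow FILE_ALL_ACCESS to S-1-5-32-544, then deny DELETE to S-1-1-0. */
static const uint8_t SAMPLE_ACL[] = {
    0x02, 0x00, 0x34, 0x00, 0x02, 0x00, 0x00, 0x00,                  /* ACL: rev 2, 52 bytes, 2 ACEs */
    0x00, 0x00, 0x18, 0x00, 0xFF, 0x01, 0x1F, 0x00,                  /* allowed ACE, 24 bytes, mask 0x001F01FF */
    0x01, 0x02, 0, 0, 0, 0, 0, 0x05, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0, /* SID S-1-5-32-544 */
    0x01, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00,                  /* denied ACE, 20 bytes, mask 0x00010000 */
    0x01, 0x01, 0, 0, 0, 0, 0, 0x01, 0, 0, 0, 0 };                   /* SID S-1-1-0 */
static ParsedAce g_aces[4];
int parse_sample(void) { return parse_acl(SAMPLE_ACL, sizeof SAMPLE_ACL, g_aces, 4); }
```

The two size checks are the ones that matter when an ACL arrives from an untrusted source, such as a security descriptor marshalled over the network: a forged AclSize or AceSize must never be allowed to move the cursor outside the buffer.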
TOKEN_USER Structure
While not directly an ACL structure, TOKEN_USER is often used in conjunction with ACLs as it contains the SID of a user present in an access token.
typedef struct _TOKEN_USER {
SID_AND_ATTRIBUTES User;
} TOKEN_USER;
Working with ACLs
Developers can interact with ACLs using various Win32 API functions, including:
GetSecurityInfo: Retrieves security descriptor information for an object.
SetSecurityInfo: Sets security descriptor information for an object.
AddAccessAllowedAce: Adds an access-allowed ACE to an ACL.
AddAccessDeniedAce: Adds an access-denied ACE to an ACL.
InitializeAcl: Initializes a new ACL structure.