SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread.

To access an object's SACL:
  1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege.
  2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.
  3. Get or set the object's SACL by using a function such as GetSecurityInfoEx or SetSecurityInfoEx.
  4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.
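
The four steps above as a PowerShell script using P/Invoke; this is an added example, not code from the original page. It assumes an elevated session, a hypothetical file path, hypothetical helper names (Demo.Sacl, TokPriv, SetSecurityPrivilege), and it calls GetSecurityInfo in place of the GetSecurityInfoEx function named in step 3.

```powershell
$Path = 'C:\Temp\audited.txt'   # hypothetical target; run from an elevated session
Add-Type -Namespace Demo -Name Sacl -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv { public uint Count; public long Luid; public uint Attr; }
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll")]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string host, string name, out long luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
    ref TokPriv state, uint len, IntPtr prev, IntPtr retLen);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFile(string name, uint access, uint share,
    IntPtr sa, uint disposition, uint flags, IntPtr template);
[DllImport("advapi32.dll")]
public static extern uint GetSecurityInfo(IntPtr h, int type, uint info,
    IntPtr owner, IntPtr group, IntPtr dacl, out IntPtr sacl, out IntPtr sd);
// Steps 1 and 4: enable or disable SE_SECURITY_NAME ("SeSecurityPrivilege").
public static bool SetSecurityPrivilege(bool enable) {
    IntPtr tok; TokPriv tp = new TokPriv(); tp.Count = 1; tp.Attr = enable ? 2u : 0u;
    if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) return false;
    // AdjustTokenPrivileges also returns true when the token lacks the privilege;
    // only the last error (ERROR_NOT_ALL_ASSIGNED) shows nothing was changed.
    bool ok = LookupPrivilegeValue(null, "SeSecurityPrivilege", out tp.Luid)
           && AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
           && Marshal.GetLastWin32Error() == 0;
    CloseHandle(tok); return ok;
}
'@
$h = $sacl = $sd = [IntPtr]::Zero
if (-not [Demo.Sacl]::SetSecurityPrivilege($true)) { throw 'SeSecurityPrivilege is not held' }
try {
    # Step 2: ACCESS_SYSTEM_SECURITY (0x01000000), share 7 = read|write|delete,
    # OPEN_EXISTING (3), FILE_FLAG_BACKUP_SEMANTICS so directories open too.
    $h = [Demo.Sacl]::CreateFile($Path, 0x01000000, 7, [IntPtr]::Zero, 3, 0x02000000, [IntPtr]::Zero)
    if ($h.ToInt64() -eq -1) { throw "Cannot open $Path with ACCESS_SYSTEM_SECURITY" }
    # Step 3: SE_FILE_OBJECT (1), SACL_SECURITY_INFORMATION (0x8).
    $rc = [Demo.Sacl]::GetSecurityInfo($h, 1, 8, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$sacl, [ref]$sd)
    if ($rc -ne 0) { throw "GetSecurityInfo failed with error $rc" }
    # ACL.AceCount is the 16-bit field at offset 4; a null SACL means no audit ACEs.
    $n = if ($sacl -eq [IntPtr]::Zero) { 0 } else { [Runtime.InteropServices.Marshal]::ReadInt16($sacl, 4) }
    "$Path has $n audit ACE(s) in its SACL"
} finally {
    if ($sd -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::FreeHGlobal($sd) }
    if ($h.ToInt64() -gt 0) { [void][Demo.Sacl]::CloseHandle($h) }
    [void][Demo.Sacl]::SetSecurityPrivilege($false)   # Step 4
}
```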

If you access a SACL by using the GetNamedSecurityInfoEx or SetNamedSecurityInfoEx function, you only need to enable the SE_SECURITY_NAME privilege; the function requests the access right internally.

The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a SACL. However, you can use this access right in a SACL to audit attempts to use the access right.

In the provider-independent access mask format, the ACTRL_SYSTEM_ACCESS access right is equivalent to ACCESS_SYSTEM_SECURITY.