Windows NT 4.0 ACL and ACE Functions

Windows NT versions 4.0 and later support a set of functions for creating an access-control list (ACL) or for modifying the access-control entries (ACEs) in an existing ACL. Applications designed for Windows NT version 5.0 and later should use the functions described in Modifying an Object's ACLs.

The SetEntriesInAcl function creates a new ACL. SetEntriesInAcl can specify a completely new set of ACEs for the ACL, or it can merge new ACEs with the ACEs of an existing ACL. SetEntriesInAcl uses an array of EXPLICIT_ACCESS structures to specify the information for the new ACEs. Each EXPLICIT_ACCESS structure contains information that describes a single ACE. This information includes the access rights, the type of ACE, the flags that control ACE inheritance, and a TRUSTEE structure that identifies the trustee.

    To add a new ACE to an existing ACL

1. Use the GetSecurityInfo or GetNamedSecurityInfo function to get the existing DACL or SACL from an object's security descriptor.
2. Use the BuildExplicitAccessWithName function to fill EXPLICIT_ACCESS structures with the information needed to describe each new ACE.
3. Call SetEntriesInAcl, specifying the existing ACL and the array of EXPLICIT_ACCESS structures. SetEntriesInAcl allocates and initializes the ACL and its ACEs.
4. Call the SetSecurityInfo or SetNamedSecurityInfo function to attach the new ACL to the object's security descriptor.

For an example that uses the Windows NT 4.0 functions to merge a new ACE into an existing ACL, see Using Windows NT 4.0 Access Control.

If the caller specifies an existing ACL, SetEntriesInAcl merges the new ACE information with the existing ACEs in the ACL. Consider the case, for example, in which the existing ACL grants access to a specified trustee and an EXPLICIT_ACCESS structure denies access to the same trustee. In this case, SetEntriesInAcl adds a new access-denied ACE for the trustee and deletes or modifies the existing access-allowed ACE for the trustee.