Absolute and Self-Relative Security Descriptors
A security descriptor can be in either absolute or self-relative format. In absolute format, a security descriptor contains pointers to its information, not the information itself. In self-relative format, a security descriptor stores a SECURITY_DESCRIPTOR structure and associated security information in a contiguous block of memory. You can use the MakeSelfRelativeSD and MakeAbsoluteSD functions for converting between these two formats.
The absolute format is useful when default settings for the owner, group, and discretionary ACL are available. In this case, you can simply call the InitializeSecurityDescriptor function to initialize a SECURITY_DESCRIPTOR structure and then assign pointers to preexisting components, such as SIDs and ACLs.
In self-relative format, a security descriptor always begins with a SECURITY_DESCRIPTOR structure, but the other components of the security descriptor can follow the structure in any order. Instead of using memory addresses, the security descriptor's components are identified by offsets from the beginning of the descriptor. This format is useful when a security descriptor must be stored on disk, transmitted by means of a communications protocol, or copied in memory.
All Win32 functions that return a security descriptor do so using the self-relative format. Security descriptors passed back to the operating system can be in either self-relative or absolute form, depending on the situation.
A server that copies secured objects to various media can use the MakeSelfRelativeSD function to create a self-relative security descriptor from an absolute security descriptor. The MakeAbsoluteSD function can create an absolute security descriptor from a self-relative security descriptor.
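Because the self-relative format locates its components by offsets, a descriptor read from disk or received over a protocol should have every offset bounds-checked before a component is dereferenced. The portable C below is an added example, not code from the original page; it assumes the little-endian 20-byte SECURITY_DESCRIPTOR_RELATIVE header from winnt.h (Revision, Sbz1, Control, then the Owner, Group, Sacl and Dacl offsets), and the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SE_DACL_PRESENT  0x0004u
#define SE_SACL_PRESENT  0x0010u
#define SE_SELF_RELATIVE 0x8000u
#define SD_HEADER_LEN    20u   /* Revision, Sbz1, Control, four 32-bit offsets */

/* Constructed sample: owner S-1-5-18 at offset 20, empty DACL at offset 32. */
static const uint8_t SAMPLE_SD[40] = {
    0x01, 0x00, 0x04, 0x80, 0x14, 0, 0, 0, 0, 0, 0, 0,  /* rev, ctl, owner, group */
    0, 0, 0, 0, 0x20, 0, 0, 0,                          /* sacl, dacl offsets     */
    0x01, 0x01, 0, 0, 0, 0, 0, 0x05, 0x12, 0, 0, 0,     /* SID S-1-5-18           */
    0x02, 0x00, 0x08, 0x00, 0, 0, 0, 0 };               /* ACL: AclSize 8, 0 ACEs */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* A SID is 8 fixed bytes plus 4 bytes per sub-authority (at most 15). */
static int sid_in_bounds(const uint8_t *sd, size_t len, uint32_t off) {
    if (off == 0) return 1;                       /* offset 0 means "absent" */
    if (off < SD_HEADER_LEN || off > len || len - off < 8) return 0;
    uint8_t count = sd[off + 1];
    return sd[off] == 1 && count <= 15 && len - off >= 8u + 4u * count;
}

/* An ACL has an 8-byte header; AclSize covers the header plus all ACEs. */
static int acl_in_bounds(const uint8_t *sd, size_t len, uint32_t off) {
    if (off == 0) return 1;                       /* present flag + 0 = NULL ACL */
    if (off < SD_HEADER_LEN || off > len || len - off < 8) return 0;
    uint16_t acl_size = rd16(sd + off + 2);
    return acl_size >= 8 && len - off >= acl_size;
}

/* Returns 1 if every component offset stays inside the buffer, else 0. */
int sd_self_relative_ok(const uint8_t *sd, size_t len) {
    if (sd == NULL || len < SD_HEADER_LEN || sd[0] != 1) return 0;
    uint16_t control = rd16(sd + 2);
    if (!(control & SE_SELF_RELATIVE)) return 0;  /* absolute form holds pointers */
    if (!sid_in_bounds(sd, len, rd32(sd + 4))) return 0;   /* owner */
    if (!sid_in_bounds(sd, len, rd32(sd + 8))) return 0;   /* group */
    if ((control & SE_SACL_PRESENT) && !acl_in_bounds(sd, len, rd32(sd + 12))) return 0;
    if ((control & SE_DACL_PRESENT) && !acl_in_bounds(sd, len, rd32(sd + 16))) return 0;
    return 1;
}

int main(void) { return sd_self_relative_ok(SAMPLE_SD, sizeof SAMPLE_SD) ? 0 : 1; }
```

The check covers component bounds only; it does not walk the ACEs inside each ACL.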