Windows NT version 4.0 provides a new group of high-level access control functions for working with access-control lists (ACLs) and security descriptors. These functions make it easier to create new ACLs or to modify existing ACLs.
The SetEntriesInAcl function creates a new ACL. SetEntriesInAcl can specify a completely new set of ACEs for the ACL, or it can merge new ACEs with the ACEs of an existing ACL. SetEntriesInAcl uses an array of EXPLICIT_ACCESS structures to specify the information for the new ACEs. Each EXPLICIT_ACCESS structure contains information that describes a single ACE. This information includes the access rights, the type of ACE, the flags that control ACE inheritance, and a TRUSTEE structure that identifies the trustee.
To add a new ACE to an existing ACL
1.Use the GetSecurityInfo or GetNamedSecurityInfo function to get the existing DACL or SACL from an object's security descriptor.
2.Use the BuildExplicitAccessWithName function to fill EXPLICIT_ACCESS structures with the information needed to describe each new ACE.
3.Call SetEntriesInAcl, specifying the existing ACL and the array of EXPLICIT_ACCESS structures. SetEntriesInAcl allocates and initializes the ACL and its ACEs.
4.Call the SetSecurityInfo or SetNamedSecurityInfo function to attach the new ACL to the object's security descriptor.
For an example that merges a new ACE into an existing ACL, see Allowing Access.
The SetEntriesInAcl function merges the new ACE information with the existing ACEs in the ACL. Consider the case, for example, in which the existing ACL grants access to a specified trustee and an EXPLICIT_ACCESS structure denies access to the same trustee. In this case, SetEntriesInAcl adds a new access-denied ACE for the trustee and deletes or modifies the existing access-allowed ACE for the trustee.
The SetEntriesInAcl function ensures that ACEs are in the correct order in the new ACL. The function positions all access-denied ACEs at the beginning of the ACL's list of ACEs, ahead of any access-allowed ACEs.
The high-level access-control functions use the TRUSTEE structure to identify a trustee. This structure enables you to use a name string or a SID to identify a trustee. If you use a name, the SetEntriesInAcl function performs the tasks of allocating the SID buffers and looking up the SID that corresponds to the account name. There are two helper functions, BuildTrusteeWithSid and BuildTrusteeWithName, that initialize a TRUSTEE structure with a specified SID or name. Three other helper functions, GetTrusteeForm, GetTrusteeName, and GetTrusteeType, retrieve the values of the various members of a TRUSTEE structure.