Low-Level Access Control Functions
You can use the following low-level functions to work with ACLs and ACEs. New Win32-based applications should use the high-level access-control functions for this purpose. For more information about the high-level functions, see Working With ACLs and ACEs.
To create an ACL using these low-level functions, allocate a buffer for the ACL and then initialize it by calling the InitializeAcl function. To add ACEs to the end of a DACL, use the AddAccessAllowedAce and AddAccessDeniedAce functions. The AddAuditAccessAce function adds an ACE to the end of a SACL. You can use the AddAce function to add one or more ACEs at a specified position in an ACL. The DeleteAce function removes an ACE from a specified position in an ACL. The GetAce function retrieves an ACE from a specified position in an ACL. The FindFirstFreeAce function retrieves a pointer to the first free byte in an ACL.
To modify an existing ACL in an object's security descriptor, use the GetSecurityDescriptorDacl or GetSecurityDescriptorSacl function to get the existing ACL. You can use the GetAce function to copy ACEs from the existing ACL. After allocating and initializing a new ACL, use functions such as AddAccessAllowedAce and AddAce to add ACEs to it. When you have finished building the new ACL, use the SetSecurityDescriptorDacl or SetSecurityDescriptorSacl function to add the new ACL to the object's security descriptor.