Low-level ACL and ACE Functions

To create an access control list (ACL) by using the low-level functions, allocate a buffer for the ACL and then initialize it by calling the InitializeAcl function. To add access control entries (ACEs) to the end of a discretionary access control list (DACL), use the AddAccessAllowedAce and AddAccessDeniedAce functions. The AddAuditAccessAce function adds an ACE to the end of a system access control list (SACL). You can use the AddAce function to add one or more ACEs at a specified position in an ACL. The AddAce function also allows you to add an inheritable ACE to an ACL. The DeleteAce function removes an ACE from a specified position in an ACL. The GetAce function retrieves an ACE from a specified position in an ACL. The FindFirstFreeAce function retrieves a pointer to the first free byte in an ACL.

To modify an existing ACL in an object's security descriptor, use the GetSecurityDescriptorDacl or GetSecurityDescriptorSacl function to get the existing ACL. You can use the GetAce function to copy ACEs from the existing ACL. After allocating and initializing a new ACL, use functions such as AddAccessAllowedAce and AddAce to add ACEs to it. When you have finished building the new ACL, use the SetSecurityDescriptorDacl or SetSecurityDescriptorSacl function to add the new ACL to the object's security descriptor.
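The build sequence described above (size the buffer, initialize it, append deny and allow ACEs, walk them by position), as an added example that is not part of this page or of Win32 itself: a portable C model of the ACL buffer layout that the low-level functions operate on, so it compiles without windows.h. The names initialize_acl, ace_at, get_ace, add_ace, is_canonical and build_demo_acl are hypothetical stand-ins for the Win32 functions, and the SIDs and access masks are constructed values.

```c
/* Added example, not Win32 code: a portable model of the ACL buffer that InitializeAcl, AddAccessAllowedAce,
 * AddAccessDeniedAce, FindFirstFreeAce and GetAce work on. Layouts follow the documented ACL and ACE_HEADER
 * shapes; the SID is a fixed-size stand-in, and the masks and SIDs below are constructed values. */
#include <stdint.h>
#include <string.h>
enum { ACL_REVISION = 2, ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1 };
typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; } AclHeader;
typedef struct { uint8_t AceType, AceFlags; uint16_t AceSize; } AceHeader;
typedef struct { uint8_t Revision, SubAuthorityCount, Authority[6]; uint32_t SubAuthority[2]; } Sid;
/* InitializeAcl analogue: the caller sizes the buffer up front; an ACL never grows after this. */
static int initialize_acl(uint8_t *buf, uint16_t size) {
    if (size < sizeof(AclHeader)) return 0;
    memset(buf, 0, size);
    *(AclHeader *)buf = (AclHeader){ ACL_REVISION, 0, size, 0, 0 };
    return 1;
}
static uint8_t *ace_at(uint8_t *buf, uint16_t n) {   /* ACEs are variable-length: hop AceSize bytes to slot n */
    uint8_t *p = buf + sizeof(AclHeader);
    for (uint16_t i = 0; i < n; i++) p += ((AceHeader *)p)->AceSize;
    return p;
}
static AceHeader *get_ace(uint8_t *buf, uint16_t index) {   /* GetAce analogue: NULL when out of range */
    return index < ((AclHeader *)buf)->AceCount ? (AceHeader *)ace_at(buf, index) : NULL;
}
/* AddAccessAllowedAce/AddAccessDeniedAce analogue: append header, access mask, SID; fail when full. */
static int add_ace(uint8_t *buf, uint8_t type, uint32_t mask, const Sid *sid) {
    uint16_t need = (uint16_t)(sizeof(AceHeader) + sizeof mask + sizeof *sid);
    uint8_t *p = ace_at(buf, ((AclHeader *)buf)->AceCount);        /* FindFirstFreeAce analogue */
    if ((size_t)(p - buf) + need > ((AclHeader *)buf)->AclSize) return 0;   /* buffer full: the add fails */
    *(AceHeader *)p = (AceHeader){ type, 0, need };
    memcpy(p + sizeof(AceHeader), &mask, sizeof mask);
    memcpy(p + sizeof(AceHeader) + sizeof mask, sid, sizeof *sid);
    ((AclHeader *)buf)->AceCount++;
    return 1;
}
/* Canonical DACL order: every deny ACE before any allow ACE, so no deny is shadowed by an earlier allow. */
static int is_canonical(uint8_t *buf) {
    for (uint16_t i = 0, seen_allow = 0; ; i++) {
        AceHeader *a = get_ace(buf, i);
        if (!a) return 1;
        if (a->AceType == ACCESS_ALLOWED_ACE_TYPE) seen_allow = 1;
        else if (a->AceType == ACCESS_DENIED_ACE_TYPE && seen_allow) return 0;
    }
}
/* The page's build sequence in a buffer sized for exactly two ACEs; returns how many adds succeeded. */
static uint8_t g_acl[sizeof(AclHeader) + 2 * (sizeof(AceHeader) + sizeof(uint32_t) + sizeof(Sid))];
static int build_demo_acl(void) {
    Sid user = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 545} }, admins = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 544} };
    if (!initialize_acl(g_acl, sizeof g_acl)) return -1;
    int n = add_ace(g_acl, ACCESS_DENIED_ACE_TYPE, 0x00010000u, &user);     /* deny first */
    n += add_ace(g_acl, ACCESS_ALLOWED_ACE_TYPE, 0x001F01FFu, &admins);
    return n + add_ace(g_acl, ACCESS_ALLOWED_ACE_TYPE, 0x00120089u, &user); /* no room left: adds 0 */
}
```

The third add fails because the buffer was sized for two ACEs, which is why the real functions require you to compute the ACL size before calling InitializeAcl.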

You can use the AddAccessAllowedObjectAce, AddAccessDeniedObjectAce, or AddAuditAccessObjectAce functions to add object-specific ACEs to the end of an ACL.