Share via

Inheritance Flags

  • Article

The header for an ACE contains a set of inheritance flags that control how the ACE is inherited and how the ACE affects a child object that inherits it. Table 12.11 lists the inheritance flags.

Table   12.11 Inheritance Flags

Flag

Meaning

INHERITED_ACE

Windows   2000 : The ACE was inherited from a parent object's DACL or SACL.
This flag is not set in an explicit ACE—an ACE defined directly on the object.

INHERIT_ONLY_ACE

Indicates that this is an inherit-only ACE. The ACE is ignored during an access check but can be propagated to child objects.
If this flag is not set, the ACE is an effective ACE—an ACE that is processed during an access check.
Both effective and inherit-only ACEs can be inherited. Whether an ACE is inherited depends on the state of the flags for OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE.

CONTAINER_INHERIT_ACE

Container objects inherit this ACE as an effective ACE. When the ACE is inherited by a container object, the operating system clears the flag for INHERIT_ONLY_ACE.

OBJECT_INHERIT_ACE

Non-container objects inherit this ACE as an effective ACE. When the ACE is inherited by a non-container object, the operating system clears the flag for INHERIT_ONLY_ACE.
Container objects also inherit this ACE but only for the purpose of inheritance. When the ACE is inherited by a container object, the operating system sets the flag for INHERIT_ONLY_ACE.

NO_PROPAGATE_INHERIT_ACE

If a child object inherits an ACE where this flag is set, the operating system clears the flags for OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE. This prevents the ACE from being inherited by subsequent generations of objects.