Low-level Security Descriptor Creation
Low-level access control provides a set of functions for creating a security descriptor and getting and setting the components of a security descriptor. The low-level functions for initializing and setting the components of a security descriptor work only with absolute-format security descriptors. The low-level functions for getting the components of a security descriptor work with both absolute and self-relative security descriptors.
The InitializeSecurityDescriptor function initializes a SECURITY_DESCRIPTOR buffer. The initialized security descriptor is in absolute format and has no owner, primary group, discretionary access control list (DACL), or system access control list (SACL). You can use the following low-level functions to get or set specific components of a specified security descriptor.
Function | Description |
---|---|
GetSecurityDescriptorControl | Retrieves revision and control information from a security descriptor. |
GetSecurityDescriptorDacl | Retrieves the DACL from a security descriptor. |
GetSecurityDescriptorGroup | Retrieves the primary group security identifier (SID) from a security descriptor. |
GetSecurityDescriptorLength | Returns the length of a security descriptor. |
GetSecurityDescriptorOwner | Retrieves the owner SID from a security descriptor. |
GetSecurityDescriptorSacl | Retrieves the SACL from a security descriptor. |
SetSecurityDescriptorDacl | Puts a DACL into a security descriptor, superseding any existing DACL. |
SetSecurityDescriptorGroup | Sets the primary group SID of a security descriptor. |
SetSecurityDescriptorOwner | Sets the owner SID of a security descriptor. |
SetSecurityDescriptorSacl | Puts a SACL into a security descriptor, superseding any existing SACL. |
To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor function.
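The following added example is not part of the original documentation and is not Windows code. It reads the header of a self-relative security descriptor in portable C to show what the retrieval functions report and what a basic structural check looks for. The names sd_header, sd_parse, sd_dacl_state, and rd_le are hypothetical, the byte arrays are constructed samples, and the check is far simpler than IsValidSecurityDescriptor.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in winnt.h; layout is SECURITY_DESCRIPTOR_RELATIVE. */
#define SE_DACL_PRESENT  0x0004
#define SE_SELF_RELATIVE 0x8000
#define SD_REVISION      1
#define SD_HEADER_LEN    20  /* Revision, Sbz1, Control, four 32-bit offsets */

/* Offsets are measured from the start of the buffer; 0 means the component is absent. */
typedef struct { uint8_t revision; uint16_t control; uint32_t owner, group, sacl, dacl; } sd_header;

static uint32_t rd_le(const uint8_t *p, int n) {  /* little-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Simplified structural check: hypothetical helper, not the Windows implementation. */
int sd_parse(const uint8_t *buf, size_t len, sd_header *out) {
    if (len < SD_HEADER_LEN) return -1;                 /* truncated header */
    out->revision = buf[0];
    out->control  = (uint16_t)rd_le(buf + 2, 2);
    out->owner = rd_le(buf + 4, 4);  out->group = rd_le(buf + 8, 4);
    out->sacl  = rd_le(buf + 12, 4); out->dacl  = rd_le(buf + 16, 4);
    if (out->revision != SD_REVISION) return -2;        /* unknown revision */
    if (!(out->control & SE_SELF_RELATIVE)) return -3;  /* absolute format stores pointers */
    const uint32_t off[4] = { out->owner, out->group, out->sacl, out->dacl };
    for (int i = 0; i < 4; i++)                         /* offsets must land inside the buffer */
        if (off[i] != 0 && (off[i] < SD_HEADER_LEN || off[i] >= len)) return -4;
    return 0;
}

/* 0 = SE_DACL_PRESENT clear, 1 = flag set but no ACL (NULL DACL), 2 = ACL at an offset */
int sd_dacl_state(const sd_header *h) {
    return !(h->control & SE_DACL_PRESENT) ? 0 : (h->dacl == 0 ? 1 : 2);
}

/* Constructed samples: empty descriptor, NULL DACL, DACL offset past the buffer. */
const uint8_t SD_EMPTY[20]     = { 1, 0, 0x00, 0x80 };
const uint8_t SD_NULL_DACL[20] = { 1, 0, 0x04, 0x80 };
const uint8_t SD_BAD_DACL[20]  = { 1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x40 };

int main(void) {
    sd_header h;
    int rc = sd_parse(SD_NULL_DACL, sizeof SD_NULL_DACL, &h);
    printf("rc=%d control=0x%04x dacl_state=%d\n", rc, h.control, sd_dacl_state(&h));
    return 0;
}
```

States 0 and 1 both describe a descriptor that places no access restrictions on an object it is assigned to, so a descriptor fresh from initialization needs a DACL set before use.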