Interface ACE
-
- All Known Implementing Classes:
ACE
public interface ACE
An Access Control Entry (ACE) is an element in a security descriptor such as those associated with files and directories. The Windows OS determines which users have the necessary permissions to access objects based on these entries.To fully understand the information exposed by this class a description of the access check algorithm used by Windows is required. The following is a basic description of the algorithm. For a more complete description we recommend reading the section on Access Control in Keith Brown's "The .NET Developer's Guide to Windows Security" (which is also available online).
Direct ACEs are evaluated first in order. The SID of the user performing the operation and the desired access bits are compared to the SID and access mask of each ACE. If the SID matches, the allow/deny flags and access mask are considered. If the ACE is a "deny" ACE and any of the desired access bits match bits in the access mask of the ACE, the whole access check fails. If the ACE is an "allow" ACE and all of the bits in the desired access bits match bits in the access mask of the ACE, the access check is successful. Otherwise, more ACEs are evaluated until all desired access bits (combined) are "allowed". If all of the desired access bits are not "allowed" the then same process is repeated for inherited ACEs.
For example, if user WNET\alice tries to open a file with desired access bits 0x00000003 (FILE_READ_DATA | FILE_WRITE_DATA) and the target file has the following security descriptor ACEs:
Allow WNET\alice 0x001200A9 Direct Allow Administrators 0x001F01FF Inherited Allow SYSTEM 0x001F01FF Inherited
the access check would fail because the direct ACE has an access mask of 0x001200A9 which doesn't have the FILE_WRITE_DATA bit on (bit 0x00000002). Actually, this isn't quite correct. If WNET\alice is in the local Administrators group the access check will succeed because the inherited ACE allows local Administrators both FILE_READ_DATA and FILE_WRITE_DATA access.
-
-
Field Summary
Fields Modifier and Type Field Description static int
DELETE
static int
FILE_APPEND_DATA
static int
FILE_DELETE
static int
FILE_EXECUTE
static int
FILE_READ_ATTRIBUTES
static int
FILE_READ_DATA
static int
FILE_READ_EA
static int
FILE_WRITE_ATTRIBUTES
static int
FILE_WRITE_DATA
static int
FILE_WRITE_EA
static int
FLAGS_CONTAINER_INHERIT
static int
FLAGS_INHERIT_ONLY
static int
FLAGS_INHERITED
static int
FLAGS_NO_PROPAGATE
static int
FLAGS_OBJECT_INHERIT
static int
GENERIC_ALL
static int
GENERIC_EXECUTE
static int
GENERIC_READ
static int
GENERIC_WRITE
static int
READ_CONTROL
static int
SYNCHRONIZE
static int
WRITE_DAC
static int
WRITE_OWNER
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description int
getAccessMask()
Returns the access mask associated with this ACE.String
getApplyToText()
Returns the 'Apply To' text for inheritance of ACEs on directories such as 'This folder, subfolder and files'.int
getFlags()
Returns the flags for this ACE.SID
getSID()
Return the SID associated with this ACE.boolean
isAllow()
Returns true if this ACE is an allow ACE and false if it is a deny ACE.boolean
isInherited()
Returns true if this ACE is an inherited ACE and false if it is a direct ACE.
-
-
-
Field Detail
-
FILE_READ_DATA
static final int FILE_READ_DATA
- See Also:
- Constant Field Values
-
FILE_WRITE_DATA
static final int FILE_WRITE_DATA
- See Also:
- Constant Field Values
-
FILE_APPEND_DATA
static final int FILE_APPEND_DATA
- See Also:
- Constant Field Values
-
FILE_READ_EA
static final int FILE_READ_EA
- See Also:
- Constant Field Values
-
FILE_WRITE_EA
static final int FILE_WRITE_EA
- See Also:
- Constant Field Values
-
FILE_EXECUTE
static final int FILE_EXECUTE
- See Also:
- Constant Field Values
-
FILE_DELETE
static final int FILE_DELETE
- See Also:
- Constant Field Values
-
FILE_READ_ATTRIBUTES
static final int FILE_READ_ATTRIBUTES
- See Also:
- Constant Field Values
-
FILE_WRITE_ATTRIBUTES
static final int FILE_WRITE_ATTRIBUTES
- See Also:
- Constant Field Values
-
DELETE
static final int DELETE
- See Also:
- Constant Field Values
-
READ_CONTROL
static final int READ_CONTROL
- See Also:
- Constant Field Values
-
WRITE_DAC
static final int WRITE_DAC
- See Also:
- Constant Field Values
-
WRITE_OWNER
static final int WRITE_OWNER
- See Also:
- Constant Field Values
-
SYNCHRONIZE
static final int SYNCHRONIZE
- See Also:
- Constant Field Values
-
GENERIC_ALL
static final int GENERIC_ALL
- See Also:
- Constant Field Values
-
GENERIC_EXECUTE
static final int GENERIC_EXECUTE
- See Also:
- Constant Field Values
-
GENERIC_WRITE
static final int GENERIC_WRITE
- See Also:
- Constant Field Values
-
GENERIC_READ
static final int GENERIC_READ
- See Also:
- Constant Field Values
-
FLAGS_OBJECT_INHERIT
static final int FLAGS_OBJECT_INHERIT
- See Also:
- Constant Field Values
-
FLAGS_CONTAINER_INHERIT
static final int FLAGS_CONTAINER_INHERIT
- See Also:
- Constant Field Values
-
FLAGS_NO_PROPAGATE
static final int FLAGS_NO_PROPAGATE
- See Also:
- Constant Field Values
-
FLAGS_INHERIT_ONLY
static final int FLAGS_INHERIT_ONLY
- See Also:
- Constant Field Values
-
FLAGS_INHERITED
static final int FLAGS_INHERITED
- See Also:
- Constant Field Values
-
-
Method Detail
-
getSID
SID getSID()
Return the SID associated with this ACE.- Returns:
- ACE target SID
-
getAccessMask
int getAccessMask()
Returns the access mask associated with this ACE. Use the constants for FILE_READ_DATA, FILE_WRITE_DATA, READ_CONTROL, GENERIC_ALL, etc with bitwise operators to determine which bits of the mask are on or off.- Returns:
- the access mask
-
getApplyToText
String getApplyToText()
Returns the 'Apply To' text for inheritance of ACEs on directories such as 'This folder, subfolder and files'. For files the text is always 'This object only'.- Returns:
- descriptive text for the ACE scope
-
getFlags
int getFlags()
Returns the flags for this ACE. The isInherited() method checks the FLAGS_INHERITED bit in these flags.- Returns:
- the ACE flags
-
isInherited
boolean isInherited()
Returns true if this ACE is an inherited ACE and false if it is a direct ACE.Note: For reasons not fully understood, FLAGS_INHERITED may not be set within all security descriptors even though the ACE was in face inherited. If an inherited ACE is added to a parent the Windows ACL editor will rebuild all children ACEs and set this flag accordingly.
- Returns:
- whether this is an inherited ACE
-
isAllow
boolean isAllow()
Returns true if this ACE is an allow ACE and false if it is a deny ACE.- Returns:
- whether this in an allow ACE
-
-