JWSCL Documentation
TJwSecurityDescriptor Class
Pascal
TJwSecurityDescriptor = class;

TJwSecurityDescriptor holds the information of a security descriptor (owner, primary group, DACL, SACL and control flags) as Delphi objects. It does not keep a pointer to a Windows SECURITY_DESCRIPTOR structure; a native structure is created on demand from the instance's properties (see Create_SD and Create_SA) and must be released again with the matching Free_SD or Free_SA.

 
The following tables list the members exposed by TJwSecurityDescriptor.

Constructors and destructor

Create
This is the overview for the Create constructor overload.

CreateDefaultByToken
CreateDefaultByToken creates a default security descriptor. It contains the same elements that a securable object (for example a mutex) receives when it is created without an explicit SD.

CreatePrivateObjectSecurity
CreatePrivateObjectSecurity combines a parent and a creator security descriptor into a new security descriptor. For detailed information see MSDN http://msdn2.microsoft.com/en-us/library/aa446581.aspx

Destroy
Destroy destroys the instance and, depending on the Own* flags, its properties:
  • Owner is freed if OwnOwner is true.
  • PrimaryGroup is freed if OwnPrimaryGroup is true.
  • DACL is always freed; its ACEs are freed if the list's OwnObjects flag is true.
  • AuditACL/SACL is always freed; its ACEs are freed if that list's OwnObjects flag is true.
 
Name 
Events
The events of the TJwSecurityDescriptor class are listed here.

OnHashCodeMethod
OnHashCodeMethod sets or gets the stream hash function used by SaveToStream and LoadFromStream to generate a hash value. If the property is nil, SaveToStream writes 0 as the hash code and LoadFromStream ignores any hash value it reads.
 
Methods
The methods of the TJwSecurityDescriptor class are listed here.

Assign
Assign copies all properties from another SD. Owner and PrimaryGroup are copied into new instances (if they are not nil). DACL and AuditACL are cleared and refilled with the ACEs of the corresponding lists of aObject; every ACE of the DACL and SACL is copied into a new instance. The DACL may also end up nil if the source DACL is a NULL DACL (which allows everyone access).
 
 
Create_SA
Create_SA allocates a SECURITY_ATTRIBUTES structure and initialises its lpSecurityDescriptor member with a security descriptor built from this instance. The SA structure must be freed with Free_SA, which also frees the internal SD structure.
This method uses GetMem.
You can set Control or RMControl to modify the resulting control value of the security descriptor block. SE_DACL_PRESENT and SE_SACL_PRESENT are maintained automatically: SE_SACL_PRESENT is set if the property SACL/AuditACL is not nil, and the DACL bit follows the rules described under DACLPresent. SE_SELF_RELATIVE is set if parameter bRelative is true.
 
 
Create_SA2
Create_SA2 does the same as Create_SA, but uses the property InheritHandles to initialise the bInheritHandle member of the result.
See Create_SA for more information.
 
Create_SAEx
Create_SAEx returns the SECURITY_ATTRIBUTES structure by value (on the stack); only the internal security descriptor is allocated on the heap.
The SA structure must be freed with Free_SAEx, which frees the internal SD structure.
You can set Control or RMControl to modify the resulting control value of the security descriptor block. SE_DACL_PRESENT and SE_SACL_PRESENT are maintained automatically: SE_SACL_PRESENT is set if the property SACL/AuditACL is not nil, and the DACL bit follows the rules described under DACLPresent. SE_SELF_RELATIVE is set if parameter bRelative is true.
 
 
Create_SAEx2
Create_SAEx2 does the same as Create_SAEx, but uses the property InheritHandles to initialise the bInheritHandle member of the result.
See Create_SAEx for more information.
 
This is the overview for the Create_SD method overload. 
 
Free_SA
Free_SA frees a security attributes structure created by Create_SA.
This method uses FreeMem, so do not call it on a SECURITY_ATTRIBUTES structure that was allocated with LocalAlloc, GlobalAlloc or another incompatible allocator.
 
 
Free_SAEx
Free_SAEx frees a security attributes structure created by Create_SAEx.
This method uses FreeMem, so do not call it on a SECURITY_ATTRIBUTES structure that was allocated with LocalAlloc, GlobalAlloc or another incompatible allocator.
 
 
Free_SD
Free_SD frees a security descriptor that was allocated by Create_SD; do not pass it anything else. Free_SD uses FreeMem and TJwSecurityAccessControlList.Free_PACL to release the memory. For unknown reasons some WinAPI calls fail if the memory handed to them was allocated with GetMem.
Free_SD does not raise an exception of its own. Invalid pointers can still cause access violations, so do not edit the memory block manually or free its sub structures (owner, DACL, ...) separately.
 
 
This is GetPrivateObjectSecurity, a member of class TJwSecurityDescriptor. 
 
This is the overview for the GetSecurityDescriptorString method overload. 
 
This is GetTextMap, a member of class TJwSecurityDescriptor. 
 
hashCode
hashCode creates a value out of a buffer of a given size. This pseudo hash function is not intended for production use and should be replaced by a custom method assigned to the property OnHashCodeMethod.
 
This is IsEqual, a member of class TJwSecurityDescriptor. 
 
LoadFromStream
LoadFromStream loads a security descriptor from a stream.
The stream position must be at the first byte of the magic header (see SaveToStream). The hash is verified only if all of the following hold: Assigned(OnHashCodeMethod), ReadHash > 0 and CalculatedHash > 0. If they hold and the read hash differs from the calculated one, EJwsclStreamHashException is raised. A stream whose stored hash is 0 (written while OnHashCodeMethod was nil) is therefore loaded without any check, even if a hash method is assigned at load time. The hash guards against stream position errors and accidental corruption only; anyone who can write the stream can also recompute the hash, so it is not a protection against tampering.
raises EJwsclStreamHashException if the hash is not valid. raises EJwsclInvalidSecurityDescriptor if... more
 
ReplaceDescriptorElements
ReplaceDescriptorElements replaces the security descriptor elements selected by SecurityInformationSet with those of SecurityDescriptor.
 
This is ReplaceOwner, a member of class TJwSecurityDescriptor. 
 
SaveToStream
SaveToStream writes a self-relative security descriptor into a stream. The method prefixes it with a magic header so that LoadFromStream can detect position errors in the stream. Layout (byte positions counted from 1):
  • Bytes | Value
  • 1..5 (5) | SD_MAGIC_HEADER (byte array)
  • 6..9 (4) | SD size (Cardinal)
  • 10..17 (8) | hash value (Int64)
  • 18..18 (1) | hash value in use (byte): 255 means true, any other value false. Bytes 1..18 together make up SD_HEADER_SIZE.
  • 19..18+size | security descriptor data
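The envelope above, written and read back under the documented LoadFromStream hash rule, as an added example in Python; it is not JWSCL code and not part of this page. Assumptions: the byte values of SD_MAGIC_HEADER are not given on this page, so a placeholder is used; the hash function stands in for a custom OnHashCodeMethod (JWSCL's own hashCode is not reproduced); integers are little-endian as on Windows; the sample security descriptor bytes are constructed for the example.

```python
import struct

# Assumption: the page does not give the byte values of SD_MAGIC_HEADER, so a
# five-byte placeholder is used. Layout from the table above: 5 magic bytes,
# 4-byte size (Cardinal), 8-byte hash (Int64), 1 "hash in use" byte (255 = true).
SD_MAGIC_HEADER = b"JWSD\x01"
_HEADER = struct.Struct("<5sIqB")
SD_HEADER_SIZE = _HEADER.size  # 18, as in the table


class StreamHashError(ValueError):
    """Stands in for EJwsclStreamHashException."""


class InvalidStreamError(ValueError):
    """Stands in for the magic-header / size errors LoadFromStream raises."""


def fnv1a_hash(data: bytes) -> int:
    """Placeholder for a custom OnHashCodeMethod (assumption: not JWSCL's hashCode).
    Masked to 63 bits so the result is a positive Int64."""
    h = 0xCBF29CE484222325
    for b in data:
        h = ((h ^ b) * 0x100000001B3) & 0xFFFFFFFFFFFFFFFF
    return h & 0x7FFFFFFFFFFFFFFF


def save_to_stream(sd_data: bytes, hash_func=None) -> bytes:
    """Mirror of SaveToStream: with no hash method set, the hash field is 0
    and the in-use byte is not 255."""
    if hash_func is None:
        hash_value, in_use = 0, 0
    else:
        hash_value, in_use = hash_func(sd_data), 255
    return _HEADER.pack(SD_MAGIC_HEADER, len(sd_data), hash_value, in_use) + sd_data


def load_from_stream(blob: bytes, hash_func=None) -> bytes:
    """Mirror of LoadFromStream. The hash is compared only when
    Assigned(OnHashCodeMethod) and ReadHash > 0 and CalculatedHash > 0."""
    if len(blob) < SD_HEADER_SIZE:
        raise InvalidStreamError("stream shorter than the SD header")
    magic, size, read_hash, _in_use = _HEADER.unpack_from(blob, 0)
    if magic != SD_MAGIC_HEADER:
        raise InvalidStreamError("magic header mismatch: wrong stream position or not an SD stream")
    sd_data = blob[SD_HEADER_SIZE:SD_HEADER_SIZE + size]
    if len(sd_data) != size:
        raise InvalidStreamError("security descriptor data is truncated")
    if hash_func is not None and read_hash > 0:
        calculated = hash_func(sd_data)
        if calculated > 0 and calculated != read_hash:
            raise StreamHashError(f"stored hash {read_hash:#x} != calculated {calculated:#x}")
    return sd_data


def hash_check_outcome(blob: bytes, hash_func) -> str:
    """Classify how a loader with hash_func assigned treats a blob."""
    try:
        load_from_stream(blob, hash_func)
    except StreamHashError:
        return "rejected"
    except InvalidStreamError:
        return "invalid"
    return "ok"


def flip_last_byte(blob: bytes) -> bytes:
    """Simulate a one-bit change in the last byte of the SD data."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


# Constructed sample: a minimal self-relative SD header (Revision 1,
# Control = SE_DACL_PRESENT | SE_SELF_RELATIVE, all offsets 0, i.e. a NULL DACL).
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 0)

if __name__ == "__main__":
    hashed = save_to_stream(SAMPLE_SD, fnv1a_hash)
    unhashed = save_to_stream(SAMPLE_SD)          # saved with OnHashCodeMethod = nil
    print("intact, hashed:      ", hash_check_outcome(hashed, fnv1a_hash))
    print("tampered, hashed:    ", hash_check_outcome(flip_last_byte(hashed), fnv1a_hash))
    print("tampered, hash is 0: ", hash_check_outcome(flip_last_byte(unhashed), fnv1a_hash))
```

The third case is the practical caveat: a stream saved while OnHashCodeMethod was nil carries a hash of 0, so the loader accepts it unchecked even though a hash method is assigned at load time. Under the documented rule the hash only catches position errors and accidental corruption; it is not an integrity control against a writer who can recompute it.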
 
 
SetPrivateObjectSecurity
SetPrivateObjectSecurity applies the elements selected by SecurityInformation from a modification security descriptor to a private object's security descriptor; it wraps the WinAPI function of the same name. For detailed information see MSDN http://msdn2.microsoft.com/en-us/library/aa379581.aspx
If parameter Token is not nil and SecurityInformation contains siSaclSecurityInformation, the SE_SECURITY_NAME privilege (SeSecurityPrivilege) must be enabled explicitly in that token beforehand.
 
 
Properties
The properties of the TJwSecurityDescriptor class are listed here.

AuditACL
AuditACL gets or sets the auditing access control list (SACL). The getter returns the internal list, so do not call Free on it. Setting the property copies the given SACL into a new internal list, so the original list is not touched.
 
Indicates the source of the SACL (SE_SACL_DEFAULTED). If TRUE, the SACL was retrieved by some default mechanism; if FALSE, it was specified explicitly by a user. Create_SD stores the value as the SE_SACL_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL value; if it is not set, SE_SACL_DEFAULTED is cleared.
(source: http://msdn2.microsoft.com/en-us/library/aa379587.aspx)
The Control flag is only updated in a newly created SD allocated by Create_SD.
 
Control
Control holds the security descriptor control flags as used internally. Do not write to it.
 
DACL
DACL sets or gets the discretionary access control list. The read value is the internal DACL, so do not free it directly; set the property to nil instead. On write, the given DACL is copied into a new instance (using Assign) if the property OwnDACL is true; otherwise the given instance is used directly (plain assignment), see OwnDACL.
If the write value is nil, the internal list is freed and set to nil.
The following code releases an old DACL and copies an existing one into the SD. At the end there are two DACL instances that will contain the... more
 
DACLGenericRemoved
DACLGenericRemoved is used by TJwSecureFileObject.GetFileInheritanceSourc to decide whether the DACL's access masks have been mapped from generic to specific rights.
 
Indicates the source of the DACL (SE_DACL_DEFAULTED). If TRUE, the DACL was retrieved by some default mechanism; if FALSE, it was specified explicitly by a user. Create_SD stores the value as the SE_DACL_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL value; if it is not set, SE_DACL_DEFAULTED is cleared. (source: http://msdn2.microsoft.com/en-us/library/aa379583.aspx)
The Control flag is only updated in a newly created SD allocated by Create_SD.
 
DACLPresent
DACLPresent determines whether the property DACL is to be considered when its value is nil. A nil DACL is treated as "allow everybody". If DACLPresent is true and DACL is nil when Create_SD or one of the Create_SA functions is called, the newly created WinAPI security descriptor has a NULL DACL (SE_DACL_PRESENT set, no ACL) and therefore grants everyone access; otherwise the SD has no DACL at all (SE_DACL_PRESENT clear).
A NULL DACL is equivalent to a DACL with a single access entry that grants GENERIC_ALL to the World SID. Do not confuse it with an empty DACL (present, but without any ACE): an empty DACL grants access to nobody.
This property is automatically set to true if a DACL was set to... more
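How the DACL states described above (absent, NULL, empty, explicit World GENERIC_ALL) are encoded in a self-relative SECURITY_DESCRIPTOR, as an added example in Python that builds and classifies such descriptors. It is not JWSCL code and not part of this page: the control bits and structure layouts are the Windows ones from winnt.h, the S-1-1-0 SID and all descriptors are constructed inline, and the extra_control parameter stands in for flags such as SE_DACL_DEFAULTED that the Inherited properties feed into Control via Create_SD.

```python
import struct

# SECURITY_DESCRIPTOR_CONTROL bits from winnt.h. SE_SELF_RELATIVE is what the
# bRelative parameter of Create_SD / Create_SA turns on.
SE_OWNER_DEFAULTED = 0x0001
SE_GROUP_DEFAULTED = 0x0002
SE_DACL_PRESENT = 0x0004
SE_DACL_DEFAULTED = 0x0008
SE_SACL_PRESENT = 0x0010
SE_SACL_DEFAULTED = 0x0020
SE_DACL_PROTECTED = 0x1000
SE_SACL_PROTECTED = 0x2000
SE_SELF_RELATIVE = 0x8000

GENERIC_ALL = 0x10000000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2

SD_HEADER = struct.Struct("<BBHIIII")  # Revision, Sbz1, Control, Owner/Group/Sacl/Dacl offsets
ACL_HEADER = struct.Struct("<BBHHH")   # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = struct.Struct("<BBHI")    # AceType, AceFlags, AceSize, Mask; the SID follows
WORLD_SID = bytes([1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0])  # S-1-1-0 (Everyone), constructed


def build_acl(aces) -> bytes:
    """Self-relative ACL of ACCESS_ALLOWED ACEs from (sid_bytes, access_mask) pairs."""
    body = b"".join(
        ACE_HEADER.pack(ACCESS_ALLOWED_ACE_TYPE, 0, ACE_HEADER.size + len(sid), mask) + sid
        for sid, mask in aces
    )
    return ACL_HEADER.pack(ACL_REVISION, 0, ACL_HEADER.size + len(body), len(aces), 0) + body


def build_self_relative_sd(dacl_present: bool, dacl_aces=None, extra_control: int = 0) -> bytes:
    """The DACLPresent / DACL combinations from this page, as Create_SD would emit them:
    dacl_aces=None, dacl_present=True  -> SE_DACL_PRESENT set, OffsetDacl=0  (NULL DACL)
    dacl_aces=None, dacl_present=False -> SE_DACL_PRESENT clear             (no DACL at all)
    dacl_aces=[]                       -> present, zero ACEs                (empty DACL)
    dacl_aces=[(sid, mask), ...]       -> present, populated"""
    control = SE_SELF_RELATIVE | extra_control
    body, offset_dacl = b"", 0
    if dacl_present or dacl_aces is not None:
        control |= SE_DACL_PRESENT
    if dacl_aces is not None:
        offset_dacl = SD_HEADER.size  # the ACL directly follows the 20-byte header
        body = build_acl(dacl_aces)
    return SD_HEADER.pack(1, 0, control, 0, 0, 0, offset_dacl) + body


def iter_aces(sd: bytes, acl_offset: int):
    """Yield (ace_type, mask, sid_bytes) for every ACE of the ACL at acl_offset."""
    _, _, _, ace_count, _ = ACL_HEADER.unpack_from(sd, acl_offset)
    pos = acl_offset + ACL_HEADER.size
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = ACE_HEADER.unpack_from(sd, pos)
        yield ace_type, mask, sd[pos + ACE_HEADER.size:pos + ace_size]
        pos += ace_size


def control_flags(sd: bytes) -> int:
    """The Control word of a self-relative SD."""
    return SD_HEADER.unpack_from(sd, 0)[2]


def classify_dacl(sd: bytes) -> str:
    """Effective meaning of the DACL; this is where NULL and empty get confused."""
    control = control_flags(sd)
    offset_dacl = SD_HEADER.unpack_from(sd, 0)[6]
    if not (control & SE_DACL_PRESENT):
        return "absent"      # a new object would receive the creator token's default DACL
    if offset_dacl == 0:
        return "null"        # everyone gets full access
    aces = list(iter_aces(sd, offset_dacl))
    if not aces:
        return "empty"       # present but without entries: access is denied to everyone
    if any(t == ACCESS_ALLOWED_ACE_TYPE and sid == WORLD_SID and (mask & GENERIC_ALL) == GENERIC_ALL
           for t, mask, sid in aces):
        return "world-full"  # the explicit equivalent of a NULL DACL named on this page
    return "restricted"


if __name__ == "__main__":
    for label, sd in [
        ("DACLPresent=True,  DACL=nil ", build_self_relative_sd(True)),
        ("DACLPresent=False, DACL=nil ", build_self_relative_sd(False)),
        ("DACL with no ACEs           ", build_self_relative_sd(True, [])),
        ("DACL: World GENERIC_ALL     ", build_self_relative_sd(True, [(WORLD_SID, GENERIC_ALL)])),
    ]:
        print(f"{label} control={control_flags(sd):#06x} -> {classify_dacl(sd)}")
```

The case worth remembering is the empty one: SE_DACL_PRESENT with a zero-ACE ACL denies access to everyone, the exact opposite of the NULL DACL that DACLPresent = true and DACL = nil produces, although both look like "no entries" from the JWSCL side.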
 
InheritanceDACLProtection
InheritanceDACLProtection defines whether the DACL is protected against inheritance flow or not. To make inheritance flow again on a protected DACL use aclpForceUnprotect; aclpUnprotected alone does not re-enable it.

InheritanceSACLProtection
InheritanceSACLProtection defines whether the SACL is protected against inheritance flow or not. To make inheritance flow again on a protected SACL use aclpForceUnprotect; aclpUnprotected alone does not re-enable it.
 
InheritHandles
InheritHandles is a custom flag that defines whether handles are inherited (true) or not. TJwSecurityDescriptor itself does not use it, but some JWSCL methods accept a TJwSecurityDescriptor where the WinAPI expects a SECURITY_ATTRIBUTES structure and read InheritHandles in place of the member bInheritHandle. Create_SA2 and Create_SAEx2 map it into the bInheritHandle member of the structure they create.
 
OwnDACL
OwnDACL defines whether an assigned DACL is copied into a new instance (true) or whether the property points directly to the assigned instance (false). The list the property refers to is freed when the security descriptor is destroyed (see Destroy), so with OwnDACL = false do not free the assigned list separately.
 
Owner
Owner sets or gets the owner SID of the SD. If the property OwnOwner is true and the property is set, the old Owner TJwSecurityId instance is freed and the new owner is copied into a new instance; there are then two instances of this SID, and the original one is not touched and must be freed by the caller if necessary. If OwnOwner is false, the old Owner instance is not freed and the property points directly to the given SID.
The following code can be used to set a newly created instance.
 
OwnerInherited
OwnerInherited defines whether the owner SID is inherited (true) or not (false). It indicates whether the owner information is derived from a default mechanism; if TRUE, it is default information. Create_SD stores the value as the SE_OWNER_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL value; if it is false, SE_OWNER_DEFAULTED is cleared. (source: http://msdn2.microsoft.com/en-us/library/aa379585.aspx)
The Control flag is only updated in a newly created SD allocated by Create_SD.
 
OwnOwner
OwnOwner defines whether the owner SID is freed on destruction (true) or not (false). If OwnOwner is true and the property Owner is set, the old Owner TJwSecurityId instance is freed and the new owner is copied into a new instance; there are then two instances of this SID, and the original one is not touched and must be freed by the caller if necessary.
If OwnOwner is false, the old Owner instance is not freed and the property points directly to the given SID.
See Owner for information about how to... more
 
OwnPrimaryGroup
OwnPrimaryGroup defines whether the group SID is freed on destruction (true) or not (false).
If OwnPrimaryGroup is true and the property PrimaryGroup is set, the old PrimaryGroup TJwSecurityId instance is freed and the new group is copied into a new instance; there are then two instances of this SID, and the original one is not touched and must be freed by the caller if necessary. If OwnPrimaryGroup is false, the old PrimaryGroup instance is not freed and the property points directly to the given SID.
See Owner for information about how to use... more
 
PrimaryGroup
PrimaryGroup sets or gets the primary group SID of the SD. If the property OwnPrimaryGroup is true and the property is set, the old PrimaryGroup TJwSecurityId instance is freed and the new group is copied into a new instance; there are then two instances of this SID, and the original one is not touched and must be freed by the caller if necessary. If OwnPrimaryGroup is false, the old PrimaryGroup instance is not freed and the property points directly to the given SID.
See Owner for information about how to use this property.
 
PrimaryGroupInherited
PrimaryGroupInherited defines whether the group SID is inherited (true) or not (false).
It indicates whether the primary group information was derived from a default mechanism; if TRUE, it is default information. Create_SD stores the value as the SE_GROUP_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL value; if it is false, SE_GROUP_DEFAULTED is cleared. (source: http://msdn2.microsoft.com/en-us/library/aa379584.aspx)
The Control flag is only updated in a newly created SD allocated by Create_SD.
 
RMControl
RMControl sets or gets the resource manager control bits of the SD (the Sbz1 byte of the SECURITY_DESCRIPTOR, valid only when SE_RM_CONTROL_VALID is set in Control). Do not change them unless you know what they mean; for more information see MSDN. The value is ignored in the current version.
 
SACL 
SACL is the same as the property AuditACL. If the audit ACL is set, it copies the SACL into a new structure, so the original list is not touched. 
 
Tag 
This is Tag, a member of class TJwSecurityDescriptor. 
 
Text
Text returns a string that describes the security descriptor in a human readable format.
Copyright (c) 2010. All rights reserved.
This help was created by Doc-O-Matic sponsored by toolsfactory software inc.