chsvlib
chsv helper source code

◆ CreateSecurityDescriptor() [1/4]

AutoSecurityDescriptor Chusov::Win32::Security::CreateSecurityDescriptor ( LPCWSTR  pszOwnerName,
LPCWSTR  pszGroupName,
AllowedInputIterator  itAllowedBegin,
AllowedInputIterator  itAllowedEnd,
DeniedInputIterator  itDeniedBegin,
DeniedInputIterator  itDeniedEnd 
)

Allocates and constructs a self-relative security descriptor from its three components: an owner, a group and a discretionary access control list (DACL). The owner and the group are specified by respective principal names with optional domain names, which the principals belong to. The DACL is passed to the function as half-intervals, specified by two pairs of input iterators within two containers of ACCESS_ALLOWED_ACE_INFO objects and of ACCESS_DENIED_ACE_INFO objects, that respectively specify access-allowed and access-denied access control entries (ACE) to be included into the created security descriptor.

Template Parameters
AllowedInputIteratoris a type of an input iterator, specifying a range within a container of access-allowed ACEs.
DeniedInputIteratoris a type of an input iterator, specifying a range within a container of access-denied ACEs.
Parameters
[in]pszOwnerNameis an optional pointer to a zero-terminated wide string specifying a name of a principal to be included into the created security descriptor as its owner. The name can include an optional domain name, which the principal belongs to. A principal name qualified with the corresponding domain name should be specified as "domain_name\user_name". If the domain name is omitted, a security identifier of the principal is sought in the current system domain. If the pszOwnerName is NULL, the created security descriptor does not have an owner.
[in]pszGroupNameis an optional pointer to a zero-terminated wide string specifying a name of a principal, that is associated with a group, to be included into the created security descriptor as its group. The name can include an optional domain name, which the principal belongs to. A principal name qualified with the corresponding domain name should be specified as "domain_name\user_name". If the domain name is omitted, a security identifier of the principal is sought in the current system domain. If the pszGroupName is NULL, the created security descriptor does not have a group.
itAllowedBeginis an iterator specifying an inclusive first border of a range of access-allowed ACEs, which are held within some container. The iterator must be at least an input iterator.
itAllowedEndis an iterator specifying an exclusive second border of a range of access-allowed ACEs, which are held within some container. The iterator must be at least an input iterator.
itDeniedBeginis an iterator specifying an inclusive first border of a range of access-denied ACEs, which are held within some container. The iterator must be at least an input iterator.
itDeniedEndis an iterator specifying an exclusive second border of a range of access-denied ACEs, which are held within some container. The iterator must be at least an input iterator.
Returns
The function returns a smart AutoSecurityDescriptor pointer to the created self-relative security descriptor.

Each pointer to the names, which are zero-terminated wide strings, is optional. A NULL pointer to an owner name causes the function to create a security descriptor without an owner. Consequently, a NULL pointer to a group name causes the function to create security descriptor without a group.

There is no way to create a security descriptor without a DACL, because if both ranges of ACEs, specified by the iterators, are empty, the function assigns an empty (but valid) DACL to the returned security descriptor. Such descriptor will prohibit anyone from accessing the object, which the created security descriptor is assigned to. To create an empty security descriptor use the CreateSecurityDescriptor overloaded function, for which pOwner and pGroup can be retrieved by calling the GetSidByPrincipalName function.

A revision of the created DACL corresponds to ACL_REVISION constant. See InitializeAcl for more detailed information.

A call to the function is equivalent to the following code:

PSECURITY_DWSCRIPTOR pSD = CreateSecurityDescriptor(
pszOwnerName == NULL?NULL:Chusov::Memory::AutoData<PSID>(GetSidByPrincipalName(pszOwnerName)).get(),
pszGroupName == NULL?NULL:Chusov::Memory::AutoData<PSID>(GetSidByPrincipalName(pszGroupName)).get(),
Chusov::Memory::AutoData<PACL>(CreateDACL(itAllowedBegin, itAllowedEnd, itDeniedBegin, itDeniedEnd, ACL_REVISION)).get());
Chusov::Win32::Security::CreateDACL
AutoACL CreateDACL(AllowedInputIterator itAccessAllowedACEsBegin, AllowedInputIterator itAccessAllowedACEsEnd, DeniedInputIterator itAccessDeniedACEsBegin, DeniedInputIterator itAccessDeniedACEsEnd, DWORD dwAclRevision=ACL_REVISION)
Creates a discretionary access control list (DACL) from two sequences of access-allowed and access-de...
Definition: chsvwinutilex.h:1536
Chusov::Win32::Security::CreateSecurityDescriptor
AutoSecurityDescriptor CreateSecurityDescriptor(PSID pOwner, PSID pGroup, PACL pDacl)
Allocates and initializes a self-relative security descriptor with the specified owner and group,...
Definition: chsvwinutilex.h:1680
Chusov::Win32::Security::GetSidByPrincipalName
AutoSID GetSidByPrincipalName(LPCWSTR pszPrincipalName)
Returns a smart AutoSID pointer to a security identifier of a principal, specified by its name.
Definition: chsvwinutilex.h:510
Chusov::Memory::AutoData
A template of a class specifying std::unique_ptr to manage pointers allocated using one of the alloca...
Definition: chsvmem.h:4089
Exceptions
std::bad_allocThe function was unable to allocate a required amount of memory to complete the request.
Chusov::Exceptions::ArithmeticOverflowExceptionA size, in bytes, of the DACL to be allocated must fit 32 bits (as specified by DWORD values), but it does not.
Chusov::Exceptions::ChsvCodeExceptionSystem-level error occurred.