Roth Consulting's Official Win32::Perms Home Page

One of the most frustrating aspects of administrating Win32 machines is the way that permissions are managed. The only way to modify permissions is by using the GUI tools that come with the operating system, such as the Explorer.exe program. There are other tools such as Cacl.exe but they are not necessarily easy to find nor are they easy to use. Additionally such tools typically only work on permissions for one particular type of object (such as files and directories or printer shares).

This is what the Win32::Perms extension was designed to combat. It allows a script to query and modify the permissions on files, directories, registry keys, network shares and printer shares.
In addition to permissions the extension also allows the management of how an object is audited as well as editing the objects owner and group.

The latest version

How do you get Win32::Perms?

There are two ways to obtain Win32::Perms. You can either download and install it manually from our FTP site:

ftp://ftp.roth.net/pub/ntperl/perms/

Or, if you have ActivePerl (aka Perl from ActiveState version 5.005 or higher), you can auto download and install the extension. You need to run the Perl Package Manager script which comes in the perl\bin directory:

perl ppm.pl install http://www.roth.net/perl/packages/win32-perms.ppd

Need More Documentation?

What are Permissions?

Permissions are placed on Win32 objects such as files, directories and registry keys. They are the "rules" which dictate who can access these objects and how they are to be accessed. For example one user may need to read and write files while another user may need to delete files. This page will provide a brief overview of just what Win32 permissions are and how they work.
For the sake of clarity let's assume that you want to place permissions so user cartman can only read a file but the administrator has full access (the ability to read, write, delete, change the ownership and modify permissions). To understand how we go about doing this you need to first understand a few things about Win32 security...

Security Identifiers (SID)

The first thing you need to understand is that usernames and group names are just strings of text that mean nothing to Win32. The OS does not care what an "Administrator" string is. It does care, however, about a funky long thing that looks like:

S-1-5-21-143982112-578333669-1869494990-500

You see, an odd looking number like this is what Win32 sees when it thinks of the Administrator account. When the Administrator logs in Win32 looks up this fancy sting and applies it whenever it needs to identify the user. For humans it is simply easier to refer to 'Administrator'. The string is really a text representation of a binary memory structure which is called a Security Identifier (SID). Every username, groupname, domain name and machine name have a SID tucked away somewhere in the Registry.

So if you want to grant the user cartman some permissions you must first request Win32 to lookup the SID for the cartman and administrator accounts.

Access Control Entries (ACE)

Once you have a SID you need to create a thing called an Access Control Entry (ACE). An ACE is a combination of SID, permissions and some flags.
The permissions and flags are discussed later. You simply need to make an ACE for cartman and an ACE for administrator. Sounds simple so far...

Access Control Lists (ACL)

Now that you have this collection of ACEs you need to glue them altogether. You do this by creating an Access Control List (ACL). An ACL is simply a list of ACEs. Once you have created an ACL you can apply it to the object (file, dir, registry key, etc).

Back to the top

Discretionary Access Control List (DACL)

But wait, not so fast. Having created your nice, shiny ACL makes you happy and all, but we are not out of this yet. There are two types of ACLs. The type of ACL that most users are familiar with is the one which allows you to determine who has access to what. This is what you created the cartman and administrator ACEs for in the first place. This ACL is known as a Discretionary Access Control List (DACL). Makes sense since it is up to your discretion who has access, eh?

Back to the top

System Access Control List (SACL)

The other type of ACL is one that most administrators are familiar with. This is the one which determines if and how the object is audited. This way you can set it such that when the object is successfully opened an entry is placed in the event log. There are successful audits and there are failure audits. This type of audit ACL is known as a System Access Control List (SACL).

By the way, if you have an empty DACL (that is a DACL that contains no ACEs) then that means that nobody will be granted access to the object (except for the owner, but that comes later). An empty SACL simply means that no auditing takes place on the object.

Back to the top

NULL DACL

Okay, one last wrinkle to toss in. It is possible to create a NULL DACL. A NULL DACL is NOT the same as an empty DACL. An empty DACL means that you have a chunk of memory allocated that represents a DACL but no ACEs are inside of it. A NULL DACL means that no memory has been allocated for the DACL. (The NULL comes from the fact that since there is no memory allocated for the DACL you supply a NULL pointer whenever a function requires a DACL).
A NULL DACL will be interpreted by Win32 as neither granting access to anyone nor denying access to anyone. This confusion is resolved by Win32 implicitly granting FULL access to EVERYONE! (this is why when you create a new net share in Explorer and do not specify any permissions you see, by default, that full access is granted to everyone -- the share has a NULL DACL)

Back to the top

NULL SACL

A NULL SACL, by the way, will do the same as an empty SACL (no auditing is performed).

Owners & Primary Groups

If this makes sense thus far then you are going to find the rest of this as pretty easy.

Two more very simple concepts and then on to the meaning of life: owner and group. Most Win32 objects can have an owner and group. An owner is just a SID of who "owns" the object.

Back to the top

Owner

The owner is never denied access to the object, ever. Even if the DACL explicitly denies access to the user, the fact that he is the owner allows him to get to it. An owner can either be a user SID or a group SID. Yes, the Administrators group can be the owner of a file (which means that anyone who is a member of the Administrators group would share in the ownership).

Back to the top

Group

The last simple thing is just like the owner except that it is a group (aka primary group). This does not really mean much to Win32 but it exists for compatibility with POSIX. An objects primary group can be any Global Group. And that is about it. It does not grant anything neat-o or cool. It simply is. Oh yeah, the owner and group are both SIDs. They are not ACEs since there are no permissions and/or flags that are associated with the them. Just simply SIDs.

Security Descriptors (SD)

If you take your DACL and SACL and toss in an owner SID and a primary group SID then you have what is known as a Security Descriptor (SD). Ahh, this is it! This is what a Win32::Perms object really is; a security descriptor!

Most Win32 API functions that allow you to create or manipulate objects allow you to supply a security descriptor. Which means all of this madness applies to any securable Win32 object.

If you create a Win32::Perms object passing in a path or Win32::Registry object then an empty SD is created which will immediately import the DACL, SACL, owner and group.

Back to the top

Empty Security Descriptors

When you create a Win32::Perms object you are creating an empty Security Descriptor. This means that it has no owner SID, no primary group SID and it has both a NULL DACL and a NULL SACL.

Accounts

The Win32::Perms makes use of user, machine and domain accounts. This can be any valid account. For example:

Joel
Administrator
Guest
SERVER_A$

Managers
Administrators
Guests
Friends

To specify a particular account or group from a particular domain you can prepend the account with a domain name followed by a single backslash:

ACCOUNTING\Joel
TECH_GROUP\Administrator
TECH_GROUP\Domain Admins
NEW_YORK\Guests

It is often necessary to specify a user account from a particular machine. The machine can be a Primary Domain Controller, Backup Domain Controller, NT Server, or NT Workstation. Since local groups are machine specific (not domain wide as global groups are) it is necessary to specify which machine a local group belongs to.

To specify a particular machine instead of a domain you specify the proper name of the machine (with double backslashes prepending the name) followed by a backslash and the account or group name:

\\Server_A\Administrators
\\JOHNS_PC\IUSR_MACHINE
\\PRIMARY_DC\Guest

A Note About Flags

One of the most important elements of Win32 permissions are the flags. Every ACE can specify one of several flags. These flags indicate how the permissions are applied to the object. This is the topic where people become most confused but they are of the utmost importance.

Let's say that you have a directory. On that directory you place permissions that grant administrators full control and users read and write control. This means that the user who tries to access that directory will be subject to the permissions. But what happens if you create a subdirectory within this directory? What permissions does it have?

Typically when you place permission on a directory using the Explorer.exe program any new subdirectory will inherit the permissions from it's parent (the directory it is created within). This happens only because Explorer.exe, by default, sets a flag indicating that new subdirectories are to inherit the permissions.

Back to the top

Containers

This leads us to define what a directory is. Any object which can hold another object (such as a directory, a Registry key, a network share, etc) is called a container. They are capable of containing objects. Typically a container can contain other containers. This is evident in the way you can have directories within other directories and Registry keys within other Registry key. A container that is inside of another container is said to be a child container. Likewise the child container is held within it's paren container.

Back to the top

Non-Containers

Non-containers are just that; objects that are not containers. Examples of non-containers are files and Registry values. They are always held within a container of some sort.

Now, flags are used to reflect how containers will handle permissions. There are basically four flags to be aware of:

ACE Flags and their descriptions

Flag	Description
OBJECT_INHERIT_ACE	All non-container children objects (such as files) will inherit and use this ACE. Container children objects (such as directories and Registry keys) will inherit this ACE as an INHERIT_ONLY ACE--it will not be effective on the child container. However the child container will allow its children objects to inherit the ACE. If the NO_PROPAGATE_INHERIT_ACE flag is also set then no other object can inherit this ACE from the child container.
CONTAINER_INHERIT_ACE	All child container objects (such as directories and Registry keys) will inherit and use this ACE. If the NO_PROPAGATE_INHERIT_ACE flag is also set then no other object can inherit this ACE from the child container.
INHERIT_ONLY_ACE	An ACE with this flag set is inactive on the object which contains this ACE. A child object which inherits this ACE, however, will be affected by the ACE.
NO_PROPAGATE_INHERIT_ACE	An ACE with this flag set will be inherited by child objects but will not be inheritable by grandchildren objects. For example if directory A contains an ACE with this flag then any subdirectory, B, that is created will inherit this ACE. However, the OS will automatically remove any OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags for the inherited ACE. This prevents any child object placed inside of directory B from inheriting this ACE. Basically this flag allows only one generation of child objects to inherit the ACE.

For every directory you typically have to add two sets of permissions for each user. In other words, to grant Administrator full access on a directory you would create two ACES; one for permissions on the directory and one for permission on the files within the directory:

Flag	Description
OBJECT_INHERIT_ACE \| INHERIT_ONLY_ACE	The directory will not use the permissions but will allow non-container children objects (ie. files) to inherit the permissions--which they will use. Container objects (subdirectories) that are created in the directory will inherit this permission mask but will not use them. Instead the permissions will be inherited by files placed into this subdirectory.
CONTAINER_INHERIT_ACE	The directory will use the permissions and child containers will inherit and use them as well.
no flags	The directory will use the permissions but no child objects will inherit them.

Back to the top

Typical Flags

Typically when you set permissions on a directory using the Explorer.exe program it will create two ACEs. One will be for the directory which will have the flag:

CONTAINER_INHERIT_ACE

The other ACE will be for files in the directory and this ACE will have the flags:

OBJECT_INHERIT_ACE | INHERIT_ONLY

Figure 1: Non standard flags dialog

You can use any combination of flags that your needs mandate. Be advised, however, that if you use anything but the typical flag combinations described above the Explorer.exe and File Manager programs will complain with a dialog (as in figure 1). This is because even though the flag combinations may be legitimate and valid these programs do not know how to describe them.

Examples:

In this example we will be placing read only permissions for cartman and full permissions for administrator on the file c:\test.txt and removing all references for guest from and then explicitly denying joel access to the c:\temp directory.

use Win32::Perms;

# Create an empty Security Descriptor
$::ThisPage = new Win32::Perms || die;

# One of two ways to add an ACE
$::ThisPage->Allow('cartman', READ);

# The second way to add an ACE
$::ThisPage->Add( {Account=>'administrator', Mask=>FULL } );

# Set the file's permissions
$::ThisPage->Set('c:/test.txt');

use Win32::Perms;

# Create a new Security Descriptor and auto import permissions
# from the directory
$Dir = new Win32::Perms( 'c:/temp' ) || die;

# One of three ways to remove an ACE
$Dir->Remove('guest');

# Deny access for all attributes (deny read, deny write, etc)
$Dir->Deny( 'joel', FULL );

# Set the directory permissions (no need to specify the
# path since the object was created with it)
$Dir->Set();

# If you are curious about the contents of the SD
# dump the contents to STDOUT $Dir->Dump;

Methods

Add( $Account [, $Mask [, $Type [, $Flag ] ] ] )
Add( \%Hash [, \%Hash2 [, ...] ] )

This method will create an ACE with the specified account, permission mask, ACE type and ACE flags and add the ACE to either the SACL or DACL depending on what Type is specified. Alternatively references to hashes can be passed in. Each hash must consist of the following keys:

Account	Name of the account or group
Domain	Domain which contains the account or group (optional)
Mask	Permission mask
Type	Type of ACE to create (optional)
Flag	ACE flags (optional)

The hashes contained in the resulting array from a call to Dump() will contain the appropriate keys. This allows for:

$Perm->Dump( \@Array );
$Perm2->Add( @Array );

Mask can be any combination of constants from Table 1 OR'ed together.
Type can be any one single constant from Table 2.
Flag can be any combination of constants from Table 3 OR'ed together.

Returns the number of entries successfully added.

AddAudit( $Account [, $Mask [, $Flag ] ] )

This method will create a new audit ACE with the specified account, mask and flag. The ACE will cause the system to log (audit) the specified $Account when it accesses the object using one of the events specified by $Mask.

Mask can be any combination of constants from Table 1 OR'ed together.
Flag can be any combination of constants from Table 3 OR'ed together.

Returns TRUE (1) if successful and FALSE (0) if it fails.

Allow( $Account [, $Mask [, $Flag ] ] )

This method will create a new access allowed ACE with the specified account, mask and flag. The ACE will allow the specified $Account to access the object with the specified $Mask.

Mask can be any combination of constants from Table 1 OR'ed together.
Flag can be any combination of constants from Table 3 OR'ed together.

Returns TRUE (1) if successful and FALSE (0) if it fails.

Close()

This method is called to destroy a Win32::Perms object. Close() is automatically called when the object is destroyed due to an undef(), delete() or it falls out of scope.

Returns no value.

DecodeMask( ( $Mask | \%Hash ) [, \@List [, \@FriendlyList ] ] )

This function will decipher a permission mask into human readable names. The first parameter can either be a permission mask value or it can be a hash reference obtained by a call to Dump(\@List). If an optional array reference is passed in as a second parameter then the array is cleared and populated with the permission names.

If an optional third array reference is passed in then an attempt to map the permissions masks into "friendly" permission names.

Example:

$Perm->Dump( \@List );
Win32::Perms::DecodeMask( $List[3], \@Mask, \@FriendlyMask );

Returns the number of permissions names that $Mask represents.

DecodeType( ( $Type| \%Hash ) [, \@List ] )

This function will decipher a type value into human readable names. The first parameter can either be a type value or it can be a hash reference obtained by a call to Dump(\@List).

If an optional array reference is passed in as a second parameter then the array is cleared and populated with the permission names.

Example:

$Perm->Dump( \@List ); Win32::Perms::DecodeType( $List[3], \@Types );

Returns the number of permissions names that $Type represents.

DecodeFlag( ( $Flag | \%Hash ) [, \@List ] )

This function will decipher a flag value into human readable names. The first parameter can either be a flag value or it can be a hash reference obtained by a call to Dump(\@List).

If an optional array reference is passed in as a second parameter then the array is cleared and populated with the flag names.

Example:

$Perm->Dump( \@List );
Win32::Perms::DecodeFlag( $List[3], \@Flags );

Returns the number of permissions names that $Flag represents.

Deny( $Account [, $Mask [, $Flag ] ] )

This method will create a new access denied ACE with the specified account, mask and flag. The ACE will prevent the specified $Account from accessing the object with the specified $Mask.

Mask can be any combination of constants from Table 1 OR'ed together.
Flag can be any combination of constants from Table 3 OR'ed together.

Returns TRUE (1) if successful and FALSE (0) if it fails.

Dump( [ \@List ] )

Prints all ACEs and their values to STDOUT. This is used primarily for debugging.

If an optional array reference is passed in then nothing is printed to STDOUT instead the array is populated with hashes that describe each ACE.

Access	The type of access this ACE refers to ('Allow' or 'Deny')
Account	Name of the user account the ACE is associated with
Domain	Domain name of the user account the ACE is associated with
Entry	The type ACL this ACE comes from (DACL or SACL)
Flag	The ACE flags
Mask	The ACE permission mask
ObjectName	Win32::Perms object type (eg. Registry, File, Directory, etc)
ObjectType	Win32::Perms numeric value of ObjectName
SID	The text formatted SID. The SID represents the domain\user account. Use ResolveSid() or ResolveAccount() to translate the SID into a binary SID or domain\username text strings.
Type	The ACE access type flags.

Get( [ \@Array ] )

Returns the total number of ACE's in the Win32::Perms object. If a reference to an array is passed then the array is populated with hashes describing each ACE.

Returns a number representing the total number of ACE's in the object.

GetDacl()

Retrieves the memory address of the Win32::Perms object's Discretionary ACL (DACL). The return value is the memory address of the DACL (a pointer to the DACL).

It is not wise to use this function since it points to a memory structure that can change.

Returns a pointer to the Win32::Perms object's Discretionary ACL (DACL).

GetSD( [ SD_ABSOLUTE | SD_RELATIVE )

This method will retrieve a the object's Security Descriptor (SD).
There are two types of SDs:

SD_ABSOLUTE	This is an SD that contains pointers which points to the DACL, SACL, Owner SID and Group SID. If this type of SD is requested then a value is returned which is the memory address of the SD.
SD_RELATIVE	This is a contiguous binary representation of the SD's DACL, SACL, Owner SID and Group SID. If this type of SD is requested then the entire SD is returned as a byte array. The returned scalar can be quite long (several hundred to several thousand bytes long).

If no type is passed in then it defaults to SD_ABSOLUTE.

Returns either the memory location of the SD (SD_ABSOLUTE), a binary data structure (SD_RELATIVE) or undef (upon failure).

GetVersion()

Returns the extension version number in a string format. The version number is in universal date format (eg. "19990119").

Returns the extension's version string.

Group( [ $Account ] )

Retrieves the group of the object.
If an optional account is passed in then the group will be set to that account.

NOTE:
Not all objects have groups (eg. Network shares).

Returns the current group of the object.

Import( $Path )

This method imports the ACEs from $Path and adds them to the current ACE list.

Refer to Appendix A for information on how to format the $Path variable.

Returns TRUE if successful and FALSE if failure.

new( [ $Path | $Object [, $Type ] ] )

This function will create a new Win32::Perms object.
The first parameter is either a path or a valid recognized Perl object.
Refer to Appendix A for details on formats a path can be.

An $Object can be used instead of a $Path. Currently the only valid object is a Win32::Registry object.

If a second parameter is specified it forces the path to be interpreted as the specified type:

PERM_TYPE_NULL	Creates a NULL descriptor. This is the same as a security descriptor with a NULL DACL, a NULL SACL, no Owner and no Group. If an object of this type is used to set permissions then the permission will be set to the Default state which is FULL access to Everyone.
PERM_TYPE_FILE	The path is to a directory or file
PERM_TYPE_REGISTRY	The path is to a Registry key
PERM_TYPE_SHARE	The path is to a network share
PERM_TYPE_PRINTER	The path is to a network printer

If nothing is passed into the function then a new, empty Win32::Perms object will be created. It can be applied to any object later.

Returns a valid Win32::Perms object otherwise returns undef.

Owner( [ $Account ] )

Retrieves the owner of the object.
If an optional account is passed in then the owner will be set to that account.

Returns the current (or new ) owner of the object.

Set( [ $Path [, $Recurse ] ] )

Sets the permissions onto the object specified by $Path. Refer to Import() for details of the $Path.
If the optional first parameter is not specified or is an empty string then the default path for the object is used. (If you created this object by specifying a path this is the default path).

SetRecurse( [ $Path ] )

Same as Set() except that it will recurse into all subcontainers (dirs, keys, etc). Setting permissions on all matching objects found in subcontainers.

If the path is to a file then wildcards can be used such as:

c:\temp\*.tmp

This will set permissions on all files ending in .tmp in the c:\temp directory. If recursion is specified then all .tmp files in c:\temp and all subdirectories will be set.

Paths that specify a registry key can not contain wildcards but can use recursion.

Recursion does not apply to network shares.

This is functionally the same as calling Set() passing in TRUE as the $Recurse parameter.

SetDacl( [ $Path [, $Recurse ] ] )
SetSacl( [ $Path [, $Recurse ] ] )
SetOwner( [ $Path [, $Recurse ] ] )
SetGroup( [ $Path [, $Recurse ] ] )

These four methods are equivalent to the Set() method except that the Set() will set all information on the object (DACL, SACL, Owner and Group). The methods will only set the specified information:

SetDacl()	Sets only discretionary ACL (permissions)
SetSacl()	Sets only the system ACL (auditing)
SetOwner()	Sets only the owner of the object
SetGroup()	Sets only the group of the object

ResolveAccount( $Sid )

Returns the account name of the specified SID in the form of "domain\name".
The passed in SID can either be a text or binary representation of a SID.

If the passed in SID is not valid then nothing is returned.

ResolveSid( $Account [, $BinarySid ] )

Returns a text based SID which represents the specified account. An example of a text SID is:

S-1-5-21-143984352-578909669-1869494990-1009

If a scalar variable is passed in as a second parameter then it is set to the binary representation of the same SID.

If the specified account is not valid then nothing is returned and if the optional second parameter is specified then it is cleared.

Remove( -1 )
Remove( $Account | $Index [, $Index2 [, ... ] ] )
Removes ACEs from the DACL (Permissions List)

Either an account or index can be specified. The index number is the index number that is a result of calling Dump() or the Get() methods.

If -1 is passed as a parameter then all ACEs are removed.

Returns number of removed ACEs.

RemoveAudit( -1 )
RemoveAudit( $Account | $Index [, $Index2 [, ... ] ] )

Removes ACEs from the SACL (Audit List).
Either an account or index can be specified. The index number is the index number that is a result of calling Dump() or the Get() methods.

If -1 is passed as a parameter then all ACEs are removed.

Returns number of removed ACEs.

Appendix A. Path formats

Table 1. Valid ACE permissions.
Mask Contant	Description
FULL	Full access (RWDXOP)
ALL	Same as FULL
CHANGE	Change access (RWDX)
READ	Read access
WRITE	Write access
DELETE	Delete access
EXECUTE	Execute access
NO_ACCESS	No permissions specified

Table 2. Valid ACE type constants.
Type constant	Description
ALLOW	The permission mask is allowed
GRANT	Same as ALLOW
DENY	Permission mask is denied
AUDIT	The permission mask is for auditing
OWNER	The account specified is the OWNER (the permission mask is ignored)
GROUP	The account specified is the GROUP (the permission mask is ignored)

Table 3. Valid ACE flag constants.
Flag constant	Description
DIRECTORY	The permission is for a directory
DIR	Same as DIRECTORY
KEY	the permission is for a Registry key
CONTAINER	The permission is for a container object (dir, Registry key, etc)
FILE	The permission is for a file
NON_CONTAINER	The permission is for a non container object (file, etc)
SUCCESS	If the type is AUDIT then this will log a successful audit
FAILURE	If the type is AUDIT then this will log a failed audit

When specifying a path for the following methods:

new()
Import()
Set()

You can use one of two formats:

path
object_type:path

The first format (path) is simply the path of the object such as:

c:\temp\file.txt
d:\Program Files\Office
\\server\share
\\server\share\dir\file.txt
\\server\printer
HKEY_LOCAL_MACHINE\Software
\\machine\HKEY_LOCAL_MACHINE\Software

The second format (object_type:path) is the path prepended by a object type and colon:

file:c:\temp\file.txt
dir:d:\Program Files\Office
share:\\server\share
file:\\server\share\dir\file.txt
printer:\\server\printer
registry:HKEY_LOCAL_MACHINE\Software
registry:\\machine\HKEY_LOCAL_MACHINE\Software

There may be times when it will be necessary to specify the object_type:path format to resolve an ambiguous path. For example, if you make a call to:

$Dir = new Win32::Perms( "\\\\server\\share" );

The extension does not know if the script intends the path \\server\share to represent the permissions for the root directory at the UNC \\server\share or the permissions for the network share \\server\share.

By design the network share has higher precedent over a directory. Therefore the above code will reflect a network share, not a directory. If a script needs to force the extension to recognize the path as a directory specify the object type as in:

$Dir = new Win32::Perms( "dir:\\\\server\\share" );

Note that file: and dir: are synonyms; either can be used.

	Add()
	AddAudit()
	Allow()
	Close()
	DecodeMask()
	DecodeType()
	DecodeFlag
	Deny()
	Dump()
	Get()
	GetDacl()
	GetSacl()
	GetSD()
	Group()
	Import()
	new()
	Set()
	SetRecurse()
	SetDacl()
	SetSacl()
	SetOwner
	SetGroup
	ResolveAccount()
	ResolveSid()
	Owner()
	Remove()
	RemoveAudit()

The Official Win32::Perms Home Page

The latest version

How do you get Win32::Perms?

Need More Documentation?

What are Permissions?

Security Identifiers (SID)

Access Control Entries (ACE)

Access Control Lists (ACL)

Discretionary Access Control List (DACL)

System Access Control List (SACL)

NULL DACL

NULL SACL

Owners & Primary Groups

Owner

Group

Security Descriptors (SD)

Empty Security Descriptors

Accounts

A Note About Flags

Containers

Non-Containers

ACE Flags and their descriptions

Typical Flags

Examples:

Methods

Add( $Account [, $Mask [, $Type [, $Flag ] ] ] ) Add( \%Hash [, \%Hash2 [, ...] ] )

AddAudit( $Account [, $Mask [, $Flag ] ] )

Allow( $Account [, $Mask [, $Flag ] ] )

Close()

DecodeMask( ( $Mask | \%Hash ) [, \@List [, \@FriendlyList ] ] )

DecodeType( ( $Type| \%Hash ) [, \@List ] )

DecodeFlag( ( $Flag | \%Hash ) [, \@List ] )

Deny( $Account [, $Mask [, $Flag ] ] )

Dump( [ \@List ] )

Get( [ \@Array ] )

GetDacl()

GetSD( [ SD_ABSOLUTE | SD_RELATIVE )

GetVersion()

Group( [ $Account ] )

Import( $Path )

new( [ $Path | $Object [, $Type ] ] )

Owner( [ $Account ] )

Set( [ $Path [, $Recurse ] ] )

SetRecurse( [ $Path ] )

SetDacl( [ $Path [, $Recurse ] ] ) SetSacl( [ $Path [, $Recurse ] ] ) SetOwner( [ $Path [, $Recurse ] ] ) SetGroup( [ $Path [, $Recurse ] ] )

ResolveAccount( $Sid )

ResolveSid( $Account [, $BinarySid ] )

Remove( -1 ) Remove( $Account | $Index [, $Index2 [, ... ] ] ) Removes ACEs from the DACL (Permissions List)

RemoveAudit( -1 ) RemoveAudit( $Account | $Index [, $Index2 [, ... ] ] )

Appendix A. Path formats

Add( $Account [, $Mask [, $Type [, $Flag ] ] ] )
Add( \%Hash [, \%Hash2 [, ...] ] )

SetDacl( [ $Path [, $Recurse ] ] )
SetSacl( [ $Path [, $Recurse ] ] )
SetOwner( [ $Path [, $Recurse ] ] )
SetGroup( [ $Path [, $Recurse ] ] )

Remove( -1 )
Remove( $Account | $Index [, $Index2 [, ... ] ] )
Removes ACEs from the DACL (Permissions List)

RemoveAudit( -1 )
RemoveAudit( $Account | $Index [, $Index2 [, ... ] ] )