Databases
StackOverflow2013
Postsdbo
POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
    primarykey
    data
    text
    <p>I have the code below working for various ACE changes and adds and revoking - it just does NOT work when I try and remove an ACE that is in the ACL (clearly there), but this ACE is inherited. </p> <p>The <code>SetEntriesInAcl()</code> for revoke of non-inherited ACEs works, reduces the ACL ACE count and the following <code>SetNamedSecurityInfo()</code> does the revoke and the ACE is gone. </p> <p>When the ACE is inherited though - both these API return <code>SUCCESS</code> - but the ACE is not removed/revoked, the ACL ACE count remains the same. </p> <p>I have also coded doing <code>DeleteAce()</code> but when that DACL is used in <code>SetNamedSecurityInfo()</code> again the RC is <code>SUCCESS</code> (no return codes) and the ACE remains for the folder I am dealing with - clearly there is a trick on how to remove an inherited ACE. </p> <p>Btw, for the same folder in question SUBINACL command line tool does the revoke of this inherited ACE without problem.</p> <pre><code> if( EqualSid( pSid_for_ace, pSid ) ) { /* ACE SID matched edit SID */ if( cmd_se_edit == SE_REM ) { /* remove */ rem_lst[ ace_idx ] = x; exp_ace[ ace_idx ].grfAccessPermissions = dwAccessRights; exp_ace[ ace_idx ].grfAccessMode = REVOKE_ACCESS; exp_ace[ ace_idx ].grfInheritance = dwInheritance; exp_ace[ ace_idx ].Trustee.TrusteeForm = TRUSTEE_IS_SID; exp_ace[ ace_idx ].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; exp_ace[ ace_idx ].Trustee.ptstrName = pSid; if( ace_idx &lt; (REMMAX-1) ) ++ace_idx; } /* remove */ } /* ACE SID matched edit SID */ pBA = (BYTE *)p_aceHdr; ace_sz = p_aceHdr-&gt;AceSize; p_aceHdr = (PACE_HEADER)&amp;pBA[ ace_sz ]; } /* loop through ACEs */ // Create a new ACL that merges the new ACE // into the existing DACL. if( ace_idx ) { /* ACEs to remove */ dwRes = SetEntriesInAcl( ace_idx, &amp;exp_ace[0], pDacl, &amp;pNewDacl ); if( ERROR_SUCCESS != dwRes ) { printf( "SetEntriesInAcl Error %u\n", dwRes ); goto Cleanup2; } // Attach the new ACL as the object's DACL. dwRes = SetNamedSecurityInfo( ObjName, ObjectType, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL ); if( ERROR_SUCCESS != dwRes ) { rc3 = GetLastError(); printf( "SetNamedSecurityInfo Error %u\n", dwRes ); goto Cleanup2; } } /* ACEs to remove */ </code></pre>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USkapa
    1. USkevinwaite
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
      1. USLuke
      1. VTFavorite
    3. VO
      singulars
      1. POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
      1. USHarry Johnston
      1. VTFavorite
    1. COThe access permissions mask and inheritance settings are identical to the ACE being revoked - per MS guidance (the only guidance I have found.) - Setting this ACE with the above code results in a new ACE that matches what I set -- but the original inherited ACE remains -- the ACL grew by 1 for this test - then the revoke of this test ACE worked correctly -- once again the original inherited ACE remains.
      singulars
      1. POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
      1. USkevinwaite
    2. CORemoving an inherited ACE breaks the rules for ACLs. The high-level APIs won't let you do this; the low-level APIs will, but you shouldn't. Instead, turn off inheritance on the target object and copy those ACEs that you want to keep, or consider using a Deny entry instead.
      singulars
      1. POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
      1. USHarry Johnston
    3. COThanks Harry - programmatically (via the APIs) **how** does one turn off inheritance on my targeted object? -- I have not been able to do this (grrr)..... Once inheritance is turned off - I know how to copy an ACE - in your comment you say to copy the ACEs I wish to keep - copy them to where? and once there how do you put them back to the "folder's" Security Descriptor -- I know some APIs to do that -- I am curious as to your thoughts/insight.... thanks again, regards Kevin Waite
      singulars
      1. POREVOKE_ACCESS : how to remove 'revoke' an inherited ACE?
      1. USkevinwaite
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload