An access control entry (ACE) is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee. For information about adding, removing, or changing the ACEs in an object's ACLs, see Modifying the ACLs of an Object in C++.
(An ACE is an element of an ACL. An ACL can contain any number of ACEs, or none at all. Each ACE controls or monitors a trustee's access to a protected object.)
There are six types of ACEs, three of which are supported by all securable objects. The other three types are object-specific ACEs supported by directory service objects.
(There are six ACE types, three of which are supported by all securable objects. The other three are object-specific ACEs, supported by directory service objects.)
All types of ACEs contain the following access control information:
- A security identifier (SID) that identifies the trustee to which the ACE applies.
- An access mask that specifies the access rights controlled by the ACE.
- A flag that indicates the type of ACE.
- A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.
(All ACE types consist of the following access control information:
1. A security identifier (SID) that identifies the trustee the ACE applies to
2. An access mask specifying the access rights controlled by the ACE
3. A flag indicating the ACE type
4. A set of bit flags that decide whether child containers or child objects can inherit the ACE from the primary object to which the ACL is attached)
The three ACE types supported by all securable objects are:
1. Access-denied ACE: Used in a discretionary access control list (DACL) to deny access rights to a trustee.
(Access-denied ACE: used in a DACL to deny a trustee access.)
2. Access-allowed ACE: Used in a DACL to allow access rights to a trustee.
(Access-allowed ACE: used in a DACL to allow a trustee access.)
3. System-audit ACE: Used in a system access control list (SACL) to generate an audit record when the trustee attempts to exercise the specified access rights.
(System-audit ACE: used in a SACL to generate an audit record when the trustee attempts to exercise the specified access rights.)
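The four pieces of information listed above map directly onto the binary layout of these three ACE types (a 4-byte ACE_HEADER carrying AceType, AceFlags and AceSize, a 4-byte access mask, then the trustee SID). The following decoder is an added example, not code from the original post or from MSDN; the type and flag constants follow the Windows SDK headers, and the three-ACE sample buffer is constructed here for the demonstration.

```python
import struct

# AceType / AceFlags values as defined in the Windows SDK headers
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}
ACE_FLAGS = {0x01: "OBJECT_INHERIT", 0x02: "CONTAINER_INHERIT",
             0x04: "NO_PROPAGATE_INHERIT", 0x08: "INHERIT_ONLY", 0x10: "INHERITED",
             0x40: "SUCCESSFUL_ACCESS", 0x80: "FAILED_ACCESS"}

def sid_to_string(raw):
    """Render a binary SID as S-R-I-S...; returns (string, bytes consumed)."""
    revision, count = raw[0], raw[1]
    if len(raw) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)   # sub-authorities, little-endian DWORDs
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count

def parse_ace(raw):
    """Decode one ACE of the three common types into type, flags, access mask and trustee."""
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", raw, 0)   # ACE_HEADER
    if ace_type not in ACE_TYPES:
        raise ValueError("unsupported ACE type 0x%02x" % ace_type)
    if ace_size < 8 or ace_size > len(raw):
        raise ValueError("AceSize %d inconsistent with buffer" % ace_size)
    mask = struct.unpack_from("<I", raw, 4)[0]          # access mask
    sid, sid_len = sid_to_string(raw[8:ace_size])       # trustee SID begins at SidStart
    if 8 + sid_len != ace_size:
        raise ValueError("SID length does not match AceSize")
    return {"type": ACE_TYPES[ace_type], "mask": mask, "trustee": sid, "size": ace_size,
            "flags": [name for bit, name in ACE_FLAGS.items() if ace_flags & bit]}

def parse_aces(raw):
    """Walk consecutive ACEs (the body of an ACL after its 8-byte ACL header)."""
    aces, offset = [], 0
    while offset < len(raw):
        aces.append(parse_ace(raw[offset:]))
        offset += aces[-1]["size"]
    return aces

def build_ace(ace_type, ace_flags, mask, sid_bytes):
    """Assemble an ACE; used only to construct the sample input below."""
    return struct.pack("<BBHI", ace_type, ace_flags, 8 + len(sid_bytes), mask) + sid_bytes

# Constructed sample ACL body: Administrators (S-1-5-32-544) allowed FILE_ALL_ACCESS with
# inheritance, Everyone (S-1-1-0) denied WRITE_DAC, plus a failed-access audit ACE.
ADMINS = struct.pack("<BB6B2I", 1, 2, 0, 0, 0, 0, 0, 5, 32, 544)
EVERYONE = struct.pack("<BB6BI", 1, 1, 0, 0, 0, 0, 0, 1, 0)
SAMPLE = (build_ace(0x00, 0x03, 0x1F01FF, ADMINS)
          + build_ace(0x01, 0x00, 0x40000, EVERYONE)
          + build_ace(0x02, 0x80, 0x1F01FF, EVERYONE))
```

`parse_aces(SAMPLE)` returns one dict per ACE; a buffer whose AceSize disagrees with the bytes actually present is rejected rather than silently misread.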
I translated "trustee" as 受信对象; MSDN explains it as "A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies." My understanding is that a trustee is the user account, group account, or logon session in an ACE.