All objects in the Windows NT environment can have an Access Control List (ACL). An ACL defines a set of users and groups, and the kind of access each has on the object. The most visible and important ACLs are those that protect all elements in the Windows NT native file system format (NTFS) and the Windows NT registry. To change the security descriptor of a file or directory object, call the SetNamedSecurityInfo or SetSecurityInfo function. Creating or Modifying an ACL Windows NT versions 4.0 and later support a set of functions for creating an access-control list (ACL) or for modifying the access-control entries (ACEs) in an existing ACL. The SetEntriesInAcl function creates a new ACL. SetEntriesInAcl can specify a completely new set of ACEs for the ACL, or it can merge one or more new ACEs with the ACEs of an existing ACL. The SetEntriesInAcl function uses an array of EXPLICIT_ACCESS structures to specify the information for the new ACEs. Each EXPLICIT_ACCESS structure contains information that describes a single ACE. This information includes the access rights, the type of ACE, the flags that control ACE inheritance, and a TRUSTEE structure that identifies the trustee. To add a new ACE to an existing ACL Use the GetSecurityInfo or GetNamedSecurityInfo function to get the existing DACL or SACL from an object's security descriptor. For each new ACE, call the BuildExplicitAccessWithName function to fill an EXPLICIT_ACCESS structure with the information that describes the ACE. Call SetEntriesInAcl, specifying the existing ACL and an array of EXPLICIT_ACCESS structures for the new ACEs. The SetEntriesInAcl function allocates and initializes the ACL and its ACEs. Call the SetSecurityInfo or SetNamedSecurityInfo function to attach the new ACL to the object's security descriptor. If the caller specifies an existing ACL, SetEntriesInAcl merges the new ACE information with the existing ACEs in the ACL. Consider the case, for example, in which the existing ACL grants access to a specified trustee and an EXPLICIT_ACCESS structure denies access to the same trustee. In this case, SetEntriesInAcl adds a new access-denied ACE for the trustee and deletes or modifies the existing access-allowed ACE for the trustee. For sample code that merges a new ACE into an existing ACL, see Modifying an Object's ACLs.
HOWTO: Use High-Level Access Control APIs from Visual Basic Q295004although it is about VB, but you can find out the API and constants used to implement the feature.
Creating or Modifying an ACL
Windows NT versions 4.0 and later support a set of functions for creating an access-control list (ACL) or for modifying the access-control entries (ACEs) in an existing ACL. The SetEntriesInAcl function creates a new ACL. SetEntriesInAcl can specify a completely new set of ACEs for the ACL, or it can merge one or more new ACEs with the ACEs of an existing ACL. The SetEntriesInAcl function uses an array of EXPLICIT_ACCESS structures to specify the information for the new ACEs. Each EXPLICIT_ACCESS structure contains information that describes a single ACE. This information includes the access rights, the type of ACE, the flags that control ACE inheritance, and a TRUSTEE structure that identifies the trustee. To add a new ACE to an existing ACL Use the GetSecurityInfo or GetNamedSecurityInfo function to get the existing DACL or SACL from an object's security descriptor.
For each new ACE, call the BuildExplicitAccessWithName function to fill an EXPLICIT_ACCESS structure with the information that describes the ACE.
Call SetEntriesInAcl, specifying the existing ACL and an array of EXPLICIT_ACCESS structures for the new ACEs. The SetEntriesInAcl function allocates and initializes the ACL and its ACEs.
Call the SetSecurityInfo or SetNamedSecurityInfo function to attach the new ACL to the object's security descriptor.
If the caller specifies an existing ACL, SetEntriesInAcl merges the new ACE information with the existing ACEs in the ACL. Consider the case, for example, in which the existing ACL grants access to a specified trustee and an EXPLICIT_ACCESS structure denies access to the same trustee. In this case, SetEntriesInAcl adds a new access-denied ACE for the trustee and deletes or modifies the existing access-allowed ACE for the trustee. For sample code that merges a new ACE into an existing ACL, see Modifying an Object's ACLs.