/// <para>If Id is set to this value, then pData points to a security descriptor and cbData is the number of bytes in pData.</para>
/// <para>pData2 is NULL and cbData2 is 0.</para>
/// </summary>
SECURITY_OBJECT_ID_OBJECT_SD=1,
/// <summary>
/// The security descriptor of a network share.
/// <para>
/// If Id is set to this value, then pData points to the ISecurityInformation interface of an object that represents the security context of the share.
/// </para>
/// <para>
/// If the security descriptor is not yet available, then pData2 must be a handle to a waitable object that is signaled when the security descriptor
/// is ready when the GetSecondarySecurity method returns S_FALSE. The waitable object should be created by the CreateEvent function. In this case,
/// cbData2 is 0.
/// </para>
/// <para>This identifier is only applicable to file system objects.</para>
/// </summary>
SECURITY_OBJECT_ID_SHARE=2,
/// <summary>
/// The security descriptor of a central access policy.
/// <para>
/// If Id is set to this value, then pData points to the security descriptor with an empty DACL, an owner, group, and attribute access control
/// entries (ACEs) that match the resource's owner, group, and attributes as well as a SCOPE_SECURITY_INFORMATION_ACE that contains the central
/// policy's ID. cbData is set to the number of bytes in pData.
/// </para>
/// <para>pData2 is NULL and cbData2 is 0.</para>
/// <para>
/// The security descriptor is constructed to allow computing effective permissions to correctly determine when access is limited by the central
/// policy and higher detail of the central access rule cannot be determined. This is used when a central access policy that applies to a resource
/// cannot be resolved into its elemental central access rules.
/// </para>
/// </summary>
SECURITY_OBJECT_ID_CENTRAL_POLICY=3,
/// <summary>
/// The security descriptor of a central access rule.
/// <para>
/// If Id is set to this value, then pData points to the security descriptor with an owner, group, and attribute ACEs that match the resource's
/// owner, group, and attributes, and a discretionary access control list (DACL) that matches the central access rule's DACL. cbData is set to the
/// number of bytes in pData.
/// </para>
/// <para>
/// In addition, pData2 points to a security descriptor with a DACL that contains a conditional ACE that grants 0x1 to Everyone if the resource
/// condition from the central access rule evaluates to TRUE. cbData2 is set to the number of bytes in pData2.
/// </para>
/// <para>
/// The security descriptor is constructed to allow computing effective permissions to determine when access is limited by the central access policy
/// at the highest detail. That is, access is limited by pointing to a central policy rule.
/// </para>
/// </summary>
SECURITY_OBJECT_ID_CENTRAL_ACCESS_RULE=4
}
/// <summary>A set of bit flags that determine the editing options available to the user.</summary>
[Flags]
publicenumSI_OBJECT_INFO_Flags:uint
{
/// <summary>
/// The Advanced button is displayed on the basic security property page. If the user clicks this button, the system displays an advanced security
/// property sheet that enables advanced editing of the discretionary access control list (DACL) of the object.
/// </summary>
SI_ADVANCED=0x00000010,
/// <summary>
/// If this flag is set, a shield is displayed on the Edit button of the advanced Auditing pages. For NTFS objects, this flag is requested when the
/// user does not have READ_CONTROL or ACCESS_SYSTEM_SECURITY access. Windows Server 2003 and Windows XP: This flag is not supported.
/// </summary>
SI_AUDITS_ELEVATION_REQUIRED=0x02000000,
/// <summary>
/// Indicates that the object is a container. If this flag is set, the access control editor enables the controls relevant to the inheritance of
/// permissions onto child objects.
/// </summary>
SI_CONTAINER=0x00000004,
/// <summary>Combines the EditPerms, EditOwner, and EditAudit flags.</summary>
/// If this flag is set and the user clicks the Advanced button, the system displays an advanced security property sheet that includes an Auditing
/// property page for editing the object's SACL.
/// </summary>
SI_EDIT_AUDITS=0x00000002,
/// <summary>If this flag is set, the Effective Permissions page is displayed.</summary>
SI_EDIT_EFFECTIVE=0x00020000,
/// <summary>
/// If this flag is set and the user clicks the Advanced button, the system displays an advanced security property sheet that includes an Owner
/// property page for changing the object's owner.
/// </summary>
SI_EDIT_OWNER=0x00000001,
/// <summary>
/// This is the default value. The basic security property page always displays the controls for basic editing of the object's DACL. To disable these
/// controls, set the ReadOnly flag.
/// </summary>
SI_EDIT_PERMS=0x00000000,
/// <summary>
/// If this flag is set, the system enables controls for editing ACEs that apply to the object's property sets and properties. These controls are
/// available only on the property sheet displayed when the user clicks the Advanced button.
/// </summary>
SI_EDIT_PROPERTIES=0x00000080,
/// <summary>
/// Indicates that the access control editor cannot read the DACL but might be able to write to the DACL. If a call to the
/// ISecurityInformation::GetSecurity method returns AccessDenied, the user can try to add a new ACE, and a more appropriate warning is displayed.
/// </summary>
SI_MAY_WRITE=0x10000000,
/// <summary>
/// If this flag is set, the access control editor hides the check box that allows inheritable ACEs to propagate from the parent object to this
/// object. If this flag is not set, the check box is visible. The check box is clear if the SE_DACL_PROTECTED flag is set in the object's security
/// descriptor. In this case, the object's DACL is protected from being modified by inheritable ACEs. If the user clears the check box, any inherited
/// ACEs in the security descriptor are deleted or converted to noninherited ACEs. Before proceeding with this conversion, the system displays a
/// warning message box to confirm the change.
/// </summary>
SI_NO_ACL_PROTECT=0x00000200,
/// <summary>If this flag is set, the access control editor hides the Special Permissions tab on the Advanced Security Settings page.</summary>
SI_NO_ADDITIONAL_PERMISSION=0x00200000,
/// <summary>
/// If this flag is set, the access control editor hides the check box that controls the NO_PROPAGATE_INHERIT_ACE flag. This flag is relevant only
/// when the Advanced flag is also set.
/// </summary>
SI_NO_TREE_APPLY=0x00000400,
/// <summary>
/// When set, indicates that the ObjectGuid property is valid. This is set in comparisons with object-specific ACEs in determining whether the ACE
/// applies to the current object.
/// </summary>
SI_OBJECT_GUID=0x00010000,
/// <summary>
/// If this flag is set, a shield is displayed on the Edit button of the advanced Owner page. For NTFS objects, this flag is requested when the user
/// does not have WRITE_OWNER access. This flag is valid only if the owner page is requested. Windows Server 2003 and Windows XP: This flag is not supported.
/// </summary>
SI_OWNER_ELEVATION_REQUIRED=0x04000000,
/// <summary>
/// If this flag is set, the user cannot change the owner of the object. Set this flag if EditOwner is set but the user does not have permission to
/// change the owner.
/// </summary>
SI_OWNER_READONLY=0x00000040,
/// <summary>
/// Combine this flag with Container to display a check box on the owner page that indicates whether the user intends the new owner to be applied to
/// all child objects as well as the current object. The access control editor does not perform the recursion.
/// </summary>
SI_OWNER_RECURSE=0x00000100,
/// <summary>
/// If this flag is set, the Title property value is used as the title of the basic security property page. Otherwise, a default title is used.
/// </summary>
SI_PAGE_TITLE=0x00000800,
/// <summary>
/// If this flag is set, an image of a shield is displayed on the Edit button of the simple and advanced Permissions pages. For NTFS objects, this
/// flag is requested when the user does not have READ_CONTROL or WRITE_DAC access. Windows Server 2003 and Windows XP: This flag is not supported.
/// </summary>
SI_PERMS_ELEVATION_REQUIRED=0x01000000,
/// <summary>
/// If this flag is set, the editor displays the object's security information, but the controls for editing the information are disabled. This flag
/// cannot be combined with the ViewOnly flag.
/// </summary>
SI_READONLY=0x00000008,
/// <summary>
/// If this flag is set, the Default button is displayed. If the user clicks this button, the access control editor calls the
/// IAccessControlEditorDialogProvider.DefaultSecurity to retrieve an application-defined default security descriptor. The access control editor uses
/// this security descriptor to reinitialize the property sheet, and the user is allowed to apply the change or cancel.
/// </summary>
SI_RESET=0x00000020,
/// <summary>When set, this flag displays the Reset Defaults button on the Permissions page.</summary>
SI_RESET_DACL=0x00040000,
/// <summary>
/// When set, this flag displays the Reset permissions on all child objects and enable propagation of inheritable permissions check box in the
/// Permissions page of the Access Control Settings window. This function does not reset the permissions and enable propagation of inheritable permissions.
/// </summary>
SI_RESET_DACL_TREE=0x00004000,
/// <summary>When set, this flag displays the Reset Defaults button on the Owner page.</summary>
SI_RESET_OWNER=0x00100000,
/// <summary>When set, this flag displays the Reset Defaults button on the Auditing page.</summary>
SI_RESET_SACL=0x00080000,
/// <summary>
/// When set, this flag displays the Reset auditing entries on all child objects and enables propagation of the inheritable auditing entries check
/// box in the Auditing page of the Access Control Settings window. This function does not reset the permissions and enable propagation of
/// inheritable permissions.
/// </summary>
SI_RESET_SACL_TREE=0x00008000,
/// <summary>
/// Set this flag if the computer defined by the ServerName property is known to be a domain controller. If this flag is set, the domain name is
/// included in the scope list of the Add Users and Groups dialog box. Otherwise, the pszServerName computer is used to determine the scope list of
/// The IEffectivePermission2 interface provides a way to determine effective permissions for a security principal on an object in a way where the
/// principal's security context may be compounded with a device context or adjusted in other ways. Additionally, it determines the effective permissions
/// even when multiple security checks apply. The access control editor uses this information to communicate the effective permissions to the client.
/// The ComputeEffectivePermissionWithSecondarySecurity method computes the effective permissions for an object. It supports integrating secondary or
/// custom security policies. You may choose to provide this additional security information by implementing the ISecurityInformation4 interface.
/// This method supports compound identity, which is when a principal's access token contains user and device authorization information.
/// </summary>
/// <param name="pSid">A pointer to a SID structure that represents the security principal whose effective permission is being determined.</param>
/// <param name="pDeviceSid">
/// A pointer to a SID structure that represents the device from which the principal is accessing the object. If this is not NULL and you are using
/// the AuthzAccessCheck function to compute the effective permissions, then the device SID may be compounded with the pSid parameter by using the
/// AuthzInitializeCompoundContext function.
/// </param>
/// <param name="pszServerName">
/// The name of the server on which the object resides. This is the same name that was returned from the ISecurityInformation::GetObjectInformation method.
/// </param>
/// <param name="pSecurityObjects">
/// An array of security objects. This array is composed of objects that were deduced by the access control editor in addition to the ones returned
/// from the ISecurityInformation4::GetSecondarySecurity method.
/// </param>
/// <param name="dwSecurityObjectCount">
/// The number of security objects in the pSecurityObjects parameter, and the number of results lists in the pEffpermResultLists parameter.
/// </param>
/// <param name="pUserGroups">
/// A pointer to additional user groups that should be used to modify the security context which was initialized from the pSid parameter. If you are
/// using the AuthzAccessCheck function to compute the effective permissions, then the modification may be done by calling the AuthzModifySids
/// function using AuthzContextInfoGroupsSids as the SidClass parameter.
/// </param>
/// <param name="pAuthzUserGroupsOperations">
/// Pointer to an array of AUTHZ_SID_OPERATION structures that specify how the user groups in the authz context must be modified for each user group
/// in the pUserGroups argument. This array contains as many elements as the number of groups in the pUserGroups parameter.
/// </param>
/// <param name="pDeviceGroups">
/// A pointer to additional device groups that should be used to modify the security context which was initialized from the pSid parameter or one
/// that was created by compounding the contexts that were initialized from the pSid and pDeviceSid parameters. If you are using the AuthzAccessCheck
/// function to compute the effective permissions, then the modification may be done by calling the AuthzModifySids function using
/// AuthzContextInfoDeviceSids as the SidClass parameter.
/// </param>
/// <param name="pAuthzDeviceGroupsOperations">
/// Pointer to an array of AUTHZ_SID_OPERATION enumeration types that specify how the device groups in the authz context must be modified for each
/// device group in the pDeviceGroups argument. This array contains as many elements as the number of groups in the pDeviceGroups parameter.
/// </param>
/// <param name="pAuthzUserClaims">
/// Pointer to an AUTHZ_SECURITY_ATTRIBUTES_INFORMATION structure that contains the user claims context that should be used to modify the security
/// context that was initialized from the pSid parameter. If you are using the AuthzAccessCheck function to compute the effective permissions, then
/// the modification may be done by calling the AuthzModifyClaims function using AuthzContextInfoUserClaims as the ClaimClass parameter.
/// </param>
/// <param name="pAuthzUserClaimsOperations">
/// Pointer to an AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration type that specifies the operations associated with the user claims context.
/// </param>
/// <param name="pAuthzDeviceClaims">
/// A pointer to the device claims context that should be used to modify the security context that was initialized from the pSid parameter or one
/// that was created by compounding the contexts that were initialized from the pSid and pDeviceSid parameters. This may be supplied by the caller,
/// even if the pDeviceSid parameter is not. If you are using the AuthzAccessCheck function to compute the effective permissions, then the
/// modification may be done by calling the AuthzModifyClaims function using AuthzContextInfoDeviceClaims as the ClaimClass parameter.
/// </param>
/// <param name="pAuthzDeviceClaimsOperations">
/// Pointer to an AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumeration type that specifies the operations associated with the device claims context.
/// </param>
/// <param name="pEffpermResultLists">
/// A pointer to an array of the effective permissions results of type EFFPERM_RESULT_LIST. This array is dwSecurityObjectCount elements long. The
/// array is initialized by the caller and the implementation is expected to set all fields of each member in the array, indicating what access was
/// granted by the corresponding security object.
/// <para>
/// If a security object was considered, the fEvaluated member should be set to TRUE. In this case, the pObjectTypeList and pGrantedAccessList
/// members should both be cObjectTypeListLength elements long. The pObjectTypeList member must point to memory that is owned by the resource manager
/// and must remain valid until the EditSecurity function exits. The pGrantedAccessList member is freed by the caller by using the LocalFree
/// function. If the resource manager does not support object ACEs, then the pObjectTypeList member should point to the NULL GUID, the
/// cObjectTypeListLength member should be 1, and the pGrantedAccessList member should be a single DWORD.
/// The ISecurityInformation interface enables the access control editor to communicate with the caller of the CreateSecurityPage and EditSecurity
/// functions. The editor calls the interface methods to retrieve information that is used to initialize its pages and to determine the editing options
/// available to the user. The editor also calls the interface methods to pass the user's input back to the application.
/// The ISecurityInformation2 interface enables the access control editor to obtain information from the client that is not provided by the
/// ISecurityInformation interface. The client does not need to implement ISecurityInformation2 unless the default behavior of the access control editor
/// The ISecurityInformation3 interface provides methods necessary for displaying an elevated access control editor when a user clicks the Edit button on
/// an access control editor page that displays an image of a shield on that Edit button. The image of a shield is displayed on the Edit button when the
/// access control editor is launched by a process with a token that lacks permission to save changes to the object being edited.
/// The OpenElevatedEditor method opens an access control editor when a user clicks the Edit button on an access control editor page that displays an
/// image of a shield on that Edit button. The image of a shield is displayed when the access control editor is launched by a process with a token
/// that lacks permission to save changes to the object being edited.
/// </summary>
/// <param name="hWnd">The parent window of the access control editor.</param>
/// <param name="uPage">A value of the SI_PAGE_TYPE enumeration that indicates the page type on which to display the elevated access control editor.</param>
/// The ISecurityObjectTypeInfo interface provides a means of determining the source of inherited access control entries (ACEs) in discretionary access
/// control lists (DACLs) and system access control lists (SACLs). The access control editor uses this information to communicate the inheritance source
/// <summary>The CreateSecurityPage function creates a basic security property page that enables the user to view and edit the access rights allowed or denied by the access control entries (ACEs) in an object's discretionary access control list (DACL). Use the PropertySheet function or the PSM_ADDPAGE message to add this page to a property sheet.</summary>
/// <param name="psi">A pointer to your implementation of the ISecurityInformation interface. The system calls the interface methods to retrieve information about the object being edited and to return the user's input.</param>
/// <returns>If the function succeeds, the function returns a handle to a basic security property page. If the function fails, it returns NULL. To get extended error information, call GetLastError.</returns>
/// The EditSecurityAdvanced function extends the EditSecurity function to include the security page type when displaying the property sheet that
/// contains a basic security property page. This property page enables the user to view and edit the access rights allowed or denied by the access
/// control entries (ACEs) in an object's discretionary access control list (DACL).
/// </summary>
/// <param name="hwnd">A handle to the window that owns the property sheet. This parameter can be NULL.</param>
/// <param name="psi">
/// A pointer to your implementation of the ISecurityInformation interface. The system calls the interface methods to retrieve information about the
/// object being edited and to return the user's input.
/// </param>
/// <param name="pageType">A value of the SI_PAGE_TYPE enumeration that indicates the page type on which to display the elevated access control editor.</param>
/// <returns>If the function succeeds, the return value is S_OK. If the function fails, any other HRESULT value indicates an error.</returns>
/// The EditSecurityAdvanced function extends the EditSecurity function to include the security page type when displaying the property sheet that
/// contains a basic security property page. This property page enables the user to view and edit the access rights allowed or denied by the access
/// control entries (ACEs) in an object's discretionary access control list (DACL).
/// </summary>
/// <param name="hwnd">A handle to the window that owns the property sheet. This parameter can be NULL.</param>
/// <param name="psi">
/// A pointer to your implementation of the ISecurityInformation interface. The system calls the interface methods to retrieve information about the
/// object being edited and to return the user's input.
/// </param>
/// <param name="pageType">A value of the SI_PAGE_TYPE enumeration that indicates the page type on which to display the elevated access control editor.</param>
/// <param name="pageActivated">A value of the SI_PAGE_ACTIVATED enumeration that indicates the page type that is activated when the editor opens.</param>
/// <returns>If the function succeeds, the return value is S_OK. If the function fails, any other HRESULT value indicates an error.</returns>
/// <summary>The number of elements in both the pObjectTypeList and pGrantedAccessList members.</summary>
publicuintcObjectTypeListLength;
/// <summary>A pointer to an array of OBJECT_TYPE_LIST structures that specifies the properties and property sets for which access was evaluated.</summary>
/// Class contains information about an access right or default access mask for a securable object. The <see cref="ISecurityInformation.GetAccessRights"/>
/// method uses this class to specify information that the access control editor uses to initialize its property pages.
/// Contains information about how access control entries (ACEs) can be inherited by child objects. The <see cref="ISecurityInformation.GetInheritTypes"/>
/// method uses this structure to specify display strings that the access control editor uses to initialize its property pages.
/// A pointer to a null-terminated, Unicode string that names the computer on which to look up account names and SIDs. This value can be NULL to
/// specify the local computer. The access control editor does not free this pointer.
/// </summary>
[MarshalAs(UnmanagedType.LPWStr)]
publicstringpszServerName;
/// <summary>
/// A pointer to a null-terminated, Unicode string that names the object being edited. This name appears in the title of the advanced security
/// property sheet and any error message boxes displayed by the access control editor. The access control editor does not free this pointer.
/// </summary>
[MarshalAs(UnmanagedType.LPWStr)]
publicstringpszObjectName;
/// <summary>
/// A pointer to a null-terminated, Unicode string used as the title of the basic security property page. This member is ignored unless the
/// SI_PAGE_TITLE flag is set in dwFlags. If the page title is not provided, a default title is used. The access control editor does not free this pointer.
/// </summary>
[MarshalAs(UnmanagedType.LPWStr)]
publicstringpszPageTitle;
/// <summary>A GUID for the object. This member is ignored unless the SI_OBJECT_GUID flag is set in dwFlags.</summary>
publicGuidguidObjectType;
/// <summary>Initializes a new instance of the <see cref="SI_OBJECT_INFO"/> struct.</summary>
/// <param name="flags">A set of bit flags that determine the editing options available to the user.</param>
/// <param name="objectName">Names the object being edited.</param>
/// <param name="serverName">Names the computer on which to look up account names and SIDs.</param>
/// <param name="pageTitle">The title of the basic security property page.</param>
/// <param name="guidObject">The unique identifier for the object.</param>
/// The SID_INFO structure contains the list of common names corresponding to the SID structures returned by ISecurityInformation2::LookupSids. It is a
