The interface "IAce" implements everything you need when dealing with ACEs. ACEs ("Access-Control Entries") are the items of ACLs ("Access-Control Lists"). An ACE can grant or deny specific access rights for a specific user/group account. In win9x "madSecurity" simulates ACEs and internally maps their meaning to the win9x APIs. A list of properties and methods can be found in the IAce Reference.

type IAce = interface (IBasic) ['{449EEF60-3AB3-11D3-A52D-00005A180D69}'];

You can create a new ACE by passing (at least) an IAccount object and an access mask. In winNT/2000 you can also specify an ACE type and some ACE flags.

  TAceType  = (atAllowed, atDenied, atSystemAudit, atSystemAlarm,
               atAllowedObject, atDeniedObject, atSystemAuditObject, atSystemAlarmObject);
  TAceFlag  = (afObjectInherit, afContainerInherit, afNoPropagateInherit, afInheritOnly, afInherited,
               af20, afSuccessfulAccess, afFailedAccess);
  TAceFlags = set of TAceFlag;

function NewAce (const account : IAccount;
                 access        : cardinal;
                 type_         : TAceType  = atAllowed;
                 flags         : TAceFlags = []       ) : IAce;

The property "Account" tells you which IAccount this ACE affects.

property IAce.Account : IAccount;

The property "Access" lets you get and set the access mask of this ACE. In win9x only the lower two bytes are used.

property IAce.Access : cardinal;

The following properties give you full access to the type of the ACE (in win9x it's always "atAllowed") and the flags of this ACE (in win9x flags are not supported). However, you can't change the ACE from non-object to object or vice versa.

property IAce.Type_ : TAceType;
property IAce.Flags : TAceFlags;
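
A review helper built only on "NewAce" and the "Type_", "Flags" and "Access" properties described above, as an added example that is not part of madSecurity or its documentation. The unit name "AceReview", both function names and the locally declared mask constants are assumptions of the example (the mask values are the standard Win32 ones), as is "madSecurity" being the unit to put in the uses clause.

```delphi
unit AceReview;  // hypothetical unit name for this added example

interface

uses
  madSecurity;  // assumption: the unit that declares IAce, IAccount and NewAce

// True if the ACE lets its account take control of the object's security.
function GrantsControl(const ace: IAce): boolean;

// Builds a deny ACE for "account" that child containers and objects inherit.
function NewInheritableDeny(const account: IAccount; access: cardinal): IAce;

implementation

const
  // Win32 access-mask bits, declared locally so only one unit is needed
  ACCESS_WRITE_DAC   = $00040000;  // may rewrite the ACL
  ACCESS_WRITE_OWNER = $00080000;  // may take ownership
  ACCESS_GENERIC_ALL = $10000000;  // maps to every right of the object type
  CONTROL_BITS       = ACCESS_WRITE_DAC or ACCESS_WRITE_OWNER or ACCESS_GENERIC_ALL;

function GrantsControl(const ace: IAce): boolean;
begin
  result := false;
  if ace = nil then exit;
  // Only allow-type ACEs grant anything; deny and audit ACEs are skipped.
  if not (ace.Type_ in [atAllowed, atAllowedObject]) then exit;
  // An inherit-only ACE is not evaluated for the object it is stored on.
  if afInheritOnly in ace.Flags then exit;
  // All three bits lie above the lower two bytes, which is all win9x uses.
  result := (ace.Access and CONTROL_BITS) <> 0;
end;

function NewInheritableDeny(const account: IAccount; access: cardinal): IAce;
begin
  // Type and flags are the optional NewAce parameters (winNT/2000 only).
  result := NewAce(account, access, atDenied, [afObjectInherit, afContainerInherit]);
end;

end.
```

An ACE that "GrantsControl" skips because of "afInheritOnly" still applies to child objects, so a full review has to evaluate the children's ACLs as well.
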

The following properties apply to the Windows standard ACE structure, which is represented by the current "IAce" object. "PAce" gives you the address of the Windows ACE structure, "Size" gives you the size of the structure. In win9x you'll get nil/0.

property IAce.PAce : pointer;
property IAce.Size : word;

The property "OwnerAcl" tells you to which ACL this ACE belongs, if any.

property IAce.OwnerAcl : IAcl;

The following interface is only supported in winNT. It's an extension to the "IAce" interface, adding some additional properties for object ACEs. See also the IObjAce Reference.

type IObjAce = interface (IAce) ['{CBF310E0-46AC-11D3-A52D-00005A180D69}'];

property IObjAce.ObjFlags         : cardinal;
property IObjAce.ObjType          : TGuid;
property IObjAce.InheritedObjType : TGuid;