Using the Access Control Editor

The Access Control Editor is a COM control that helps you to add a standard interface to your application—allowing administrators to set application security as needed. These are the same property pages that Microsoft uses within Windows 2000 to set security. The Access Control Editor uses two sets of property pages. The user will normally see a simple property page dialog. However, the Administrator will normally use the advanced property page shown in Figure 14.1. You can access this page by right-clicking any object (a drive works best) in Windows Explorer and choosing Properties from the context menu. Select the Security tab. Click Advanced.

Figure 14.1: The Advanced features of the Access Control Editor provide the administrator with full access control.

Both property pages allow the administrator to work with the security settings for an application with relative ease. However, the advanced dialog provides complete controls for setting every security aspect for this particular object. The Permissions tab sets the DACL, the Auditing tab the SACL, and the Owner tab the owner information. The only missing element is the group information, which isn’t important at the user level in many cases. Notice that most of the entries in the Permission Entries List in Figure 14.1 have human-readable names. However, the third entry uses a SID, rather than a name. Sometimes the Access Control Editor displays a SID rather than a name.

Now that we’ve seen the Access Control Editor user interface, let’s consider development issues. You create Access Control Editor property sheets using the ISecurityInformation interface. There are two main methods used to call on this interface: CreateSecurityPage() and EditSecurity(). The CreateSecurityPage() method adds a Security tab to an existing property sheet. You can use the PropertySheet() function or the PSM_ADDPAGE message to add the resulting property page to the existing property sheet. The EditSecurity() method displays the Security property page on a property sheet that’s created specifically to display the Access Control Editor.

Some two-way communication takes place between your application and the Access Control Editor. The Access Control Editor doesn’t know anything about your application when you first start it, so you have to supply this information. This means implementing several methods of the ISecurityInformation interface within your application. Table 14.4 provides a very brief description of these functions.

The GetObjectInformation() method implementation is important. You create an SI_OBJECT_INFO data structure and pass it to Access Control Editor. The data structure includes security dialog configuration information. For example, you can choose which features the user will see. You can also disable the Advanced button, making it impossible to change auditing options or the object owner. In addition, this data structure defines property page elements like the title bar contents, the name of the object, and the name of a server that Access Control Editor uses to look up object security information.