2.2.2.21.4 ComponentSecurityDescriptor
The ComponentSecurityDescriptor type represents a component-related security descriptor.
A packet of this type MUST be a SECURITY_DESCRIPTOR as specified in [MS-DTYP] section 2.4.6. Furthermore, the following restrictions apply to the fields:
The OwnerSid field MUST be present, but its value has no meaning.
The GroupSid field MUST be present, but its value has no meaning.
The Sacl field, if present, MUST be a ComponentSACL (section 2.2.2.21.3.3).
The Dacl field, if present, MUST be either an OldVersionComponentDACL (section 2.2.2.21.3.1) or a NewVersionComponentDACL (section 2.2.2.21.3.2).
An ORB might interpret the DACLs in all component-related security descriptors as if they were OldVersionComponentDACLs, or it might interpret both OldVersionComponentDACLs and NewVersionComponentDACLs. The NewVersionComponentDACL type has the property that, if it is interpreted as an OldVersionComponentDACL, each access-allowed or access-denied ACE will grant or deny all rights to the trustee rather than the more granular access rights. Whether or not an ORB interprets NewVersionComponentDACLs is ORB-specific.<25>
An ORB might or might not interpret the SACL, if present, in a component-related security descriptor. An ORB that does not interpret ComponentSACLs does not make authorization decisions on the basis of mandatory integrity level. Whether or not an ORB interprets ComponentSACLs is ORB-specific.<26>
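The field restrictions above can be checked structurally before a packet is handed to any authorization logic. The following is an added example, not code from the specification: it assumes the packet uses the self-relative SECURITY_DESCRIPTOR layout of [MS-DTYP] section 2.4.6, the function name check_component_sd and the sample buffers are constructed for illustration, and it does not validate the ACL contents against the ComponentSACL, OldVersionComponentDACL or NewVersionComponentDACL definitions, which live in other sections.

```python
import struct

# Control bits and layout per [MS-DTYP] section 2.4.6 (self-relative form assumed).
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
HEADER = struct.Struct("<BBHIIII")  # Revision, Sbz1, Control, Owner/Group/Sacl/Dacl offsets

def _check_sid(buf, off):
    # SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6) SubAuthority(4*n)
    if off + 8 > len(buf) or buf[off] != 1 or buf[off + 1] > 15:
        return False
    return off + 8 + 4 * buf[off + 1] <= len(buf)

def _check_acl(buf, off):
    # ACL header: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2)
    if off + 8 > len(buf):
        return False
    acl_size = struct.unpack_from("<H", buf, off + 2)[0]
    return acl_size >= 8 and off + acl_size <= len(buf)

def check_component_sd(buf):
    """Return (errors, has_sacl, has_dacl) for a candidate packet."""
    if len(buf) < HEADER.size:
        return ["shorter than SECURITY_DESCRIPTOR header"], False, False
    _rev, _sbz1, control, owner, group, sacl, dacl = HEADER.unpack_from(buf)
    errors = []
    if not control & SE_SELF_RELATIVE:
        errors.append("not self-relative; offsets cannot be trusted")
    # OwnerSid and GroupSid MUST be present, even though their values are ignored.
    for name, off in (("OwnerSid", owner), ("GroupSid", group)):
        if off == 0:
            errors.append(f"{name} absent (MUST be present)")
        elif not _check_sid(buf, off):
            errors.append(f"{name} malformed or out of bounds")
    # Sacl and Dacl are optional; bounds-check them only when present.
    has_sacl = bool(control & SE_SACL_PRESENT) and sacl != 0
    has_dacl = bool(control & SE_DACL_PRESENT) and dacl != 0
    for name, present, off in (("Sacl", has_sacl, sacl), ("Dacl", has_dacl, dacl)):
        if present and not _check_acl(buf, off):
            errors.append(f"{name} malformed or out of bounds")
    return errors, has_sacl, has_dacl

# Constructed samples: owner and group S-1-5-18, an empty DACL, no SACL.
SID = bytes([1, 1, 0, 0, 0, 0, 0, 5]) + struct.pack("<I", 18)
EMPTY_ACL = struct.pack("<BBHHH", 2, 0, 8, 0, 0)
GOOD = HEADER.pack(1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 20, 32, 0, 44) + SID + SID + EMPTY_ACL
NO_GROUP = HEADER.pack(1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 20, 0, 0, 32) + SID + EMPTY_ACL

if __name__ == "__main__":
    print(check_component_sd(GOOD))
    print(check_component_sd(NO_GROUP))
```

The has_sacl result tells a reviewer whether the descriptor carries a SACL at all; whether it is acted on still depends on the ORB.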