See Also: CommonAcl Members
Certain combinations of inheritance and access mask flags are meaningless:
Any access control entry (ACE) with a zero-access mask is removed.
Inherit-only ACEs inside object ACLs are removed.
On DACLs, SystemAudit and SystemAlarm ACEs are removed.
On system access control lists (SACLs), AccessAllowed and AccessDenied ACEs are removed.
Canonical order is maintained according to the following algorithm:
Explicit ACEs take precedence over inherited ACEs; this rule applies to both DACLs and SACLs.
In DACLs, among the explicit ACEs, ACEs that deny access take precedence over ACEs that allow access. For directory object ACLs, the nonobject ACEs come before object ACEs.
All common ACEs take precedence over noncommon ACEs.
Inherited ACEs maintain their relative order after canonicity.
Unrecognized and custom ACEs are disallowed in both DACLs and SACLs.
Within contiguous ranges (explicit AccessDenied and AccessAllowed ACEs on DACLs, all explicit ACEs on SACLs), the ACEs are sorted by using the System.Security.Principal.SecurityIdentifier.CompareTo methods of the System.Security.Principal.SecurityIdentifier objects associated with the ACEs.
Adjacent ACEs are combined, if appropriate. This reduces the size of the ACL without affecting the access control semantics it grants.