AuthzAccessCheck function (authz.h)
The AuthzAccessCheck function determines which access bits can be granted to a client for a given set of security descriptors. The AUTHZ_ACCESS_REPLY structure returns an array of granted access masks and error status. Optionally, access masks that will always be granted can be cached, and a handle to cached values is returned.
Syntax
AUTHZAPI BOOL AuthzAccessCheck(
[in] DWORD Flags,
[in] AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
[in] PAUTHZ_ACCESS_REQUEST pRequest,
[in, optional] AUTHZ_AUDIT_EVENT_HANDLE hAuditEvent,
[in] PSECURITY_DESCRIPTOR pSecurityDescriptor,
[in, optional] PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray,
[in, optional] DWORD OptionalSecurityDescriptorCount,
[in, out] PAUTHZ_ACCESS_REPLY pReply,
[out, optional] PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults
);
Parameters
[in] Flags
A DWORD value that specifies how the security descriptor is copied. This parameter can be one of the following values.
Starting with Windows 8 and Windows Server 2012, when you call this function on a remote context handle, the upper 16 bits must be zero.
| Value | Meaning |
|---|---|
|
If phAccessCheckResults is not NULL, a deep copy of the security descriptor is copied to the handle referenced by phAccessCheckResults. |
|
A deep copy of the security descriptor is not performed. The calling application must pass the address of an AUTHZ_ACCESS_CHECK_RESULTS_HANDLE handle in phAccessCheckResults. The AuthzAccessCheck function sets this handle to a security descriptor that must remain valid during subsequent calls to AuthzCachedAccessCheck. |
[in] hAuthzClientContext
A handle to a structure that represents the client.
Starting with Windows 8 and Windows Server 2012, the client context can be local or remote.
[in] pRequest
A pointer to an AUTHZ_ACCESS_REQUEST structure that specifies the desired access mask, principal self security identifier (SID), and the object type list structure, if it exists.
[in, optional] hAuditEvent
A structure that contains object-specific audit information. When the value of this parameter is not null, an audit is automatically requested. Static audit information is read from the resource manager structure.
Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the parameter must be NULL.
[in] pSecurityDescriptor
A pointer to a SECURITY_DESCRIPTOR structure to be used for access checks. The owner SID for the object is picked from this security descriptor. A NULL discretionary access control list (DACL) in this security descriptor represents a NULL DACL for the entire object. Make sure the security descriptor contains OWNER and DACL information, or an error code 87 or "invalid parameter" message will be generated.
[in, optional] OptionalSecurityDescriptorArray
An array of SECURITY_DESCRIPTOR structures. NULL access control lists (ACLs) in these security descriptors are treated as empty ACLs. The ACL for the entire object is the logical concatenation of all of the ACLs.
[in, optional] OptionalSecurityDescriptorCount
The number of security descriptors not including the primary security descriptor.
[in, out] pReply
A pointer to an AUTHZ_ACCESS_REPLY structure that contains the results of the access check. Before calling the AuthzAccessCheck function, an application must allocate memory for the GrantedAccessMask and SaclEvaluationResults members of the AUTHZ_ACCESS_REPLY structure referenced by pReply.
[out, optional] phAccessCheckResults
A pointer to return a handle to the cached results of the access check. When this parameter value is not null, the results of this access check call will be cached. This results in a MAXIMUM_ALLOWED check.
Starting with Windows 8 and Windows Server 2012, when you use this function with a remote context handle, the value of the parameter must be NULL.
Return value
If the function succeeds, the function returns TRUE.
If the function fails, it returns FALSE. To get extended error information, call GetLastError.
Remarks
The AuthzAccessCheckCallback callback function will be called if the DACL of the SECURITY_DESCRIPTOR structure pointed to by the pSecurityDescriptor parameter contains a callback access control entry (ACE).
Security attribute variables must be present in the client context if referred to in a conditional expression, otherwise the conditional expression term referencing them will evaluate to unknown. For more information, see the Security Descriptor Definition Language for Conditional ACEs topic.
For more information, see the How AccessCheck Works and Centralized Authorization Policy overviews.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows XP [desktop apps only] |
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Target Platform | Windows |
| Header | authz.h |
| Library | Authz.lib |
| DLL | Authz.dll |
| Redistributable | Windows Server 2003 Administration Tools Pack on Windows XP |
See also
Basic Access Control Functions
Centralized Authorization Policy
Security Descriptor Definition Language for Conditional ACEs
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for