Authorization Functions (Authorization)

The following functions are used with authorization applications.

In this section

Topic Description
AccessCheck
Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.
AccessCheckAndAuditAlarm
Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
AccessCheckByType
Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.
AccessCheckByTypeAndAuditAlarm
Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
AccessCheckByTypeResultList
Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.
DeriveCapabilitySidsFromName
Constructs two arrays of SIDs from a capability name. One is an array of group SIDs with NT Authority, and the other is an array of capability SIDs with AppAuthority.
AccessCheckByTypeResultListAndAuditAlarm
Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
AccessCheckByTypeResultListAndAuditAlarmByHandle
Determines whether a security descriptor grants a specified set of access rights to the client that the calling thread is impersonating.
AddAccessAllowedAce
Adds an access-allowed access control entry (ACE) to an access control list (ACL). The access is granted to a specified security identifier (SID).
AddAccessAllowedAceEx
Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL).
AddAccessAllowedObjectAce
Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL).
AddAccessDeniedAce
Adds an access-denied access control entry (ACE) to an access control list (ACL). The access is denied to a specified security identifier (SID).
AddAccessDeniedAceEx
Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL).
AddAccessDeniedObjectAce
Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). The new ACE can deny access to an object, or to a property set or property on an object.
AddAce
Adds one or more access control entries (ACEs) to a specified access control list (ACL).
AddAuditAccessAce
Adds a system-audit access control entry (ACE) to a system access control list (ACL). The access of a specified security identifier (SID) is audited.
AddAuditAccessAceEx
Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL).
AddAuditAccessObjectAce
Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL).
AddConditionalAce
Adds a conditional access control entry (ACE) to the specified access control list (ACL).
AddMandatoryAce
Adds a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) to the specified system access control list (SACL).
AddResourceAttributeAce
Adds a SYSTEM_RESOURCE_ATTRIBUTE_ACE access control entry (ACE) to the end of a system access control list (SACL).
AddScopedPolicyIDAce
Adds a SYSTEM_SCOPED_POLICY_ID_ACE access control entry (ACE) to the end of a system access control list (SACL).
AdjustTokenGroups
Enables or disables groups already present in the specified access token. Access to TOKEN_ADJUST_GROUPS is required to enable or disable groups in an access token.
AdjustTokenPrivileges
Enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token requires TOKEN_ADJUST_PRIVILEGES access.
AllocateAndInitializeSid
Allocates and initializes a security identifier (SID) with up to eight subauthorities.
AllocateLocallyUniqueId
Allocates a locally unique identifier (LUID).
AreAllAccessesGranted
Checks whether a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.
AreAnyAccessesGranted
Tests whether any of a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.
AuditComputeEffectivePolicyBySid
Computes the effective audit policy for one or more subcategories for the specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy.
AuditComputeEffectivePolicyByToken
Computes the effective audit policy for one or more subcategories for the security principal associated with the specified token. The function computes effective audit policy by combining system audit policy with per-user policy.
AuditEnumerateCategories
Enumerates the available audit-policy categories.
AuditEnumeratePerUserPolicy
Enumerates users for whom per-user auditing policy is specified.
AuditEnumerateSubCategories
Enumerates the available audit-policy subcategories.
AuditFree
Frees the memory allocated by audit functions for the specified buffer.
AuditLookupCategoryGuidFromCategoryId
Retrieves a GUID structure that represents the specified audit-policy category.
AuditLookupCategoryIdFromCategoryGuid
Retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the specified audit-policy category.
AuditLookupCategoryName
Retrieves the display name of the specified audit-policy category.
AuditLookupSubCategoryName
Retrieves the display name of the specified audit-policy subcategory.
AuditQueryGlobalSacl
Retrieves a global system access control list (SACL) that delegates access to the audit messages.
AuditQueryPerUserPolicy
Retrieves per-user audit policy in one or more audit-policy subcategories for the specified principal.
AuditQuerySecurity
Retrieves a security descriptor that delegates access to audit policy.
AuditQuerySystemPolicy
Retrieves system audit policy for one or more audit-policy subcategories.
AuditSetGlobalSacl
Sets a global system access control list (SACL) that delegates access to the audit messages.
AuditSetPerUserPolicy
Sets per-user audit policy in one or more audit subcategories for the specified principal.
AuditSetSecurity
Sets a security descriptor that delegates access to audit policy.
AuditSetSystemPolicy
Sets system audit policy for one or more audit-policy subcategories.
AuthzAccessCheck
Determines which access bits can be granted to a client for a given set of security descriptors.
AuthzAccessCheckCallback
An application-defined function that handles callback access control entries (ACEs) during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application registers this callback by calling AuthzInitializeResourceManager.
AuthzAddSidsToContext
Creates a copy of an existing context and appends a given set of security identifiers (SIDs) and restricted SIDs.
AuthzCachedAccessCheck
Performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call.
AuthzComputeGroupsCallback
An application-defined function that creates a list of security identifiers (SIDs) that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name.
AuthzEnumerateSecurityEventSources
Retrieves the registered security event sources that are not installed by default.
AuthzFreeAuditEvent
Frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function.
AuthzFreeCentralAccessPolicyCache
Decreases the CAP cache reference count by one so that the CAP cache can be deallocated.
AuthzFreeCentralAccessPolicyCallback
The AuthzFreeCentralAccessPolicyCallback function is an application-defined function that frees memory allocated by the AuthzGetCentralAccessPolicyCallback function. AuthzFreeCentralAccessPolicyCallback is a placeholder for the application-defined function name.
AuthzFreeContext
Frees all structures and memory associated with the client context. The list of handles for a client is freed in this call.
AuthzFreeGroupsCallback
An application-defined function that frees memory allocated by the AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name.
AuthzFreeHandle
Finds and deletes a handle from the handle list.
AuthzFreeResourceManager
Frees a resource manager object.
AuthzGetCentralAccessPolicyCallback
The AuthzGetCentralAccessPolicyCallback function is an application-defined function that retrieves the central access policy. AuthzGetCentralAccessPolicyCallback is a placeholder for the application-defined function name.
AuthzGetInformationFromContext
Returns information about an Authz context.
AuthzInitializeCompoundContext
Creates a user-mode context from the given user and device security contexts.
AuthzInitializeContextFromAuthzContext
Creates a new client context based on an existing client context.
AuthzInitializeContextFromSid
Creates a user-mode client context from a user security identifier (SID).
AuthzInitializeContextFromToken
Initializes a client authorization context from a kernel token. The kernel token must have been opened for TOKEN_QUERY.
AuthzInitializeObjectAccessAuditEvent
Initializes auditing for an object.
AuthzInitializeObjectAccessAuditEvent2
Allocates and initializes an AUTHZ_AUDIT_EVENT_HANDLE handle for use with the AuthzAccessCheck function.
AuthzInitializeRemoteResourceManager
Allocates and initializes a remote resource manager. The caller can use the resulting handle to make RPC calls to a remote instance of the resource manager configured on a server.
AuthzInitializeResourceManager
Uses Authz to verify that clients have access to various resources.
AuthzInitializeResourceManagerEx
Allocates and initializes a resource manager structure.
AuthzInstallSecurityEventSource
Installs the specified source as a security event source.
AuthzModifyClaims
Adds, deletes, or modifies user and device claims in the Authz client context.
AuthzModifySecurityAttributes
Modifies the security attribute information in the specified client context.
AuthzModifySids
Adds, deletes, or modifies user and device groups in the Authz client context.
AuthzOpenObjectAudit
Reads the system access control list (SACL) of the specified security descriptor and generates any appropriate audits specified by that SACL.
AuthzRegisterCapChangeNotification
Registers a CAP update notification callback.
AuthzRegisterSecurityEventSource
Registers a security event source with the Local Security Authority (LSA).
AuthzReportSecurityEvent
Generates a security audit for a registered security event source.
AuthzReportSecurityEventFromParams
Generates a security audit for a registered security event source by using the specified array of audit parameters.
AuthzSetAppContainerInformation
Sets the app container and capability information in a current Authz context.
AuthzUninstallSecurityEventSource
Removes the specified source from the list of valid security event sources.
AuthzUnregisterCapChangeNotification
Removes a previously registered CAP update notification callback.
AuthzUnregisterSecurityEventSource
Unregisters a security event source with the Local Security Authority (LSA).
BuildExplicitAccessWithName
Initializes an EXPLICIT_ACCESS structure with data specified by the caller. The trustee is identified by a name string.
BuildImpersonateExplicitAccessWithName
The BuildImpersonateExplicitAccessWithName function is not supported.
BuildImpersonateTrustee
The BuildImpersonateTrustee function is not supported.
BuildSecurityDescriptor
Allocates and initializes a new security descriptor.
BuildTrusteeWithName
Initializes a TRUSTEE structure. The caller specifies the trustee name. The function sets other members of the structure to default values.
BuildTrusteeWithObjectsAndName
Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the name of the trustee.
BuildTrusteeWithObjectsAndSid
Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the SID structure that represents the security identifier of the trustee.
BuildTrusteeWithSid
Initializes a TRUSTEE structure. The caller specifies the security identifier (SID) of the trustee. The function sets other members of the structure to default values and does not look up the name associated with the SID.
CheckTokenCapability
Checks the capabilities of a given token.
CheckTokenMembership
Determines whether a specified security identifier (SID) is enabled in an access token.
CheckTokenMembershipEx
Determines whether the specified SID is enabled in the specified token.
ConvertSecurityDescriptorToStringSecurityDescriptor
Converts a security descriptor to a string format. You can use the string format to store or transmit the security descriptor.
ConvertSidToStringSid
Converts a security identifier (SID) to a string format suitable for display, storage, or transmission.
ConvertStringSecurityDescriptorToSecurityDescriptor
Converts a string-format security descriptor into a valid, functional security descriptor.
ConvertStringSidToSid
Converts a string-format security identifier (SID) into a valid, functional SID. You can use this function to retrieve a SID that the ConvertSidToStringSid function converted to string format.
ConvertToAutoInheritPrivateObjectSecurity
Converts a security descriptor and its access control lists (ACLs) to a format that supports automatic propagation of inheritable access control entries (ACEs).
CopySid
Copies a security identifier (SID) to a buffer.
CreatePrivateObjectSecurity
Allocates and initializes a self-relative security descriptor for a new private object. A protected server calls this function when it creates a new private object.
CreatePrivateObjectSecurityEx
Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.
CreatePrivateObjectSecurityWithMultipleInheritance
Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.
CreateRestrictedToken
Creates a new access token that is a restricted version of an existing access token. The restricted token can have disabled security identifiers (SIDs), deleted privileges, and a list of restricting SIDs.
CreateSecurityPage
Creates a basic security property page that enables the user to view and edit the access rights allowed or denied by the access control entries (ACEs) in an object's discretionary access control list (DACL).
CreateWellKnownSid
Creates a SID for predefined aliases.
DeleteAce
Deletes an access control entry (ACE) from an access control list (ACL).
DestroyPrivateObjectSecurity
Deletes a private object's security descriptor.
DSCreateSecurityPage
Creates a security property page for an Active Directory object.
DSCreateISecurityInfoObject
Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object.
DSCreateISecurityInfoObjectEx
Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object on the specified server.
DSEditSecurity
Displays a modal dialog box for editing security on a Directory Services (DS) object.
DuplicateToken
Creates a new access token that duplicates one already in existence.
DuplicateTokenEx
Creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
EditSecurity
Displays a property sheet that contains a basic security property page. This property page enables the user to view and edit the access rights allowed or denied by the ACEs in an object's DACL.
EditSecurityAdvanced
Extends the EditSecurity function to include the security page type when displaying the property sheet that contains a basic security property page.
EqualDomainSid
Determines whether two SIDs are from the same domain.
EqualPrefixSid
Tests two security-identifier (SID) prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.
EqualSid
Tests two security identifier (SID) values for equality. Two SIDs must match exactly to be considered equal.
FindFirstFreeAce
Retrieves a pointer to the first free byte in an access control list (ACL).
FreeInheritedFromArray
Frees memory allocated by the GetInheritanceSource function.
FreeSid
Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function.
GetAce
Obtains a pointer to an access control entry (ACE) in an access control list (ACL).
GetAclInformation
Retrieves information about an access control list (ACL).
GetAppContainerNamedObjectPath
Retrieves the named object path for the app container.
GetAuditedPermissionsFromAcl
Retrieves the audited access rights for a specified trustee.
GetCurrentProcessToken
Retrieves a pseudo-handle that you can use as a shorthand way to refer to the access token associated with a process.
GetCurrentThreadEffectiveToken
Retrieves a pseudo-handle that you can use as a shorthand way to refer to the token that is currently in effect for the thread, which is the thread token if one exists and the process token otherwise.
GetCurrentThreadToken
Retrieves a pseudo-handle that you can use as a shorthand way to refer to the impersonation token that was assigned to the current thread.
GetEffectiveRightsFromAcl
Retrieves the effective access rights that an ACL structure grants to a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member.
GetExplicitEntriesFromAcl
Retrieves an array of structures that describe the access control entries (ACEs) in an access control list (ACL).
GetFileSecurity
Obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges.
GetInheritanceSource
Returns information about the source of inherited access control entries (ACEs) in an access control list (ACL).
GetKernelObjectSecurity
Retrieves a copy of the security descriptor that protects a kernel object.
GetLengthSid
Returns the length, in bytes, of a valid security identifier (SID).
GetMultipleTrustee
The GetMultipleTrustee function is not supported.
GetMultipleTrusteeOperation
The GetMultipleTrusteeOperation function is not supported.
GetNamedSecurityInfo
Retrieves a copy of the security descriptor for an object specified by name.
GetPrivateObjectSecurity
Retrieves information from a private object's security descriptor.
GetSecurityDescriptorControl
Retrieves a security descriptor control and revision information.
GetSecurityDescriptorDacl
Retrieves a pointer to the discretionary access control list (DACL) in a specified security descriptor.
GetSecurityDescriptorGroup
Retrieves the primary group information from a security descriptor.
GetSecurityDescriptorLength
Returns the length, in bytes, of a structurally valid security descriptor. The length includes the length of all associated structures.
GetSecurityDescriptorOwner
Retrieves the owner information from a security descriptor.
GetSecurityDescriptorRMControl
Retrieves the resource manager control bits.
GetSecurityDescriptorSacl
Retrieves a pointer to the system access control list (SACL) in a specified security descriptor.
GetSecurityInfo
Retrieves a copy of the security descriptor for an object specified by a handle.
GetSidIdentifierAuthority
Returns a pointer to the SID_IDENTIFIER_AUTHORITY structure in a specified security identifier (SID).
GetSidLengthRequired
Returns the length, in bytes, of the buffer required to store a SID with a specified number of subauthorities.
GetSidSubAuthority
Returns a pointer to a specified subauthority in a security identifier (SID). The subauthority value is a relative identifier (RID).
GetSidSubAuthorityCount
Returns a pointer to the member in a security identifier (SID) structure that contains the subauthority count.
GetTenantRestrictionsHostnames
Returns a list of hostnames (e.g. foo.com) and subdomainSupportedHostnames (e.g. .bar.com) to the caller to apply Tenant Restrictions to those endpoints.
GetTokenInformation
Retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
GetTrusteeForm
Retrieves the trustee name from the specified TRUSTEE structure. This value indicates whether the structure uses a name string or a security identifier (SID) to identify the trustee.
GetTrusteeName
Retrieves the trustee name from the specified TRUSTEE structure.
GetTrusteeType
Retrieves the trustee type from the specified TRUSTEE structure. This value indicates whether the trustee is a user, a group, or the trustee type is unknown.
GetUserObjectSecurity
Retrieves security information for the specified user object.
GetWindowsAccountDomainSid
Receives a security identifier (SID) and returns a SID representing the domain of that SID.
ImpersonateAnonymousToken
Enables the specified thread to impersonate the system's anonymous logon token.
ImpersonateLoggedOnUser
Lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.
ImpersonateNamedPipeClient
Impersonates a named-pipe client application.
ImpersonateSelf
Obtains an access token that impersonates the security context of the calling process. The token is assigned to the calling thread.
InitializeAcl
Initializes a new ACL structure.
InitializeSecurityDescriptor
Initializes a new security descriptor.
InitializeSid
Initializes a security identifier (SID).
IsTokenRestricted
Indicates whether a token contains a list of restricted security identifiers (SIDs).
IsValidAcl
Validates an access control list (ACL).
IsValidSecurityDescriptor
Determines whether the components of a security descriptor are valid.
IsValidSid
Validates a security identifier (SID) by verifying that the revision number is within a known range, and that the number of subauthorities is less than the maximum.
IsWellKnownSid
Compares a SID to a well-known SID and returns TRUE if they match.
LookupAccountName
Accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the name of the domain on which the account was found.
LookupAccountSid
Accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the first domain on which this SID is found.
LookupAccountSidLocal
Retrieves the name of the account for the specified SID on the local machine.
LookupPrivilegeDisplayName
Retrieves the display name that represents a specified privilege.
LookupPrivilegeName
Retrieves the name that corresponds to the privilege represented on a specific system by a specified locally unique identifier (LUID).
LookupPrivilegeValue
Retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.
LookupSecurityDescriptorParts
Retrieves security information from a self-relative security descriptor.
MakeAbsoluteSD
Creates a security descriptor in absolute format by using a security descriptor in self-relative format as a template.
MakeSelfRelativeSD
Creates a security descriptor in self-relative format by using a security descriptor in absolute format as a template.
MapGenericMask
Maps the generic access rights in an access mask to specific and standard access rights. The function applies a mapping supplied in a GENERIC_MAPPING structure.
NtCompareTokens
Compares two access tokens and determines whether they are equivalent with respect to a call to the AccessCheck function.
NtCreateLowBoxToken
Creates a lowbox token object based on an existing access token.
ObjectCloseAuditAlarm
Generates an audit message in the security event log when a handle to a private object is deleted.
ObjectDeleteAuditAlarm
Generates audit messages when an object is deleted.
ObjectOpenAuditAlarm
Generates audit messages when a client application attempts to gain access to an object or to create a new one.
ObjectPrivilegeAuditAlarm
Generates an audit message in the security event log.
OpenProcessToken
Opens the access token associated with a process.
OpenThreadToken
Opens the access token associated with a thread.
PrivilegeCheck
Determines whether a specified set of privileges is enabled in an access token.
PrivilegedServiceAuditAlarm
Generates an audit message in the security event log.
QuerySecurityAccessMask
Creates an access mask that represents the access permissions necessary to query the specified object security information.
QueryServiceObjectSecurity
Retrieves a copy of the security descriptor associated with a service object.
RegGetKeySecurity
Retrieves a copy of the security descriptor protecting the specified open registry key.
RegSetKeySecurity
Sets the security of an open registry key.
RevertToSelf
Terminates the impersonation of a client application.
RtlConvertSidToUnicodeString
Converts a security identifier (SID) to its Unicode character representation.
SetAclInformation
Sets information about an access control list (ACL).
SetEntriesInAcl
Creates a new access control list (ACL) by merging new access control or audit control information into an existing ACL structure.
SetFileSecurity
Sets the security of a file or directory object.
SetKernelObjectSecurity
Sets the security of a kernel object.
SetNamedSecurityInfo
Sets specified security information in the security descriptor of a specified object.
SetPrivateObjectSecurity
Modifies a private object's security descriptor.
SetPrivateObjectSecurityEx
Modifies the security descriptor of a private object maintained by the resource manager calling this function.
SetSecurityAccessMask
Creates an access mask that represents the access permissions necessary to set the specified object security information.
SetSecurityDescriptorControl
Sets the control bits of a security descriptor. The function can set only the control bits that relate to automatic inheritance of ACEs.
SetSecurityDescriptorDacl
Sets information in a discretionary access control list (DACL). If a DACL is already present in the security descriptor, the DACL is replaced.
SetSecurityDescriptorGroup
Sets the primary group information of an absolute-format security descriptor, replacing any primary group information already present in the security descriptor.
SetSecurityDescriptorOwner
Sets the owner information of an absolute-format security descriptor. It replaces any owner information already present in the security descriptor.
SetSecurityDescriptorRMControl
Sets the resource manager control bits in the SECURITY_DESCRIPTOR structure.
SetSecurityDescriptorSacl
Sets information in a system access control list (SACL). If there is already a SACL present in the security descriptor, it is replaced.
SetSecurityInfo
Sets specified security information in the security descriptor of a specified object. The caller identifies the object by a handle.
SetServiceObjectSecurity
Sets the security descriptor of a service object.
SetThreadToken
Assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.
SetTokenInformation
Sets various types of information for a specified access token.
SetUserObjectSecurity
Sets the security of a user object. This can be, for example, a window or a DDE conversation.
TreeResetNamedSecurityInfo
Resets specified security information in the security descriptor of a specified tree of objects.
TreeSetNamedSecurityInfo
Sets specified security information in the security descriptor of a specified tree of objects.

Authorization functions are categorized according to usage as follows.

Basic Access Control Functions

The following functions are used with access tokens.

Access Control Editor Functions

The following functions are used with the access control editor.

Client/Server Access Control Functions

The following functions are used by servers to impersonate clients.

Low-level Access Control Functions

The following low-level functions are used to manipulate security descriptors.

Audit Policy Functions