AccessCheck

  BOOL AccessCheck(SecurityDescriptor, ClientToken, DesiredAccess, GenericMapping, PrivilegeSet, PrivilegeSetLength, GrantedAccess, AccessStatus)    
  PSECURITY_DESCRIPTOR SecurityDescriptor;    
  HANDLE ClientToken;    
  DWORD DesiredAccess;    
  PGENERIC_MAPPING GenericMapping;    
  PPRIVILEGE_SET PrivilegeSet;    
  LPDWORD PrivilegeSetLength;    
  LPDWORD GrantedAccess;    
  LPBOOL AccessStatus;    

The AccessCheck function validates a client's desired access to an object against the access control associated with the object.

Parameters

SecurityDescriptor

Pointer to the security descriptor against which access is to be checked.

ClientToken

Handle to a token object representing a client attempting access.

This handle must be obtained from a communication session layer, such as from a named pipe, to prevent possible security policy violations.

DesiredAccess

The desired access mask. This mask must have been previously mapped to contain no generic accesses.

GenericMapping

Pointer to the generic mapping associated with the type of object being examined.

PrivilegeSet

A pointer to a buffer that upon return will contain any privileges that were used to perform the access validation. If no privileges were used, the buffer will contain a privilege set consisting of zero privileges.

PrivilegeSetLength

The size of the PrivilegeSet buffer in bytes.

GrantedAccess

Pointer to a variable that the function will fill, if the function is successful, with an access mask indicating which accesses were actually granted.

AccessStatus

Receives an indication of the success or failure of the access check. If AccessStatus is TRUE, the caller has the desired access. If AccessStatus is FALSE, the caller does not have the desired access, and the GetLastError function can be used to obtain more detailed information.

Return Value

The return value is TRUE if the function was successful. Check the AccessStatus parameter for the result of the access check.

The return value is FALSE if an error occurred. To obtain extended error information, use the GetLastError function.

Comments

The function compares the input security descriptor against the input token and indicates by its return value whether access is granted or denied. If access is granted, the desired access mask becomes the granted access mask for the object.

The semantics of the access check routine are described in the DSA Security Architecture workbook. Note that during an access check only the discretionary ACL is examined.
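The requirement that DesiredAccess contain no generic accesses, and the way GrantedAccess and AccessStatus are filled in, can be followed in a small portable C model. This is an added example, not code from the original reference and not the Win32 implementation: the type and function names, the integers standing in for SIDs, and the sample discretionary ACL are assumptions, and privileges are not modelled.

```c
#include <stddef.h>
#include <stdint.h>

/* Real Win32 generic-right bits (winnt.h values). */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u

/* Model types (names are assumptions): a SID is reduced to an integer. */
typedef struct { uint32_t read, write, execute, all; } mapping_t;
typedef struct { int deny; uint32_t sid, mask; } ace_t;

/* Replace generic bits with the object type's specific rights, which is
   the job MapGenericMask does before DesiredAccess is handed over. */
uint32_t map_generic(uint32_t m, const mapping_t *g) {
    if (m & GENERIC_READ)    m |= g->read;
    if (m & GENERIC_WRITE)   m |= g->write;
    if (m & GENERIC_EXECUTE) m |= g->execute;
    if (m & GENERIC_ALL)     m |= g->all;
    return m & 0x0FFFFFFFu;              /* no generic bit survives */
}

/* Ordered walk of the discretionary ACL. Returns the AccessStatus
   analogue; *granted becomes the desired mask only on success. */
int model_check(const ace_t *dacl, size_t n, const uint32_t *sids,
                size_t nsids, uint32_t desired, uint32_t *granted) {
    uint32_t missing = desired;
    *granted = 0;
    for (size_t i = 0; i < n && missing; i++) {
        int held = 0;
        for (size_t j = 0; j < nsids; j++) held |= (sids[j] == dacl[i].sid);
        if (!held) continue;
        if (!dacl[i].deny) missing &= ~dacl[i].mask;
        else if (dacl[i].mask & missing) return 0;
    }
    if (missing) return 0;
    *granted = desired;
    return 1;
}

/* File-object mapping: FILE_GENERIC_READ/WRITE/EXECUTE, FILE_ALL_ACCESS. */
const mapping_t FILE_MAP = {0x00120089u, 0x00120116u, 0x001200A0u, 0x001F01FFu};
/* Constructed sample: token holds SIDs 1 and 7; mapped != 0 maps first. */
int demo(uint32_t request, int mapped, uint32_t *granted) {
    static const ace_t dacl[] = { {1, 7, 0x00000006u},   /* deny write/append data */
                                  {0, 1, 0x001F01FFu} }; /* allow FILE_ALL_ACCESS */
    static const uint32_t sids[] = { 1, 7 };
    if (mapped) request = map_generic(request, &FILE_MAP);
    return model_check(dacl, 2, sids, 2, request, granted);
}
```

In the model, an unmapped GENERIC_READ request is refused even though the ACL allows every specific file right, because no entry's mask covers the generic bit.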

See Also

AccessCheckAndAuditAlarm, AreAllAccessesGranted, AreAnyAccessesGranted, MapGenericMask, ObjectCloseAuditAlarm, ObjectOpenAuditAlarm, ObjectPrivilegeAuditAlarm, PrivilegeCheck, PrivilegedServiceAuditAlarm