[This is preliminary documentation and subject to change.]
The AccessCheckByTypeResultListAndAuditAlarm function determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. The function can check access to a hierarchy of objects, such as an object, its property sets, and properties. The function reports the access rights granted or denied to each object type in the hierarchy. If the security descriptor has a SACL with ACEs that apply to the client, the function generates any necessary audit messages in the security event log. Alarms are not supported in the current version of Windows NT.
BOOL AccessCheckByTypeResultListAndAuditAlarm(
LPCTSTR SubsystemName, // subsystem name
LPVOID HandleId, // object's handle identifier
LPCTSTR ObjectTypeName, // type of object
LPCTSTR ObjectName, // name of object
PSECURITY_DESCRIPTOR pSecurityDescriptor, // security descriptor
PSID PrincipalSelfSid, // SID of object being checked
DWORD DesiredAccess, // requested access rights
AUDIT_EVENT_TYPE AuditType, // type of audit
DWORD Flags, // allows access check if no audit privilege
POBJECT_TYPE_LIST ObjectTypeList, // array of object types
DWORD ObjectTypeListLength, // number of object type elements
PGENERIC_MAPPING GenericMapping, // map generic to specific rights
BOOL ObjectCreation, // flag is TRUE if creating an object
LPDWORD GrantedAccessList, // retrieves array of granted rights
LPDWORD AccessStatusList, // retrieves array of results flags
LPBOOL pfGenerateOnClose // retrieves flag for audit generation
);
This parameter should be NULL if the protected object does not represent a principal.
If this parameter is MAXIMUM_ALLOWED, the function sets the access masks in the GrantedAccessList to indicate the maximum access rights the security descriptor allows the client.
The array must have at least one element. The first element in the array must be at level zero and identify the object itself. The array can have only one level zero element. The second element is a subobject, such as a property set, at level 1. Following each level 1 entry are subordinate entries for the level 2 through 4 subobjects. Thus, the levels for the elements in the array might be {0, 1, 2, 2, 1, 2, 3}. If the object type list is out of order, AccessCheckByTypeResultListAndAuditAlarm fails, and GetLastError returns ERROR_INVALID_PARAMETER.
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
The AccessCheckByTypeResultListAndAuditAlarm function is a combination of the AccessCheckByTypeResultList and AccessCheckAndAuditAlarm functions.
The AccessStatusList parameter returns several success or failure status results. Thus, it is possible for a single AccessCheckByTypeResultListAndAuditAlarm call to generate both success and failure audit messages in the security event log.
The ObjectTypeList array does not necessarily represent the entire defined object. Rather, it represents that subset of the object for which to check access. For instance, to check access to two properties in a property set, specify an object type list with four elements: the object itself at level zero, the property set at level 1, and the two properties at level 2.
The AccessCheckByTypeResultListAndAuditAlarm function evaluates ACEs that apply to the object itself and object-specific ACEs for the object types listed in the ObjectTypeList array. The function ignores object-specific ACEs for object types not listed in the ObjectTypeList array.
For more information about how a hierarchy of ACEs controls access to an object and its subobjects, see Controlling Access to an Object's Properties.
To generate audit messages in the security event log, the calling process must have the SE_AUDIT_NAME privilege enabled. The system checks for this privilege in the primary token of the calling process, not the impersonation token of the thread. If the Flags parameter includes the AUDIT_ALLOW_NO_PRIVILEGE flag, the function performs the access check without generating audit messages when the privilege is not enabled.
The AccessCheckByTypeResultListAndAuditAlarm function fails if the calling thread is not impersonating a client.
If the security descriptor does not contain owner and group SIDs, AccessCheckByTypeResultListAndAuditAlarm fails with ERROR_INVALID_SECURITY_DESCR.
Windows NT: Requires version 5.0 or later.
Windows: Unsupported.
Windows CE: Unsupported.
Header: Declared in winbase.h.
Import Library: Use advapi32.lib.
Unicode: Implemented as Unicode and ANSI versions on Windows NT.
Client/Server Access Control Overview, Client/Server Access Control Functions, AccessCheck, AccessCheckAndAuditAlarm, AccessCheckByType, AccessCheckByTypeResultList, AccessCheckByTypeResultListAndAuditAlarm, GENERIC_MAPPING, MapGenericMask, PRIVILEGE_SET, SECURITY_DESCRIPTOR