[This is preliminary documentation and subject to change.]
The AccessCheckByType function determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. The function can check the client's access to a hierarchy of objects, such as an object, its property sets, and properties. The function grants or denies access to the hierarchy as a whole. Typically, server applications use this function to check access to a private object.
BOOL AccessCheckByType(
PSECURITY_DESCRIPTOR pSecurityDescriptor, // security descriptor
PSID PrincipalSelfSid, // SID of object being checked
HANDLE ClientToken, // handle to client access token
DWORD DesiredAccess, // requested access rights
POBJECT_TYPE_LIST ObjectTypeList, // array of object types
DWORD ObjectTypeListLength, // number of object type elements
PGENERIC_MAPPING GenericMapping, // map generic to specific rights
PPRIVILEGE_SET PrivilegeSet, // receives privileges used
LPDWORD PrivilegeSetLength, // size of privilege-set buffer
LPDWORD GrantedAccess, // retrieves mask of granted rights
LPBOOL AccessStatus // retrieves results of access check
);
This parameter should be NULL if the protected object does not represent a principal.
If this parameter is MAXIMUM_ALLOWED, the function sets the GrantedAccess access mask to indicate the maximum access rights the security descriptor allows the client.
The array must have at least one element. The first element in the array must be at level zero and identify the object itself. The array can have only one level zero element. The second element is a subobject, such as a property set, at level 1. Following each level 1 entry are subordinate entries for the level 2 through 4 subobjects. Thus, the levels for the elements in the array might be {0, 1, 2, 2, 1, 2, 3}. If the object type list is out of order, AccessCheckByType fails and GetLastError returns ERROR_INVALID_PARAMETER.
If ObjectTypeList is NULL, AccessCheckByType is the same as the AccessCheck function.
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
The AccessCheckByType function compares the specified security descriptor with the specified access token and indicates, in the AccessStatus parameter, whether access is granted or denied.
The ObjectTypeList array does not necessarily represent the entire defined object. Rather, it represents that subset of the object for which to check access. For instance, to check access to two properties in a property set, specify an object type list with four elements: the object itself at level zero, the property set at level 1, and the two properties at level 2.
The AccessCheckByType function evaluates ACEs that apply to the object itself and object-specific ACEs for the object types listed in the ObjectTypeList array. The function ignores object-specific ACEs for object types not listed in the ObjectTypeList array. Thus, the results returned in the AccessStatus parameter indicate the access allowed to the subset of the object defined by the ObjectTypeList parameter, not to the entire object.
For more information about how a hierarchy of ACEs controls access to an object and its subobjects, see Controlling Access to an Object's Properties.
If the security descriptor's DACL is NULL, the AccessStatus parameter returns TRUE, indicating that the client has the requested access.
If the security descriptor does not contain owner and group SIDs, AccessCheckByType fails with ERROR_INVALID_SECURITY_DESCR.
Windows NT: Requires version 5.0 or later.
Windows: Unsupported.
Windows CE: Unsupported.
Header: Declared in winbase.h.
Import Library: Use advapi32.lib.
Client/Server Access Control Overview, Client/Server Access Control Functions, AccessCheck, AccessCheckAndAuditAlarm, AccessCheckByTypeAndAuditAlarm, AccessCheckByTypeResultList, AccessCheckByTypeResultListAndAuditAlarm, GENERIC_MAPPING, MapGenericMask, PRIVILEGE_SET, SECURITY_DESCRIPTOR