INFO: Determining the Maximum Allowed Access for an Object
ID: Q115945
|
The information in this article applies to:
-
Microsoft Win32 Application Programming Interface (API), used with:
-
Microsoft Windows NT versions 3.1, 3.5
-
Microsoft Windows 2000
SUMMARY
The AccessCheck() API call can be used to determine the maximum access to
an object allowed for a subject. (In this article, a subject means a
program running in a specific user's security context.) When using
AccessCheck() for this purpose, perform the following steps:
- Obtain a security descriptor that has owner, group, and DACL
information.
- If you are not impersonating a client, obtain an impersonation token by
calling ImpersonateSelf. This token is passed as the client token in the
AccessCheck() call.
- Create a generic mapping structure. The contents of this structure will
vary depending on the object being used.
- Call AccessCheck() and request "MAXIMUM_ALLOWED" as the desired access.
If the AccessCheck() call succeeds after the above steps have been
completed, the dwGrantedAccess parameter to AccessCheck() contains a
mask of the object-specific rights that are granted by the security
descriptor.
MORE INFORMATION
In most situations, you should not use this method of access determination.
If you need access to an object to perform a task, simply try to open the
object using the required access.
The AccessCheck() API is mainly intended for use with private objects
created by an application. However, it can be used with predefined objects.
The generic mapping values and specific rights for many of the predefined
objects (files and so forth) may be found in WINNT.H.
REFERENCES
Please see the Security Overview in the "Win32 Programmer's Reference" and
the "Win32 SDK API Reference" for more information.
Additional query words:
3.10 3.50
Keywords : kbAccCtrl kbKernBase kbWinOS2000 kbSecurity kbDSupport kbGrpKernBase
Version : winnt:3.1,3.5
Platform : winnt
Issue type : kbinfo