MDAC 2.5 SDK - Technical Articles
Appendix: IObjectAccessControl vs. IAccessControl

In COM security, IAccessControl is usually implemented on the object whose access control is being governed. This does not work for OLE DB interfaces. Access control in OLE DB is applied to elements such as tables, columns, and procedures, which are not actual COM objects. OLE DB uses a new interface, IObjectAccessControl, which supports applying security to objects that are not COM objects. The IObjectAccessControl interface is generic enough that it can be applied to other types of security scenarios.

IAccessControl uses an ACTRL_ACCESS structure to represent the access being set or retrieved. In contrast, IObjectAccessControl uses the EXPLICIT_ACCESS structure defined by the Platform SDK security system because it is simpler and provides all the necessary functionality.

The following table shows how IAccessControl methods relate to IObjectAccessControl methods.

IAccessControl (COM)    IObjectAccessControl (OLE DB)
GrantAccessRights       SetObjectAccessRights with grfAccessMode = GRANT_ACCESS
SetAccessRights         SetObjectAccessRights with grfAccessMode = SET_ACCESS
SetOwner                SetObjectOwner
RevokeAccessRights      SetObjectAccessRights with grfAccessMode = REVOKE_ACCESS
GetAllAccessRights      GetObjectAccessRights
IsAccessAllowed         IsObjectAccessAllowed

The following table shows how the ACCESS_MASK permission values defined in COM relate to the security bits defined in OLE DB.

OLE ACCESS_MASK Bit            OLE DB Security Bit
0–15   Object Specific         9    PERM_EXCLUSIVE
                               10   PERM_READDESIGN
                               11   PERM_WRITEDESIGN
                               12   PERM_WITHGRANT
                               13   PERM_REFERENCE
                               14   PERM_CREATE
                               15   PERM_INSERT
16     DELETE                  16   PERM_DELETE
17     READ_CONTROL            17   PERM_READCONTROL
18     WRITE_DAC               18   PERM_WRITEPERMISSIONS
19     WRITE_OWNER             19   PERM_WRITEOWNER
20     SYNCHRONIZE             N/A
24     ACCESS_SYSTEM_SECURITY  N/A
25     MAXIMUM_ALLOWED         25   PERM_MAXIMUM_ALLOWED
26–27  Reserved                N/A
28     GENERIC_ALL             28   PERM_ALL
29     GENERIC_EXECUTE         29   PERM_EXECUTE
30     GENERIC_WRITE           30   PERM_WRITE
31     GENERIC_READ            31   PERM_READ
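The bit-position correspondence in the table above, as an added example that is not code from the MDAC SDK: a small C translator that carries the one-to-one bits (16–19, 25, 28–31) from a COM ACCESS_MASK into an OLE DB permission mask and isolates the bits that have no OLE DB meaning (SYNCHRONIZE, ACCESS_SYSTEM_SECURITY, reserved 26–27) or a different one (the object-specific bits 0–15, which OLE DB reads as PERM_EXCLUSIVE through PERM_INSERT). The AM_* and PERM_* constants are defined locally from the table's bit positions so the file builds without windows.h or oledb.h; the input mask in main is constructed.

```c
/* Added example, not code from the MDAC SDK: map a COM/Win32 ACCESS_MASK onto
 * OLE DB PERM_* bits using the bit positions in the table above. Constants are
 * defined locally from those positions so this builds without windows.h/oledb.h. */
#include <stdint.h>
#include <stdio.h>

#define BIT(n) (1u << (n))
/* COM ACCESS_MASK rights, by table position. */
#define AM_DELETE                 BIT(16)
#define AM_READ_CONTROL           BIT(17)
#define AM_WRITE_DAC              BIT(18)
#define AM_WRITE_OWNER            BIT(19)
#define AM_SYNCHRONIZE            BIT(20)   /* N/A in OLE DB */
#define AM_ACCESS_SYSTEM_SECURITY BIT(24)   /* N/A in OLE DB */
#define AM_MAXIMUM_ALLOWED        BIT(25)
#define AM_GENERIC_ALL            BIT(28)
#define AM_GENERIC_EXECUTE        BIT(29)
#define AM_GENERIC_WRITE          BIT(30)
#define AM_GENERIC_READ           BIT(31)
/* OLE DB security bits at the same positions as their COM counterparts. */
#define PERM_DELETE           BIT(16)
#define PERM_READCONTROL      BIT(17)
#define PERM_WRITEPERMISSIONS BIT(18)
#define PERM_WRITEOWNER       BIT(19)
#define PERM_MAXIMUM_ALLOWED  BIT(25)
#define PERM_ALL              BIT(28)
#define PERM_EXECUTE          BIT(29)
#define PERM_WRITE            BIT(30)
#define PERM_READ             BIT(31)
#define PERM_EXCLUSIVE        BIT(9)    /* COM bit 9 is object specific, not this */

#define TRANSLATABLE (PERM_DELETE | PERM_READCONTROL | PERM_WRITEPERMISSIONS | \
    PERM_WRITEOWNER | PERM_MAXIMUM_ALLOWED | PERM_ALL | PERM_EXECUTE | PERM_WRITE | PERM_READ)

/* Bits of a COM mask that carry over one-to-one into an EXPLICIT_ACCESS for OLE DB. */
uint32_t perm_from_access_mask(uint32_t access_mask) { return access_mask & TRANSLATABLE; }

/* Bits with no OLE DB meaning (SYNCHRONIZE, ACCESS_SYSTEM_SECURITY, reserved 26-27)
 * or a different one (object-specific 0-15, which OLE DB reads as PERM_EXCLUSIVE..
 * PERM_INSERT). A provider should refuse these rather than forward them unchanged. */
uint32_t untranslatable_bits(uint32_t access_mask) { return access_mask & ~TRANSLATABLE; }

int main(void)
{
    /* Constructed input: its object-specific bit 9 would masquerade as PERM_EXCLUSIVE. */
    uint32_t m = AM_GENERIC_READ | AM_DELETE | AM_SYNCHRONIZE | PERM_EXCLUSIVE;
    printf("translated=0x%08x rejected=0x%08x\n", perm_from_access_mask(m), untranslatable_bits(m));
    return untranslatable_bits(m) != 0;   /* non-zero exit: refuse the request */
}
```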