Appendix: IObjectAccessControl vs. IAccessControl

In COM security, IAccessControl is usually implemented on the object whose access control is being governed. This does not work for OLE DB interfaces. Access control in OLE DB is applied to elements such as tables, columns, and procedures, which are not actual COM objects. OLE DB uses a new interface, IObjectAccessControl, which supports applying security to objects that are not COM objects. The IObjectAccessControl interface is generic enough that it can be applied to other types of security scenarios.

IAccessControl uses an ACTRL_ACCESS structure to represent the access being set or retrieved. In contrast, IObjectAccessControl uses the EXPLICIT_ACCESS structure defined by the Platform SDK security system because it is simpler and provides all the necessary functionality.

The following table shows how IAccessControl methods relate to IObjectAccessControl methods.

IAccessControl (COM)	IObjectAccessControl (OLE DB)
GrantAccessRights	SetObjectAccessRights with grfAccessMode = GRANT_ACCESS
SetAccessRights	SetObjectAccessRights with grfAccessMode = SET_ACCESS
SetOwner	SetObjectOwner
RevokeAccessRights	SetObjectAccessRights with grfAccessMode = REVOKE_ACCESS
GetAllAccessRights	GetObjectAccessRights
IsAccessAllowed	IsObjectAccessAllowed

The following table shows how the ACCESS_MASK permission values defined in COM relate to the security bits defined in OLE DB.

OLE ACCESS_MASK Bit	OLE DB Security Bit
0–15 Object Specific	9 PERM_EXCLUSIVE 10 PERM_READDESIGN 11 PERM_WRITEDESIGN 12 PERM_WITHGRANT 13 PERM_REFERENCE 14 PERM_CREATE 15 PERM_INSERT
16 DELETE	16 PERM_DELETE
17 READ_CONTROL	17 PERM_READCONTROL
18 WRITE_DAC	18 PERM_WRITEPERMISSIONS
19 WRITE_OWNER	19 PERM_WRITEOWNER
20 SYNCHRONIZE	N/A
24 ACCESS_SYSTEM_SECURITY	N/A
25 MAXIMUM_ALLOWED	25 PERM_MAXIMUM_ALLOWED
26–27 Reserved	N/A
28 GENERIC_ALL	28 PERM_ALL
29 GENERIC_EXECUTE	29 PERM_EXECUTE
30 GENERIC_WRITE	30 PERM_WRITE
31 GENERIC_READ	31 PERM_READ