Professional Documents
Culture Documents
Kiến trúc Windows
Kiến trúc Windows
Authorization
About Authorization
Access Control
C2-level Security
Access Control Model
Parts of the Access Control Model
Access Tokens
Security Descriptors
Access Control Lists
Access Control Entries
Access Rights and Access Masks
Centralized Authorization Policy
Security Identifiers
How AccessCheck Works
Interaction Between Threads and Securable Objects
DACLs and ACEs
Null DACLs and Empty DACLs
Allowing Anonymous Access
Security Descriptor Definition Language
Security Descriptor String Format
Security Descriptor Definition Language for Conditional ACEs.
ACE Strings
SID Strings
Privileges
Audit Generation
Securable Objects
Low-level Access Control
Low-level Security Descriptor Functions
Low-level Security Descriptor Creation
Absolute and Self-Relative Security Descriptors
Low-level ACL and ACE Functions
Access Control Editor
Basic Security Property Page
Advanced Security Property Sheet
Permissions Property Page
Auditing Property Page
Owner Property Page
Client/Server Access Control
The Client Security Context
Client Impersonation
Impersonation Levels
Impersonation Tokens
Client Logon Sessions
Processes in the Client Security Context
Client Access to Network Resources
ACL-based Access Control
Security Descriptors for Private Objects
Checking Access to Private Objects
Auditing Access To Private Objects
Access Control for Application Resources
Role-based Access Control
Advantages of Role-based Authorization
Authorization Manager Model
Policy Stores, Applications, and Scopes
Users and Groups
Operations and Tasks
Roles
Business Rules
Collections
AppContainer for Legacy Applications
AppContainer Isolation
Implementing an AppContainer
Mandatory Integrity Control
User Account Control
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Operating System Service Model
Elevated Task Model
Administrator COM Object Model
Using Authorization in C++
Defining Permissions in C++
Verifying Client Access to a Requested Resource in C++
Delegating the Defining of Permissions in C++
Supporting Tasks for Authorization in C++
Creating an Authorization Policy Store in C++
Creating an Authorization Policy Store Object in C++
Creating an Application Object in C++
Defining Operations in C++
Grouping Operations into Tasks in C++
Grouping Tasks into Roles in C++
Defining Groups of Users in C++
Adding Users to an Application Group in C++
Establishing a Client Context with Authorization Manager in C++
Qualifying Access with Business Logic in C++
Defining Permissions with ACLs in C++
Modifying the ACLs of an Object in C++
Creating a Security Descriptor for a New Object in C++
Controlling Child Object Creation in C++
Enabling and Disabling Privileges in C++
Establishing a Client Context from a SID in C++
Searching for a SID in an Access Token in C++
Converting a Binary SID to String Format in C++
Verifying Client Access with ACLs in C++
Finding the Owner of a File Object in C++
Taking Object Ownership in C++
Using Authorization in Script
Defining Permissions in Script
Verifying Client Access to a Requested Resource in Script
Delegating the Defining of Permissions in Script
Supporting Tasks for Authorization in Script
Creating an Authorization Policy Store in Script
Creating an Authorization Policy Store Object in Script
Creating an Application Object in Script
Defining Operations in Script
Grouping Operations into Tasks in Script
Grouping Tasks into Roles in Script
Defining Groups of Users in Script
Adding Users to an Application Group in Script
Establishing a Client Context in Script
Qualifying Access with Business Logic in Script
Using Authz API
Initializing a Client Context
Querying a Client Context
Adding SIDs to a Client Context
Checking Access with Authz API
Caching Access Checks
Authorization Reference
Authorization Constants
Account Rights Constants
App Container SID Constants
Auditing Constants
Capability SID Constants
Privilege Constants
Authorization Data Types
ACCESS_MASK
SECURITY_DESCRIPTOR_CONTROL
SECURITY_INFORMATION
Authorization Enumerations
ACCESS_MODE
ACL_INFORMATION_CLASS
AUDIT_EVENT_TYPE
AUDIT_PARAM_TYPE
AUTHZ_CONTEXT_INFORMATION_CLASS
AUTHZ_SECURITY_ATTRIBUTE_OPERATION
AUTHZ_SID_OPERATION
AZ_PROP_CONSTANTS
MANDATORY_LEVEL
MULTIPLE_TRUSTEE_OPERATION
PROG_INVOKE_SETTING
SE_OBJECT_TYPE
SECURITY_IMPERSONATION_LEVEL
SI_PAGE_TYPE
SID_NAME_USE
TOKEN_ELEVATION_TYPE
TOKEN_INFORMATION_CLASS
TOKEN_TYPE
TRUSTEE_FORM
TRUSTEE_TYPE
WELL_KNOWN_SID_TYPE
Authorization Functions
AccessCheck
AccessCheckAndAuditAlarm
AccessCheckByType
AccessCheckByTypeAndAuditAlarm
AccessCheckByTypeResultList
DeriveCapabilitySidsFromName
AccessCheckByTypeResultListAndAuditAlarm
AccessCheckByTypeResultListAndAuditAlarmByHandle
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddConditionalAce
AddMandatoryAce
AddResourceAttributeAce
AddScopedPolicyIDAce
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AreAllAccessesGranted
AreAnyAccessesGranted
AuditComputeEffectivePolicyBySid
AuditComputeEffectivePolicyByToken
AuditEnumerateCategories
AuditEnumeratePerUserPolicy
AuditEnumerateSubCategories
AuditFree
AuditLookupCategoryGuidFromCategoryId
AuditLookupCategoryIdFromCategoryGuid
AuditLookupCategoryName
AuditLookupSubCategoryName
AuditQueryGlobalSacl
AuditQueryPerUserPolicy
AuditQuerySecurity
AuditQuerySystemPolicy
AuditSetGlobalSacl
AuditSetPerUserPolicy
AuditSetSecurity
AuditSetSystemPolicy
AuthzAccessCheck
AuthzAccessCheckCallback
AuthzAddSidsToContext
AuthzCachedAccessCheck
AuthzComputeGroupsCallback
AuthzEnumerateSecurityEventSources
AuthzFreeAuditEvent
AuthzFreeCentralAccessPolicyCache
AuthzFreeCentralAccessPolicyCallback
AuthzFreeContext
AuthzFreeGroupsCallback
AuthzFreeHandle
AuthzFreeResourceManager
AuthzGetCentralAccessPolicyCallback
AuthzGetInformationFromContext
AuthzInitializeCompoundContext
AuthzInitializeContextFromAuthzContext
AuthzInitializeContextFromSid
AuthzInitializeContextFromToken
AuthzInitializeObjectAccessAuditEvent
AuthzInitializeObjectAccessAuditEvent2
AuthzInitializeRemoteResourceManager
AuthzInitializeResourceManager
AuthzInitializeResourceManagerEx
AuthzInstallSecurityEventSource
AuthzModifyClaims
AuthzModifySecurityAttributes
AuthzModifySids
AuthzOpenObjectAudit
AuthzRegisterCapChangeNotification
AuthzRegisterSecurityEventSource
AuthzReportSecurityEvent
AuthzReportSecurityEventFromParams
AuthzSetAppContainerInformation
AuthzUninstallSecurityEventSource
AuthzUnregisterCapChangeNotification
AuthzUnregisterSecurityEventSource
BuildExplicitAccessWithName
BuildImpersonateExplicitAccessWithName
BuildImpersonateTrustee
BuildSecurityDescriptor
BuildTrusteeWithName
BuildTrusteeWithObjectsAndName
BuildTrusteeWithObjectsAndSid
BuildTrusteeWithSid
CheckTokenCapability
CheckTokenMembership
CheckTokenMembershipEx
ConvertSecurityDescriptorToStringSecurityDescriptor
ConvertSidToStringSid
ConvertStringSecurityDescriptorToSecurityDescriptor
ConvertStringSidToSid
ConvertToAutoInheritPrivateObjectSecurity
CopySid
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateRestrictedToken
CreateSecurityPage
CreateWellKnownSid
DeleteAce
DestroyPrivateObjectSecurity
DSCreateSecurityPage
DSCreateISecurityInfoObject
DSCreateISecurityInfoObjectEx
DSEditSecurity
DuplicateToken
DuplicateTokenEx
EditSecurity
EditSecurityAdvanced
EqualDomainSid
EqualPrefixSid
EqualSid
FindFirstFreeAce
FreeInheritedFromArray
FreeSid
GetAce
GetAclInformation
GetAppContainerNamedObjectPath
GetAuditedPermissionsFromAcl
GetCurrentProcessToken
GetCurrentThreadEffectiveToken
GetCurrentThreadToken
GetEffectiveRightsFromAcl
GetExplicitEntriesFromAcl
GetFileSecurity
GetInheritanceSource
GetKernelObjectSecurity
GetLengthSid
GetMultipleTrustee
GetMultipleTrusteeOperation
GetNamedSecurityInfo
GetPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorRMControl
GetSecurityDescriptorSacl
GetSecurityInfo
GetSidIdentifierAuthority
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
GetTrusteeForm
GetTrusteeName
GetTrusteeType
GetUserObjectSecurity
GetWindowsAccountDomainSid
ImpersonateAnonymousToken
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
ImpersonateSelf
InitializeAcl
InitializeSecurityDescriptor
InitializeSid
IsTokenRestricted
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
IsWellKnownSid
LookupAccountName
LookupAccountSid
LookupAccountSidLocal
LookupPrivilegeDisplayName
LookupPrivilegeName
LookupPrivilegeValue
LookupSecurityDescriptorParts
MakeAbsoluteSD
MakeSelfRelativeSD
MapGenericMask
NtCompareTokens
ObjectCloseAuditAlarm
ObjectDeleteAuditAlarm
ObjectOpenAuditAlarm
ObjectPrivilegeAuditAlarm
OpenProcessToken
OpenThreadToken
PrivilegeCheck
PrivilegedServiceAuditAlarm
QuerySecurityAccessMask
QueryServiceObjectSecurity
RegGetKeySecurity
RegSetKeySecurity
RevertToSelf
RtlConvertSidToUnicodeString
SetAclInformation
SetEntriesInAcl
SetFileSecurity
SetKernelObjectSecurity
SetNamedSecurityInfo
SetPrivateObjectSecurity
SetPrivateObjectSecurityEx
SetSecurityAccessMask
SetSecurityDescriptorControl
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorRMControl
SetSecurityDescriptorSacl
SetSecurityInfo
SetServiceObjectSecurity
SetThreadToken
SetTokenInformation
SetUserObjectSecurity
TreeResetNamedSecurityInfo
TreeSetNamedSecurityInfo
Authorization Interfaces
IAzApplication
IAzApplication Methods
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CreateApplicationGroup Method
CreateOperation Method
CreateRole Method
CreateScope Method
CreateTask Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeleteOperation Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
DeleteRole Method
DeleteScope Method
DeleteTask Method
GetProperty Method
InitializeClientContextFromName Method
InitializeClientContextFromStringSid Method
InitializeClientContextFromToken Method
OpenApplicationGroup Method
OpenOperation Method
OpenRole Method
OpenScope Method
OpenTask Method
SetProperty Method
Submit Method
IAzApplication Properties
ApplicationData Property
ApplicationGroups Property
ApplyStoreSacl Property
AuthzInterfaceClsid Property
DelegatedPolicyUsers Property
DelegatedPolicyUsersName Property
Description Property
GenerateAudits Property
Name Property
Operations Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
Roles Property
Scopes Property
Tasks Property
Version Property
Writable Property
IAzApplication2
IAzApplication2 Methods
InitializeClientContext2 Method
InitializeClientContextFromToken2 Method
IAzApplication3
IAzApplication3 Methods
CreateRoleAssignment Method
CreateRoleDefinition Method
CreateScope2 Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
DeleteScope2 Method
OpenRoleAssignment Method
OpenRoleDefinition Method
OpenScope2 Method
ScopeExists Method
IAzApplication3 Properties
BizRulesEnabled Property
RoleAssignments Property
RoleDefinitions Property
IAzApplications
IAzApplications Properties
Count Property
Item Property
_NewEnum Property
IAzApplicationGroup
IAzApplicationGroup Methods
AddAppMember Method
AddAppNonMember Method
AddMember Method
AddMemberName Method
AddNonMember Method
AddNonMemberName Method
AddPropertyItem Method
DeleteAppMember Method
DeleteAppNonMember Method
DeleteMember Method
DeleteMemberName Method
DeleteNonMember Method
DeleteNonMemberName Method
DeletePropertyItem Method
GetProperty Method
SetProperty Method
Submit Method
IAzApplicationGroup Properties
AppMembers Property
AppNonMembers Property
Description Property
LdapQuery Property
Members Property
MembersName Property
Name Property
NonMembers Property
NonMembersName Property
Type Property
Writable Property
IAzApplicationGroup2
IAzApplicationGroup2 Properties
BizRule Property
BizRuleImportedPath Property
BizRuleLanguage Property
RoleAssignments Property
IAzApplicationGroups
IAzApplicationGroups Properties
Count Property
Item Property
_NewEnum Property
IAzAuthorizationStore
IAzAuthorizationStore Methods
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CloseApplication Method
CreateApplication Method
CreateApplicationGroup Method
Delete Method
DeleteApplication Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
GetProperty Method
Initialize Method
OpenApplication Method
OpenApplicationGroup Method
SetProperty Method
Submit Method
UpdateCache Method
IAzAuthorizationStore Properties
ApplicationData Property
ApplicationGroups Property
Applications Property
ApplyStoreSacl Property
DelegatedPolicyUsers Property
DelegatedPolicyUsersName Property
Description Property
DomainTimeout Property
GenerateAudits Property
MaxScriptEngines Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
ScriptEngineTimeout Property
TargetMachine Property
Writable Property
IAzAuthorizationStore2
IAzAuthorizationStore2 Methods
CreateApplication2 Method
OpenApplication2 Method
IAzAuthorizationStore3
IAzAuthorizationStore3 Methods
BizruleGroupSupported Method
GetSchemaVersion Method
IsFunctionalLevelUpgradeSupported Method
IsUpdateNeeded Method
UpgradeStoresFunctionalLevel Method
IAzBizRuleContext
IAzBizRuleContext Properties
BusinessRuleResult Property
BusinessRuleString Property
GetParameter Method
IAzBizRuleInterfaces
IAzBizRuleInterfaces Methods
AddInterface Method
AddInterfaces Method
GetInterfaceValue Method
Remove Method
RemoveAll Method
IAzBizRuleInterfaces Properties
Count Property
IAzBizRuleParameters
IAzBizRuleParameters Methods
AddParameter Method
AddParameters Method
GetParameterValue Method
Remove Method
RemoveAll Method
IAzBizRuleParameters Properties
Count Property
IAzClientContext
IAzClientContext Methods
AccessCheck Method
GetBusinessRuleString Method
GetProperty Method
GetRoles Method
IAzClientContext Properties
RoleForAccessCheck Property
UserCanonical Property
UserDisplay Property
UserDn Property
UserDnsSamCompat Property
UserGuid Property
UserSamCompat Property
UserUpn Property
IAzClientContext2
IAzClientContext2 Methods
AddApplicationGroups Method
AddRoles Method
AddStringSids Method
GetAssignedScopesPage Method
IAzClientContext2 Properties
LDAPQueryDN Property
IAzClientContext3
IAzClientContext3 Methods
AccessCheck2 Method
GetGroups Method
GetOperations Method
GetTasks Method
IsInRoleAssignment Method
IAzClientContext3 Properties
BizRuleInterfaces Property
BizRuleParameters Property
Sids Property
IAzNameResolver
IAzNameResolver Methods
NameFromSid Method
NamesFromSids Method
IAzObjectPicker
IAzObjectPicker Methods
GetPrincipals Method
Name Property
IAzOperation
IAzOperation Methods
GetProperty Method
SetProperty Method
Submit Method
IAzOperation Properties
ApplicationData Property
Description Property
Name Property
OperationID Property
Writable Property
IAzOperation2
IAzOperation2 Methods
RoleAssignments Method
IAzOperations
IAzOperations Properties
Count Property
Item Property
_NewEnum Property
IAzPrincipalLocator
IAzPrincipalLocator Properties
NameResolver Property
ObjectPicker Property
IAzRole
IAzRole Methods
AddAppMember Method
AddMember Method
AddMemberName Method
AddOperation Method
AddPropertyItem Method
AddTask Method
DeleteAppMember Method
DeleteMember Method
DeleteMemberName Method
DeleteOperation Method
DeletePropertyItem Method
DeleteTask Method
GetProperty Method
SetProperty Method
Submit Method
IAzRole Properties
ApplicationData Property
AppMembers Property
Description Property
Members Property
MembersName Property
Name Property
Operations Property
Tasks Property
Writable Property
IAzRoleAssignment
IAzRoleAssignment Methods
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleAssignment Properties
RoleDefinitions Property
Scope Property
IAzRoleAssignments
IAzRoleAssignments Properties
Count Property
Item Property
_NewEnum Property
IAzRoleDefinition
IAzRoleDefinition Methods
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleDefinition Properties
RoleAssignments Property
RoleDefinitions Property
IAzRoleDefinitions
IAzRoleDefinitions Properties
Count Property
Item Property
_NewEnum Property
IAzRoles
IAzRoles Properties
Count Property
Item Property
_NewEnum Property
IAzScope
IAzScope Methods
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CreateApplicationGroup Method
CreateRole Method
CreateTask Method
DeleteApplicationGroup Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
DeleteRole Method
DeleteTask Method
GetProperty Method
OpenApplicationGroup Method
OpenRole Method
OpenTask Method
SetProperty Method
Submit Method
IAzScope Properties
ApplicationData Property
ApplicationGroups Property
BizrulesWritable Property
CanBeDelegated Property
Description Property
Name Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
Roles Property
Tasks Property
Writable Property
IAzScope2
IAzScope2 Methods
CreateRoleAssignment Method
CreateRoleDefinition Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
OpenRoleAssignment Method
OpenRoleDefinition Method
IAzScope2 Properties
RoleAssignments Property
RoleDefinitions Property
IAzScopes
IAzScopes Properties
Count Property
Item Property
NewEnum Property
IAzTask
IAzTask Methods
AddOperation Method
AddPropertyItem Method
AddTask Method
DeleteOperation Method
DeletePropertyItem Method
DeleteTask Method
GetProperty Method
SetProperty Method
Submit Method
IAzTask Properties
ApplicationData Property
BizRule Property
BizRuleImportedPath Property
BizRuleLanguage Property
Description Property
IsRoleDefinition Property
Name Property
Operations Property
Tasks Property
Writable Property
IAzTask2
IAzTask2 Methods
RoleAssignments Method
IAzTasks
IAzTasks Properties
Count Property
Item Property
_NewEnum Property
IeAxiService
IeAxiService Methods
Cleanup Method
Initialize Method
IeAxiServiceCallback
IeAxiServiceCallback Methods
VerifyFile Method
IeAxiSystemInstaller
IeAxiSystemInstaller Methods
InitializeSystemInstaller Method
IEffectivePermission
IEffectivePermission Methods
GetEffectivePermission Method
IEffectivePermission2
ComputeEffectivePermissionWithSecondarySecurity Method
ISecurityInformation
ISecurityInformation Methods
GetAccessRights Method
GetInheritTypes Method
GetObjectInformation Method
GetSecurity Method
MapGeneric Method
PropertySheetPageCallback Method
SetSecurity Method
ISecurityInformation2
ISecurityInformation2 Methods
IsDaclCanonical Method
LookupSids Method
ISecurityInformation3
ISecurityInformation3 Methods
GetFullResourceName Method
OpenElevatedEditor Method
ISecurityInformation4
GetSecondarySecurity Method
ISecurityObjectTypeInfo
ISecurityObjectTypeInfo Methods
GetInheritSource Method
Authorization Objects
CIeAxiInstallerService
Authorization Structures
ACCESS_ALLOWED_ACE
ACCESS_ALLOWED_CALLBACK_ACE
ACCESS_ALLOWED_CALLBACK_OBJECT_ACE
ACCESS_ALLOWED_OBJECT_ACE
ACCESS_DENIED_ACE
ACCESS_DENIED_CALLBACK_ACE
ACCESS_DENIED_CALLBACK_OBJECT_ACE
ACCESS_DENIED_OBJECT_ACE
ACE
ACE_HEADER
ACL
ACL_REVISION_INFORMATION
ACL_SIZE_INFORMATION
AUDIT_POLICY_INFORMATION
AUTHZ_ACCESS_REPLY
AUTHZ_ACCESS_REQUEST
AUTHZ_INIT_INFO
AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET
AUTHZ_RPC_INIT_INFO_CLIENT
AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE
AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
AUTHZ_SECURITY_ATTRIBUTE_V1
AUTHZ_SECURITY_ATTRIBUTES_INFORMATION
AUTHZ_SOURCE_SCHEMA_REGISTRATION
CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE
CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1
CLAIM_SECURITY_ATTRIBUTE_V1
CLAIM_SECURITY_ATTRIBUTES_INFORMATION
EFFPERM_RESULT_LIST
EXPLICIT_ACCESS
GENERIC_MAPPING
INHERITED_FROM
LUID
LUID_AND_ATTRIBUTES
OBJECT_TYPE_LIST
OBJECTS_AND_NAME
OBJECTS_AND_SID
POLICY_AUDIT_SID_ARRAY
PRIVILEGE_SET
SECURITY_ATTRIBUTES
SECURITY_CAPABILITIES
SECURITY_DESCRIPTOR
SECURITY_OBJECT
SECURITY_QUALITY_OF_SERVICE
SI_ACCESS
SI_INHERIT_TYPE
SI_OBJECT_INFO
SID
SID_AND_ATTRIBUTES
SID_AND_ATTRIBUTES_HASH
SID_IDENTIFIER_AUTHORITY
SID_INFO
SID_INFO_LIST
SYSTEM_ALARM_ACE
SYSTEM_ALARM_CALLBACK_ACE
SYSTEM_ALARM_CALLBACK_OBJECT_ACE
SYSTEM_ALARM_OBJECT_ACE
SYSTEM_AUDIT_ACE
SYSTEM_AUDIT_CALLBACK_ACE
SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
SYSTEM_AUDIT_OBJECT_ACE
SYSTEM_MANDATORY_LABEL_ACE
SYSTEM_RESOURCE_ATTRIBUTE_ACE
SYSTEM_SCOPED_POLICY_ID_ACE
TOKEN_ACCESS_INFORMATION
TOKEN_APPCONTAINER_INFORMATION
TOKEN_AUDIT_POLICY
TOKEN_CONTROL
TOKEN_DEFAULT_DACL
TOKEN_DEVICE_CLAIMS
TOKEN_ELEVATION
TOKEN_GROUPS
TOKEN_GROUPS_AND_PRIVILEGES
TOKEN_LINKED_TOKEN
TOKEN_MANDATORY_LABEL
TOKEN_MANDATORY_POLICY
TOKEN_ORIGIN
TOKEN_OWNER
TOKEN_PRIMARY_GROUP
TOKEN_PRIVILEGES
TOKEN_SOURCE
TOKEN_STATISTICS
TOKEN_USER
TOKEN_USER_CLAIMS
TRUSTEE
Microsoft.Interop.Security.AzRoles Assembly
Microsoft.Interop.Security.AzRoles.IAzApplication
Microsoft.Interop.Security.AzRoles.IAzApplication2
Microsoft.Interop.Security.AzRoles.IAzApplication3
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2
Microsoft.Interop.Security.AzRoles.IAzApplicationGroups
Microsoft.Interop.Security.AzRoles.IAzApplications
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3
Microsoft.Interop.Security.AzRoles.IAzBizRuleContext
Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces
Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters
Microsoft.Interop.Security.AzRoles.IAzClientContext
Microsoft.Interop.Security.AzRoles.IAzClientContext2
Microsoft.Interop.Security.AzRoles.IAzClientContext3
Microsoft.Interop.Security.AzRoles.IAzNameResolver
Microsoft.Interop.Security.AzRoles.IAzObjectPicker
Microsoft.Interop.Security.AzRoles.IAzOperation
Microsoft.Interop.Security.AzRoles.IAzOperation2
Microsoft.Interop.Security.AzRoles.IAzOperations
Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator
Microsoft.Interop.Security.AzRoles.IAzRole
Microsoft.Interop.Security.AzRoles.IAzRoleAssignment
Microsoft.Interop.Security.AzRoles.IAzRoleAssignments
Microsoft.Interop.Security.AzRoles.IAzRoleDefinition
Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions
Microsoft.Interop.Security.AzRoles.IAzRoles
Microsoft.Interop.Security.AzRoles.IAzScope
Microsoft.Interop.Security.AzRoles.IAzScope2
Microsoft.Interop.Security.AzRoles.IAzScopes
Microsoft.Interop.Security.AzRoles.IAzTask
Microsoft.Interop.Security.AzRoles.IAzTask2
Microsoft.Interop.Security.AzRoles.IAzTasks
Authorization
3/5/2021 • 2 minutes to read • Edit Online
Purpose
Authorization is the right granted an individual to use the system and the data stored on it. Authorization is
typically set up by a system administrator and verified by the computer based on some form of user
identification, such as a code number or password.
Microsoft authorization technologies include Authorization Manager and the Authz API.
Developer audience
Microsoft authorization technologies are intended for use by developers of applications based on the Windows
Server and Windows operating systems that control access to resources. Developers should be familiar with
Windows-based programming. Although not required, an understanding of authorization or security-related
subjects is advised.
Run-time requirements
For information about run-time requirements for a particular programming element, see the Requirements
section of the reference page for that element.
In this section
TO P IC DESC RIP T IO N
Access Control Security features that control who can access resources in
the operating system. Applications call access control
functions to set who can access specific resources or control
access to resources provided by the application.
Access Control Editor Create and use property sheets and property pages that
enable the user to view and modify the components of an
object's security descriptor.
Access Control for Application Resources Role-based and ACL-based access control for application
resources.
User Account Control Security feature that enables users to perform common
tasks as nonadministrators, called standard users, and as
administrators without having to switch users, log off, or use
Run As .
Access Control (Authorization)
3/5/2021 • 2 minutes to read • Edit Online
Access control refers to security features that control who can access resources in the operating system.
Applications call access control functions to set who can access specific resources or control access to resources
provided by the application.
This overview describes the security model for controlling access to Windows objects, such as files, and for
controlling access to administrative functions, such as setting the system time or auditing user actions. The
Access Control Model topic provides a high-level description of the parts of access control and how they interact
with each other.
The following topics describe access control:
C2-level Security
Access Control Model
Security Descriptor Definition Language
Privileges
Audit Generation
Securable Objects
Low-level Access Control
The following are common access control tasks:
How DACLs Control Access to an Object
Controlling Child Object Creation in C++
ACEs to Control Access to an Object's Properties
Requesting Access Rights to an Object
The following topics provide example code for access control tasks:
Modifying the ACLs of an Object in C++
Creating a Security Descriptor for a New Object in C++
Controlling Child Object Creation in C++
Enabling and Disabling Privileges in C++
Searching for a SID in an Access Token in C++
Finding the Owner of a File Object in C++
Taking Object Ownership in C++
Creating a DACL
C2-level Security
3/5/2021 • 2 minutes to read • Edit Online
The following list includes some of the most important requirements of C2-level security, as defined by the U.S.
Department of Defense:
It must be possible to control access to a resource by granting or denying access to individual users or
named groups of users.
Memory must be protected so that its contents cannot be read after a process frees it. Similarly, a secure file
system, such as NTFS, must protect deleted files from being read.
Users must identify themselves in a unique manner, such as by password, when they log on. All auditable
actions must identify the user performing the action.
System administrators must be able to audit security-related events. However, access to the security-related
events audit data must be limited to authorized administrators.
The system must be protected from external interference or tampering, such as modification of the running
system or of system files stored on disk.
Access Control Model
3/5/2021 • 2 minutes to read • Edit Online
The access control model enables you to control the ability of a process to access securable objects or to
perform various system administration tasks.
The following topics provide a high-level description of the parts of the access control model and how they
interact with each other.
Parts of the Access Control Model
Interaction Between Threads and Securable Objects
DACLs and ACEs
Null DACLs and Empty DACLs
Allowing Anonymous Access
Parts of the Access Control Model
3/5/2021 • 2 minutes to read • Edit Online
An access token is an object that describes the security context of a process or thread. The information in a token
includes the identity and privileges of the user account associated with the process or thread. When a user logs
on, the system verifies the user's password by comparing it with information stored in a security database. If the
password is authenticated, the system produces an access token. Every process executed on behalf of this user
has a copy of this access token.
The system uses an access token to identify the user when a thread interacts with a securable object or tries to
perform a system task that requires privileges. Access tokens contain the following information:
The security identifier (SID) for the user's account
SIDs for the groups of which the user is a member
A logon SID that identifies the current logon session
A list of the privileges held by either the user or the user's groups
An owner SID
The SID for the primary group
The default DACL that the system uses when the user creates a securable object without specifying a security
descriptor
The source of the access token
Whether the token is a primary or impersonation token
An optional list of restricting SIDs
Current impersonation levels
Other statistics
Every process has a primary token that describes the security context of the user account associated with the
process. By default, the system uses the primary token when a thread of the process interacts with a securable
object. Moreover, a thread can impersonate a client account. Impersonation allows the thread to interact with
securable objects using the client's security context. A thread that is impersonating a client has both a primary
token and an impersonation token.
Use the OpenProcessToken function to retrieve a handle to the primary token of a process. Use the
OpenThreadToken function to retrieve a handle to the impersonation token of a thread. For more information,
see Impersonation.
You can use the following functions to manipulate access tokens.
F UN C T IO N DESC RIP T IO N
The access token functions use the following structures to describe the parts of an access token.
TOKEN_DEFAULT_DACL The default DACL that the system uses in the security
descriptors of new objects created by a thread.
TOKEN_OWNER The default owner SID for the security descriptors of new
objects.
TOKEN_PRIMARY_GROUP The default primary group SID for the security descriptors of
new objects.
EN UM ERAT IO N T Y P E SP EC IF IES
TOKEN_INFORMATION_CL ASS Identifies the type of information being set or retrieved from
an access token.
A restricted token is a primary or impersonation access token that has been modified by the
CreateRestrictedToken function. A process or impersonating thread running in the security context of a
restricted token is restricted in its ability to access securable objects or perform privileged operations. The
CreateRestrictedToken function can restrict a token in the following ways:
Remove privileges from the token.
Apply the deny-only attribute to SIDs in the token so that they cannot be used to access secured objects. For
more information about the deny-only attribute, see SID Attributes in an Access Token.
Specify a list of restricting SIDs, which can limit access to securable objects.
The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a
restricted process or thread tries to access a securable object, the system performs two access checks: one using
the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access
checks allow the requested access rights. For more information about access checks, see How DACLs Control
Access to an Object.
You can use a restricted primary token in a call to the CreateProcessAsUser function. Typically, the process
that calls CreateProcessAsUser must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege, which is usually
held only by system code or by services running in the LocalSystem account. However, if the
CreateProcessAsUser call specifies a restricted version of the caller's primary token, this privilege is not
required. This enables ordinary applications to create restricted processes.
You can also use a restricted primary or impersonation token in the ImpersonateLoggedOnUser function.
To determine whether a token has a list of restricting SIDs, call the IsTokenRestricted function.
NOTE
Applications that use restricted tokens should run the restricted application on desktops other than the default desktop.
This is necessary to prevent an attack by a restricted application, using SendMessage or PostMessage , to unrestricted
applications on the default desktop. If necessary, switch between desktops for your application purposes.
SID Attributes in an Access Token
3/5/2021 • 2 minutes to read • Edit Online
Each user and group security identifier (SID) in an access token has a set of attributes that control how the
system uses the SID in an access check. The following table lists the attributes that control access checking.
SE_GROUP_ENABLED A SID with this attribute is enabled for access checks. When
the system performs an access check, it checks for access-
allowed and access-denied access control entries (ACEs) that
apply to one of the enabled SIDs in the access token. A SID
without this attribute is ignored during an access check
unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.
To set or clear the SE_GROUP_ENABLED attribute of a group SID, use the AdjustTokenGroups function. You
cannot disable a group SID that has the SE_GROUP_MANDATORY attribute. You cannot use
AdjustTokenGroups to disable the user SID of an access token.
To determine whether a SID is enabled in a token, that is, whether it has the SE_GROUP_ENABLED attribute, call
the CheckTokenMembership function.
To set the SE_GROUP_USE_FOR_DENY_ONLY attribute of a SID, include the SID in the list of deny-only SIDs that
you specify when you call the CreateRestrictedToken function. CreateRestrictedToken can apply the
SE_GROUP_USE_FOR_DENY_ONLY attribute to any SID, including the user SID and group SIDs that have the
SE_GROUP_MANDATORY attribute. However, you cannot remove the deny-only attribute from a SID, nor can
you use AdjustTokenGroups to set the SE_GROUP_ENABLED attribute on a deny-only SID.
To get the attributes of a SID, call the GetTokenInformation function with the TokenGroups value. The function
returns an array of SID_AND_ATTRIBUTES structures that identify the group SIDs and their attributes.
Access Rights for Access-Token Objects
4/30/2021 • 2 minutes to read • Edit Online
An application cannot change the access control list of an object unless the application has the rights to do so.
These rights are controlled by a security descriptor in the access token for the object. For more information
about security, see Access Control Model.
To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and
SetKernelObjectSecurity functions.
When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the
system checks the requested access rights against the DACL in the token's security descriptor.
The following are valid access rights for access-token objects:
The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do
not support the SYNCHRONIZE standard access right.
The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
The specific access rights for access tokens, which are listed in the following table.
VA L UE M EA N IN G
A security descriptor contains the security information associated with a securable object. A security descriptor
consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor
can include the following security information:
Security identifiers (SIDs) for the owner and primary group of an object.
A DACL that specifies the access rights allowed or denied to particular users or groups.
A SACL that specifies the types of access attempts that generate audit records for the object.
A set of control bits that qualify the meaning of a security descriptor or its individual members.
Applications must not directly manipulate the contents of a security descriptor. The Windows API provides
functions for setting and retrieving the security information in an object's security descriptor. In addition, there
are functions for creating and initializing a security descriptor for a new object.
Applications working with security descriptors on Active Directory objects can use the Windows security
functions or the security interfaces provided by the Active Directory Service Interfaces (ADSI). For more
information about ADSI security interfaces, see How Access Control Works in Active Directory.
Security Descriptor Operations
3/5/2021 • 2 minutes to read • Edit Online
The Windows API provides functions for getting and setting the components of the security descriptor
associated with a securable object. Use the GetSecurityInfo and GetNamedSecurityInfo functions to retrieve
a pointer to an object's security descriptor. These functions can also retrieve pointers to the individual
components of the security descriptor: DACL, SACL, owner SID, and primary group SID. Use the
SetSecurityInfo and SetNamedSecurityInfo functions to set the components of an object's security
descriptor.
In general, you should use GetSecurityInfo and SetSecurityInfo with objects identified by a handle, and
SetNamedSecurityInfo and GetNamedSecurityInfo with objects identified by a name. For more
information about the specific functions to use when working with the various types of objects, see Securable
Objects.
The Windows API provides additional functions for manipulating the components of a security descriptor. For
information about working with access control lists (DACLs or SACLs), see Getting Information from an ACL and
Creating or Modifying an ACL. For information about SIDs, see Security Identifiers (SIDs).
To get the control information in a security descriptor, call the GetSecurityDescriptorControl function. To set
the control bits that relate to automatic ACE inheritance, call the SetSecurityDescriptorControl function.
Other control bits are set by the various functions that set a security descriptor component. For example, if you
use SetSecurityInfo to change an object's DACL, the function sets or clears the bits as appropriate to indicate
whether the security descriptor has a DACL, whether it is a default DACL, and so on. Another example is the
resource manager (RM) control bits contained in the security descriptor. These bits are used according to the
implementation of the resource manager, and are accessed through the GetSecurityDescriptorRMControl
and SetSecurityDescriptorRMControl functions.
Security Descriptors for New Objects
3/5/2021 • 2 minutes to read • Edit Online
When you create a securable object, you can assign a security descriptor to the new object. The functions for
creating securable objects, such as CreateFile or RegCreateKeyEx , have a parameter that points to the
SECURITY_ATTRIBUTES structure that can contain a pointer to the new object's security descriptor. For sample
code that builds a security descriptor and then calls RegCreateKeyEx to assign the security descriptor to a new
registry key, see Creating a Security Descriptor for a New Object in C++.
The system component or server that manages the object can store the specified or default security descriptor
to make it a persistent attribute of the object. If an object's creator does not specify a security descriptor, the
system uses inherited or default security information to create a security descriptor. You can use functions to
change the information in an object's security descriptor.
Directory service objects, files, directories, registry keys, and desktops are securable objects that can have a
parent object. When you create one of these objects, the system checks for inheritable ACEs in the security
descriptor of the parent object. The system typically merges any inheritable ACEs into the ACLs of the new
object's security descriptor. You can prevent a DACL or SACL from inheriting ACEs by setting the
SE_DACL_PROTECTED or SE_SACL_PROTECTED bits in the security descriptor's control bits. For more
information, see ACE inheritance.
DACL for a New Object
3/5/2021 • 2 minutes to read • Edit Online
The system uses the following algorithm to build a DACL for most types of new securable objects:
1. The object's DACL is the DACL from the security descriptor specified by the object's creator. The system
merges any inheritable ACEs into the specified DACL unless the SE_DACL_PROTECTED bit is set in the
security descriptor's control bits.
2. If the creator does not specify a security descriptor, the system builds the object's DACL from inheritable
ACEs.
3. If no security descriptor is specified and there are no inheritable ACEs, the object's DACL is the default DACL
from the primary or impersonation token of the creator.
4. If there is no specified, inherited, or default DACL, the system creates the object with no DACL, which allows
everyone full access to the object.
The system uses a different algorithm to build a DACL for a new Active Directory object. For more information,
see How Security Descriptors are Set on New Directory Objects.
SACL for a New Object
3/5/2021 • 2 minutes to read • Edit Online
The system uses the following algorithm to build a SACL for most types of new securable objects:
1. The object's SACL is the SACL from the security descriptor specified by the object's creator. The system
merges any inheritable ACEs into the specified SACL unless the SE_SACL_PROTECTED bit is set in the security
descriptor's control bits. SYSTEM_RESOURCE_ATTRIBUTE_ACEs and SYSTEM_SCOPED_POLICY_ID_ACEs from
a parent object will be merged to a new object even if the SE_SACL_PROTECTED bit is set.
2. If the creator does not specify a security descriptor, the system builds the object's SACL from inheritable
ACEs.
3. If there is no specified or inherited SACL, the object has no SACL.
To specify a SACL for a new object, the object's creator must have the SE_SECURITY_NAME privilege enabled. If
the specified SACL for a new object contain only SYSTEM_RESOURCE_ATTRIBUTE_ACEs, then the
SE_SECURITY_NAME privilege is not required. The creator does not need this privilege if the object's SACL is
built from inherited ACEs.
The system uses a different algorithm to build a SACL for a new Active Directory object. For more information,
see How Security Descriptors are Set on New Directory Objects.
Owner of a New Object
3/5/2021 • 2 minutes to read • Edit Online
An object's owner implicitly has WRITE_DAC access to the object. This means that the owner can modify the
object's discretionary access control list (DACL), and thus, can control access to the object.
The owner of a new object is the default owner security identifier (SID) from the primary or impersonation
token of the creating process. To get or set the default owner in an access token, call the GetTokenInformation
or SetTokenInformation function with the TOKEN_OWNER structure. The system does not allow you to set a
token's default owner to a SID that is not valid, such as the SID of another user's account.
A process with the SE_TAKE_OWNERSHIP privilege enabled can set itself as the owner of an object. A process
with the SE_RESTORE_NAME privilege enabled or with WRITE_OWNER access to the object can set any valid
user or group SID as the owner of an object.
Primary Group of a New Object
3/5/2021 • 2 minutes to read • Edit Online
A new object's primary group is the primary group from the security descriptor specified by the object's creator.
If an object's creator does not specify a primary group, the object's primary group is the default primary group
from the creator's primary or impersonation token.
Security Descriptor Strings
3/5/2021 • 2 minutes to read • Edit Online
A valid functional security descriptor contains security information in binary format. The Windows API provides
functions for converting binary security descriptors to and from text strings. Security descriptors in string
format are not functional, but they can be useful for storing or transporting security descriptor information.
To convert a security descriptor to a string format, call the
Conver tSecurityDescriptorToStringSecurityDescriptor function. To convert a string-format security
descriptor back to a valid functional security descriptor, call the
Conver tStringSecurityDescriptorToSecurityDescriptor function.
For more information, see Security Descriptor Definition Language.
Access Control Lists
3/5/2021 • 2 minutes to read • Edit Online
An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and
specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable
object can contain two types of ACLs: a DACL and a SACL.
A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable
object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to
determine whether to grant access to it. If the object does not have a DACL, the system grants full access to
everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the
DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs
that allow all the requested access rights, or until any of the requested access rights are denied. For more
information, see How DACLs Control Access to an Object. For information about how to properly create a DACL,
see Creating a DACL.
A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE
specifies the types of access attempts by a specified trustee that cause the system to generate a record in the
security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds,
or both. For more information about SACLs, see Audit Generation and SACL Access Right.
Do not try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the
appropriate functions to create and manipulate ACLs. For more information, see Getting Information from an
ACL and Creating or Modifying an ACL.
ACLs also provide access control to Microsoft Active Directory directory service objects. Active Directory Service
Interfaces (ADSI) include routines to create and modify the contents of these ACLs. For more information, see
Controlling Access to Active Directory Objects.
Getting Information from an ACL
3/5/2021 • 2 minutes to read • Edit Online
Several functions are provided that retrieve access control information from an access control list (ACL). These
include functions for determining the access rights that an ACL grants or audits for a specified trustee. Other
functions enable you to extract information about the access control entries (ACEs) in an ACL.
The GetExplicitEntriesFromAcl function retrieves an array of EXPLICIT_ACCESS structures that describe the
ACEs in an ACL. This can be useful when copying ACE information from one ACL to another. For example, a call
to GetExplicitEntriesFromAcl to get information about the ACEs in one ACL can be followed by passing the
returned EXPLICIT_ACCESS structures in a call to the SetEntriesInAcl function to create equivalent ACEs in a
new ACL.
The GetEffectiveRightsFromAcl function enables you to determine the effective access rights that a DACL
grants to a specified trustee. The trustee's effective access rights are the access rights that a DACL grants to the
trustee or to any groups of which the trustee is a member. GetEffectiveRightsFromAcl checks all access-
allowed and access-denied ACEs in the specified DACL.
Use the following steps to determine a trustee's access rights to an object
1. Call the GetSecurityInfo or GetNamedSecurityInfo function to get a pointer to an object's DACL.
2. Call the GetEffectiveRightsFromAcl function to retrieve the access rights that the DACL grants to a
specified trustee.
The GetAuditedPermissionsFromAcl function enables you to check a SACL to determine the audited access
rights for a specified trustee or for any groups of which the trustee is a member. The audited rights indicate the
types of access attempts that cause the system to generate an audit record in the security event log. The function
returns two access masks: one containing the access rights monitored for failed access attempts, and another
containing the access rights monitored for successful access. GetAuditedPermissionsFromAcl checks all
system-audit ACEs in a SACL.
Creating or Modifying an ACL
3/5/2021 • 2 minutes to read • Edit Online
Windows supports a set of functions that create an access control list (ACL) or modify the access control entries
(ACEs) in an existing ACL.
The SetEntriesInAcl function creates a new ACL. SetEntriesInAcl can specify a completely new set of ACEs for
the ACL, or it can merge one or more new ACEs with the ACEs of an existing ACL. The SetEntriesInAcl function
uses an array of EXPLICIT_ACCESS structures to specify the information for the new ACEs. Each
EXPLICIT_ACCESS structure contains information that describes a single ACE. This information includes the
access rights, the type of ACE, the flags that control ACE inheritance, and a TRUSTEE structure that identifies the
trustee.
To add a new ACE to an existing ACL
1. Use the GetSecurityInfo or GetNamedSecurityInfo function to get the existing DACL or SACL from an
object's security descriptor.
2. For each new ACE, call the BuildExplicitAccessWithName function to fill an EXPLICIT_ACCESS structure
with the information that describes the ACE.
3. Call SetEntriesInAcl , specifying the existing ACL and an array of EXPLICIT_ACCESS structures for the new
ACEs. The SetEntriesInAcl function allocates and initializes the ACL and its ACEs.
4. Call the SetSecurityInfo or SetNamedSecurityInfo function to attach the new ACL to the object's security
descriptor.
If the caller specifies an existing ACL, SetEntriesInAcl merges the new ACE information with the existing ACEs
in the ACL. Consider the case, for example, in which the existing ACL grants access to a specified trustee and an
EXPLICIT_ACCESS structure denies access to the same trustee. In this case, SetEntriesInAcl adds a new
access-denied ACE for the trustee and deletes or modifies the existing access-allowed ACE for the trustee.
For sample code that merges a new ACE into an existing ACL, see Modifying the ACLs of an Object in C++.
Access Control Entries
3/5/2021 • 2 minutes to read • Edit Online
An access control entry (ACE) is an element in an access control list (ACL). An ACL can have zero or more ACEs.
Each ACE controls or monitors access to an object by a specified trustee. For information about adding,
removing, or changing the ACEs in an object's ACLs, see Modifying the ACLs of an Object in C++.
There are six types of ACEs, three of which are supported by all securable objects. The other three types are
Object-specific ACEs supported by directory service objects.
All types of ACEs contain the following access control information:
A security identifier (SID) that identifies the trustee to which the ACE applies.
An access mask that specifies the access rights controlled by the ACE.
A flag that indicates the type of ACE.
A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary
object to which the ACL is attached.
The following table lists the three ACE types supported by all securable objects.
NOTE
System-alarm object ACEs are not currently supported.
Trustees
3/5/2021 • 2 minutes to read • Edit Online
A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies.
Each ACE in an access control list (ACL) has one security identifier (SID) that identifies a trustee.
User accounts include accounts that human users or programs such as Windows Services use to log on to the
local computer.
Group accounts cannot be used to log on to a computer, but they are useful in ACEs to allow or deny a set of
access rights to one or more user accounts.
A logon SID that identifies the current logon session is useful to allow or deny access rights only until the user
logs off.
The access control functions use the TRUSTEE structure to identify a trustee. The TRUSTEE structure enables
you to use a name string or a SID to identify a trustee. If you use a name, the functions that create an ACE from
the TRUSTEE structure perform the task of allocating the SID buffers and looking up the SID that corresponds
to the account name. There are two helper functions, BuildTrusteeWithSid and BuildTrusteeWithName , that
initialize a TRUSTEE structure with a specified SID or name. BuildTrusteeWithObjectsAndSid and
BuildTrusteeWithObjectsAndName allow you to initialize a TRUSTEE structure with object-specific ACE
information. Three other helper functions, GetTrusteeForm , GetTrusteeName , and GetTrusteeType , retrieve
the values of the various members of a TRUSTEE structure.
The ptstrName member of the TRUSTEE structure can be a pointer to an OBJECTS_AND_NAME or
OBJECTS_AND_SID structure. These structures specify information about an object-specific ACE in addition to
a trustee name or SID. This enables functions such as SetEntriesInAcl and GetExplicitEntriesFromAcl to
store object-specific ACE information in the Trustee member of the EXPLICIT_ACCESS structure.
Object-specific ACEs
3/5/2021 • 2 minutes to read • Edit Online
Object-specific ACEs are supported for directory service (DS) objects. An object-specific ACE contains a pair of
GUIDs that expand the ways in which the ACE can protect an object.
InheritedObjectType Indicates the type of child object that can inherit the ACE.
Inheritance is also controlled by the inheritance flags in the
ACE_HEADER, as well as by any protection against
inheritance placed on the child objects. For more
information, see ACE Inheritance.
NOTE
System-alarm object ACEs are not currently supported.
Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.
Order of ACEs in a DACL
3/5/2021 • 2 minutes to read • Edit Online
When a process tries to access a securable object, the system steps through the access control entries (ACEs) in
the object's discretionary access control list (DACL) until it finds ACEs that allow or deny the requested access.
The access rights that a DACL allows a user could vary depending on the order of ACEs in the DACL.
Consequently, the Windows XP operating system defines a preferred order for ACEs in the DACL of a securable
object. The preferred order provides a simple framework that ensures that an access-denied ACE actually denies
access. For more information about the system's algorithm for checking access, see How DACLs Control Access
to an Object.
For Windows Server 2003 and Windows XP, the proper order of ACEs is complicated by the introduction of
object-specific ACEs and automatic inheritance.
The following steps describe the preferred order:
1. All explicit ACEs are placed in a group before any inherited ACEs.
2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the child object's
parent come first, then ACEs inherited from the grandparent, and so on up the tree of objects.
4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.
Of course, not all ACE types are required in an ACL.
Functions such as AddAccessAllowedAceEx and AddAccessAllowedObjectAce add an ACE to the end of an
ACL. It is the caller's responsibility to ensure that the ACEs are added in the proper order.
ACE Inheritance
3/5/2021 • 2 minutes to read • Edit Online
An object's ACL can contain ACEs that it inherited from its parent container. For example, a registry subkey can
inherit ACEs from the key above it in the registry hierarchy. Likewise, a file in an NTFS file system can inherit
ACEs from the directory that contains it.
The ACE_HEADER structure of an ACE contains a set of inheritance flags that control ACE inheritance and the
effect of an ACE on the object to which it is attached. The system interprets the inheritance flags and other
inheritance information according to the rules of ACE inheritance.
These rules have been enhanced with the following features:
Support for automatic propagation of inheritable ACEs.
A flag that differentiates between inherited ACEs and ACEs that were directly applied to an object.
Object-specific ACEs that allow you to specify the type of child object that can inherit the ACE.
The ability to prevent a DACL or SACL from inheriting ACEs by setting the SE_DACL_PROTECTED or
SE_SACL_PROTECTED bits in the security descriptor's control bits except for
SYSTEM_RESOURCE_ATTRIBUTE_ACE and SYSTEM_SCOPED_POLICY_ID_ACE.
Automatic Propagation of Inheritable ACEs
3/5/2021 • 2 minutes to read • Edit Online
The system propagates inheritable access control entries (ACEs) to child objects according to a set of inheritance
rules. The system places inherited ACEs in the discretionary access control list (DACL) of the child according to
the preferred order of ACEs in a DACL. The system sets the INHERITED_ACE flag in all inherited ACEs.
The ACEs inherited by container and noncontainer child objects differ, depending on the combinations of
inheritance flags. These inheritance rules work the same for both DACLs and system access control lists (SACLs).
PA REN T A C E F L A G EF F EC T O N C H IL D A C L
If an inherited ACE is an effective ACE for the child object, the system maps any generic rights to the specific
rights for the child object. Similarly, the system maps generic security identifiers (SIDs), such as
CREATOR_OWNER, to the appropriate SID. If an inherited ACE is an inherit-only ACE, any generic rights or
generic SIDs are left unchanged so that they can be mapped appropriately when the ACE is inherited by the next
generation of child objects.
For a case in which a container object inherits an ACE that is both effective on the container and inheritable by
its descendants, the container may inherit two ACEs. This occurs if the inheritable ACE contains generic
information. The container inherits an inherit-only ACE that contains the generic information and an effective-
only ACE in which the generic information has been mapped.
An object-specific ACE has an InheritedObjectType member that can contain a GUID to identify the type of
object that can inherit the ACE.
If the InheritedObjectType GUID is not specified, the inheritance rules for an object-specific ACE are the same
as for a standard ACE.
If the InheritedObjectType GUID is specified, the ACE is inheritable by objects that match the GUID if
OBJECT_INHERIT_ACE is set, and by containers that match the GUID if CONTAINER_INHERIT_ACE is set. Note
that currently only DS objects support object-specific ACEs, and the DS treats all object types as containers.
ACEs to Control Access to an Object's Properties
3/5/2021 • 2 minutes to read • Edit Online
The discretionary access control list (DACL) of a directory service (DS) object can contain a hierarchy of access
control entries (ACEs), as follows:
1. ACEs that protect the object itself
2. Object-specific ACEs that protect a specified property set on the object
3. Object-specific ACEs that protect a specified property on the object
Within this hierarchy, the rights granted or denied at a higher level apply also to the lower levels. For example, if
an object-specific ACE on a property set allows a trustee the ADS_RIGHT_DS_READ_PROP right, the trustee has
implicit read access to all of the properties of that property set. Similarly, an ACE on the object itself that allows
ADS_RIGHT_DS_READ_PROP access gives the trustee read access to all of the object's properties.
The following illustration shows the tree of a hypothetical DS object and its property sets and properties.
Suppose you want to allow the following access to the properties of this DS object:
Allow Group A read/write permission to all of the object's properties
Allow everyone else read/write permission to all properties except Property D
To do this, set the ACEs in the object's DACL as shown in the following table.
The ACE for Group A does not have an object GUID, which means that it allows access to all the object's
properties. The object-specific ACE for Property Set 1 allows everyone access to Properties A and B. The other
object-specific ACE allows everyone access to Property C. Note that although this DACL does not have any
access-denied ACEs, it implicitly denies Property D access to everyone except Group A.
When a user tries to access an object's property, the system checks the ACEs, in order, until the requested access
is explicitly granted, denied, or there are no more ACEs, in which case, access is implicitly denied.
The system evaluates:
ACEs that apply to the object itself
Object-specific ACEs that apply to the property set that contains the property being accessed
Object-specific ACEs that apply to the property being accessed
The system ignores object-specific ACEs that apply to other property sets or properties.
Access Rights and Access Masks
3/5/2021 • 2 minutes to read • Edit Online
An access right is a bit flag that corresponds to a particular set of operations that a thread can perform on a
securable object. For example, a registry key has the KEY_SET_VALUE access right, which corresponds to the
ability of a thread to set a value under the key. If a thread tries to perform an operation on an object, but does
not have the necessary access right to the object, the system does not carry out the operation.
An access mask is a 32-bit value whose bits correspond to the access rights supported by an object. All
Windows securable objects use an access mask format that includes bits for the following types of access rights:
Generic access rights
Standard access rights
SACL access right
Directory services access rights
When a thread tries to open a handle to an object, the thread typically specifies an access mask to request a set
of access rights. For example, an application that needs to set and query the values of a registry key can open
the key by using an access mask to request the KEY_SET_VALUE and KEY_QUERY_VALUE access rights.
The following table shows the functions that manipulate the security information for each type of securable
object.
All securable objects arrange their access rights by using the access mask format shown in the following
illustration.
In this format, the low-order 16 bits are for object-specific access rights, the next 8 bits are for standard access
rights, which apply to most types of objects, and the 4 high-order bits are used to specify generic access rights
that each object type can map to a set of standard and object-specific rights. The ACCESS_SYSTEM_SECURITY bit
corresponds to the right to access the object's SACL.
Generic Access Rights
3/5/2021 • 2 minutes to read • Edit Online
Securable objects use an access mask format in which the four high-order bits specify generic access rights.
Each type of securable object maps these bits to a set of its standard and object-specific access rights. For
example, a Windows file object maps the GENERIC_READ bit to the READ_CONTROL and SYNCHRONIZE
standard access rights and to the FILE_READ_DATA, FILE_READ_EA, and FILE_READ_ATTRIBUTES object-specific
access rights. Other types of objects map the GENERIC_READ bit to whatever set of access rights is appropriate
for that type of object.
You can use generic access rights to specify the type of access you need when you are opening a handle to an
object. This is typically simpler than specifying all the corresponding standard and specific rights.
The following table shows the constants defined for the generic access rights.
Applications that define private securable objects can also use the generic access rights.
Standard Access Rights
3/5/2021 • 2 minutes to read • Edit Online
Each type of securable object has a set of access rights that correspond to operations specific to that type of
object. In addition to these object-specific access rights, there is a set of standard access rights that correspond
to operations common to most types of securable objects.
The access mask format includes a set of bits for the standard access rights. The following Windows constants
for standard access rights are defined in Winnt.h.
C O N STA N T M EA N IN G
SYNCHRONIZE The right to use the object for synchronization. This enables
a thread to wait until the object is in the signaled state.
Some object types do not support this access right.
Winnt.h also defines the following combinations of the standard access rights constants.
C O N STA N T M EA N IN G
The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security
descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access
token of the requesting thread.
To access an object's SACL
1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege.
2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.
3. Get or set the object's SACL by using a function such as GetSecurityInfo or SetSecurityInfo .
4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.
To access a SACL using the GetNamedSecurityInfo or SetNamedSecurityInfo functions, enable the
SE_SECURITY_NAME privilege. The function internally requests the access right.
The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a
SACL. However, you can use the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the
access right.
Directory Services Access Rights
3/5/2021 • 2 minutes to read • Edit Online
Each Active Directory object has a security descriptor assigned to it. A set of trustee rights specific to directory
service objects can be set within these security descriptors. These rights are listed in the following table. For
more information, see Control Access Rights.
RIGH T S M EA N IN G
When you open a handle to an object, the returned handle has some combination of access rights to the object.
Some functions, such as CreateSemaphore , do not require a specific set of requested access rights. These
functions always try to open the handle for full access. Other functions, such as CreateFile and OpenProcess ,
allow you to specify the set of access rights that you want. You should request only the access rights that you
need, rather than opening a handle for full access. This prevents using the handle in an unintended way, and
increases the chances that the access request will succeed if the object's DACL only allows limited access.
Use generic access rights to specify the type of access needed when opening a handle to an object. This is
typically simpler than specifying all the corresponding standard and specific rights. Alternatively, use the
MAXIMUM_ALLOWED constant to request that the object be opened with all the access rights that are valid for
the caller.
NOTE
The MAXIMUM_ALLOWED constant cannot be used in an ACE.
To get or set the SACL in an object's security descriptor, request the ACCESS_SYSTEM_SECURITY access right
when opening a handle to the object.
Centralized Authorization Policy
3/5/2021 • 2 minutes to read • Edit Online
The Dynamic Access Control (DAC) scenario enables centralized access control administration for enterprise file
server scenarios. Most organizations have multiple areas in which they want to control access.
Examples are:
Controlling access to sensitive information, in which files marked as sensitive would have specific
permissions
Controlling access to files containing personally identifiable information (PII.)
Limiting access to documents based on the organizations retention policies.
Several new authorization policy abstractions are provided to allow an administrator to define these policies
centrally and to simplify the definition process by allowing each of these access requirements to be defined and
maintained separately but applied as one policy.
Two new Active Directory policy objects, a central authorization policy (cap) and a central authorization policy
rule (capr) are introduced in windows 8 to define and apply centralized authorization policies based on
expressions of claims and resource attributes. in using these objects an administrator defines a capr as a specific
authorization policy that can be applied to resources that have a certain attribute or satisfy a certain applicability
condition. for example documents labeled as "high business impact". capes may be defined for each desired
access control policy in an organization that can be expressed, and the resources to which it should be applied
can be identified, in terms of windows 8 dac expressions. a cap is collection of caprs that can be applied together
on resources. the following diagram shows the relationships of the cap and cape, and the conceptual steps
involved in defining and applying these objects to file resources.
Central Authorization Policies
3/5/2021 • 2 minutes to read • Edit Online
A Central Authorization Policy (CAP) collects the specific authorization rules (CAPRs) into a single policy. To allow
the specific authorization rules (CAPRs) to be combined into the holistic authorization policy of the organization,
CAPRs can be referenced together and applied to a set of resources. This is done by collecting multiple (by
reference) into a CAP. Once a CAP is defined it can be distributed consumed by resource managers to apply the
organizations authorization policy to resources.
A CAP has the following attributes:
Collection of CAPRs – a list of references to existing CAPR objects
An identifier (Sid)
Description
Name
A CAP is evaluated during access evaluation for files and folders on which an administrator enables it. During an
AccessCheck call, the CAP check is logically combined with the discretionary ACL check; this means that in
order to obtain access to a file to which the CAP applies, a user needs to have access both according to the CAP
(its associated CAPRs) and the discretionary ACL on the file.
Example CAP:
CORPORATE-FINANCE-CAP]
CAPID=S-1-5-3-4-56-45-67-123
Policies=HBI-CAPE;RETENTION-CAPR
CAP Definition
A CAP is created and edited in Active Directory using a new UX in ADAC (or PowerShell) that allows the
administrator to create a CAP and specify a set of CAPRs that make up the CAP.
Central Authorization Policy Rule
3/5/2021 • 3 minutes to read • Edit Online
The purpose of the Central Authorization Policy Rule (CAPR) is to provide a domain-wide definition of an
isolated aspect of the organization's authorization policy. The administrator defines the CAPR to enforce one of
the specific authorization requirements. Since the CAPR defines only one specific desired requirement of the
authorization policy it can be more simply defined and understood than if all the authorization policy
requirements of the organization are compiled into a single policy definition.
The CAPR has the following attributes:
Name – identifies the CAPR to the administrators.
Description – defines the purpose of the CAPR and any information that may be needed by consumers of the
CAPR.
Applicability Expression – defines the resources or situations in which the policy will be applied.
ID – identifier for use in auditing of changes to the CAPR.
Effective Access Control Policy – a Windows security descriptor containing a DACL that defines the effective
authorization policy.
Exception Expression – one or more expressions that provide a means to override the policy and grant access
to a principal according to the evaluation of the expression.
Staging Policy – an optional Windows security descriptor containing a DACL that defines a proposed
authorization policy (list of access control entries) that will be tested against the effective policy but not
enforced. If there is a difference between the results of the effective policy and the staging policy the
difference will be recorded in the audit event log.
Since staging can have an unpredictable effect on system performance, a Group Policy administrator
must be able to select specific machines on which staging will be in effect. This allows the existing
policy to be in place on most machines in an OU while staging is happening on a subset of the
machines.
P2 – A local administrator on a particular machine should be able to disable staging if staging on that
machine is causing too much of a performance degradation.
Backlink to CAP – A list of backlinks to any CAPs that may be referring to this CAPR.
During access check, the CAPR is be evaluated for applicability based on the applicability expression. If a CAPR is
applicable, it is evaluated for whether it provides the requesting user the requested access to the identified
resource. The results of the CAPE evaluation is then logically joined by AND with the results of the DACL on the
resource and any other applicable CAPRs in effect on the resource.
Example CAPRs:
[HBI-POLICY]
APPLIES-TO="(@resource.confidentiality == HBI"
SD ="D:(A;;FA;;;AU;(@memberOf("Smartcard Logon")))"
StagingSD = "D:(A;;FA;;;AU;(@memberOf("Smartcard Logon") AND memberOfAny(Resource.ProjectGroups)))"
description="Control access to sensitive information"
[RETENTION-POLICY]
Applies-To="@resource.retention == true"
SD ="D:(A;;;FA;;BA)(A;;FR;;;WD)"
description="If the document is marked for retention, then it is read-only for everyone however Local Admins
have
full control to them to put them out of retention when the time comes"
[TEST-FINANCE-POLICY]
Applies-To="@resource.label == 'finance'"
SD="D:(A;;FA;;;AU;(member_of(FinanceGroup))"
description="Department: Only employees of the finance department should be able to read documents labeled
as finance"
NOTE
The access check will not enforce that no deny ACEs are present. Deny ACEs in a CAPR will be applied. It is expected that
authoring tools will prevent this from happening.
CAPE Definition
CAPRs are created though a new UX provided in Active Directory Administrative Center (ADAC.) In ADAC a new
task option is provided to create a CAPR. When this task is selected, ADAC will prompt the user with a dialog
asking the user for a CAPR name and a description. When these are provided, the controls to define any of the
remaining CAPR elements become enabled. For each of the remaining CAPR elements, the UX will call out to the
ACL-UI to allow definition of expression and/or ACLs.
Related topics
AccessCheck
Dynamic Access Control (DAC) scenario
Security Identifiers
3/5/2021 • 2 minutes to read • Edit Online
A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a
unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each
time a user logs on, the system retrieves the SID for that user from the database and places it in the access token
for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with
Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used
again to identify another user or group.
Windows security uses SIDs in the following security elements:
In security descriptors to identify the owner of an object and primary group
In access control entries, to identify the trustee for whom access is allowed, denied, or audited
In access tokens, to identify the user and the groups to which the user belongs
In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are well-
known SIDs that identify generic groups and generic users. For example, the well-known SIDs, Everyone and
World, identify a group that includes all users.
Most applications never need to work with SIDs. Because the names of well-known SIDs can vary, you should
use the functions to build the SID from predefined constants rather than using the name of the well-known SID.
For example, the U.S. English version of the Windows operating system has a well-known SID named
"BUILTIN\Administrators" that might have a different name on international versions of the system. For an
example that builds a well-known SID, see Searching for a SID in an Access Token in C++.
If you do need to work with SIDs, do not manipulate them directly. Instead, use the following functions.
F UN C T IO N DESC RIP T IO N
EqualPrefixSid Tests two SID prefix values for equality. A SID prefix is the
entire SID except for the last subauthority value.
EqualSid Tests two SIDs for equality. They must match exactly to be
considered equal.
GetSidLengthRequired Retrieves the size of the buffer required to store a SID with a
specified number of subauthorities.
A SID value includes components that provide information about the SID structure and components that
uniquely identify a trustee. A SID consists of the following components:
The revision level of the SID structure
A 48-bit identifier authority value that identifies the authority that issued the SID
A variable number of subauthority or relative identifier (RID) values that uniquely identify the trustee relative
to the authority that issued the SID
The combination of the identifier authority value and the subauthority values ensures that no two SIDs will be
the same, even if two different SID-issuing authorities issue the same combination of RID values. Each SID-
issuing authority issues a given RID only once.
SIDs are stored in binary format in a SID structure. To display a SID, you can call the Conver tSidToStringSid
function to convert a binary SID to string format. To convert a SID string back to a valid, functional SID, call the
Conver tStringSidToSid function.
These functions use the following standardized string notation for SIDs, which makes it simpler to visualize their
components:
S-R -I-S …
In this notation, the literal character "S" identifies the series of digits as a SID, R is the revision level, I is the
identifier-authority value, and S … is one or more subauthority values.
The following example uses this notation to display the well-known domain-relative SID of the local
Administrators group:
S-1-5-32-544
In this example, the SID has the following components. The constants in parentheses are well-known identifier
authority and RID values defined in Winnt.h:
A revision level of 1
An identifier-authority value of 5 (SECURITY_NT_AUTHORITY)
A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID)
A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS)
Well-known SIDs
3/5/2021 • 9 minutes to read • Edit Online
Well-known security identifiers (SIDs) identify generic groups and generic users. For example, there are well-
known SIDs to identify the following groups and users:
Everyone or World, which is a group that includes all users.
CREATOR_OWNER, which is used as a placeholder in an inheritable ACE. When the ACE is inherited, the
system replaces the CREATOR_OWNER SID with the SID of the object's creator.
The Administrators group for the built-in domain on the local computer.
There are universal well-known SIDs, which are meaningful on all secure systems using this security model,
including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful
only on Windows systems.
The Windows API defines a set of constants for well-known identifier authority and relative identifier (RID)
values. You can use these constants to create well-known SIDs. The following example combines the
SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants to show the universal well-known
SID for the special group representing all users (Everyone or World):
S-1-1-0
This example uses the string notation for SIDs in which S identifies the string as a SID, the first 1 is the revision
level of the SID, and the remaining two digits are the SECURITY_WORLD_SID_AUTHORITY and
SECURITY_WORLD_RID constants.
You can use the AllocateAndInitializeSid function to build a SID by combining an identifier authority value
with up to eight subauthority values. For example, to determine whether the logged-on user is a member of a
particular well-known group, call AllocateAndInitializeSid to build a SID for the well-known group and use
the EqualSid function to compare that SID to the group SIDs in the user's access token. For an example, see
Searching for a SID in an Access Token in C++. You must call the FreeSid function to free a SID allocated by
AllocateAndInitializeSid .
The remainder of this section contains tables of well-known SIDs and tables of identifier authority and
subauthority constants that you can use to build well-known SIDs.
The following are some universal well-known SIDs.
The following table lists the predefined identifier authority constants. The first four values are used with
universal well-known SIDs; the last value is used with Windows well-known SIDs.
SECURITY_NULL_SID_AUTHORITY 0 S-1-0
SECURITY_WORLD_SID_AUTHORITY 1 S-1-1
SECURITY_LOCAL_SID_AUTHORITY 2 S-1-2
SECURITY_CREATOR_SID_AUTHORITY 3 S-1-3
SECURITY_NT_AUTHORITY 5 S-1-5
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the
prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
SECURITY_NULL_RID 0 S-1-0
SECURITY_WORLD_RID 0 S-1-1
SECURITY_LOCAL_RID 0 S-1-2
SECURITY_LOCAL_LOGON_RID 1 S-1-2
SECURITY_CREATOR_OWNER_RID 0 S-1-3
SECURITY_CREATOR_GROUP_RID 1 S-1-3
The SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal but
are meaningful only on Windows installations. You can use the following RID values with
SECURITY_NT_AUTHORITY to create well-known SIDs.
The following table has examples of domain-relative RIDs that you can use to form well-known SIDs for local
groups (aliases). For more information about local and global groups, see Local Group Functions and Group
Functions.
The WELL_KNOWN_SID_TYPE enumeration defines the list of commonly used SIDs. Additionally, the Security
Descriptor Definition Language (SDDL) uses SID strings to reference well-known SIDs in a string format.
How AccessCheck Works
3/5/2021 • 2 minutes to read • Edit Online
When a thread tries to access a securable object, the system either grants or denies access. If the object does not
have a discretionary access control list (DACL), the system grants access; otherwise, the system looks for Access
Control Entries (ACEs) in the object's DACL that apply to the thread. Each ACE in the object's DACL specifies the
access rights allowed or denied for a trustee, which can be a user account, a group account, or a logon session.
DACLs
The system compares the trustee in each ACE to the trustees identified in the thread's access token. An access
token contains security identifiers (SIDs) that identify the user and the group accounts to which the user
belongs. A token also contains a logon SID that identifies the current logon session. During an access check, the
system ignores group SIDs that are not enabled. For more information on enabled, disabled, and deny-only
SIDs, see SID Attributes in an Access Token.
Typically, the system uses the primary access token of the thread that is requesting access. However, if the thread
is impersonating another user, the system uses the thread's impersonation token.
The system examines each ACE in sequence until one of the following events occurs:
An access-denied ACE explicitly denies any of the requested access rights to one of the trustees listed in the
thread's access token.
One or more access-allowed ACEs for trustees listed in the thread's access token explicitly grant all the
requested access rights.
All ACEs have been checked and there is still at least one requested access right that has not been explicitly
allowed, in which case, access is implicitly denied.
The following illustration shows how an object's DACL can allow access to one thread while denying access to
another.
For Thread A, the system reads ACE 1 and immediately denies access because the access-denied ACE applies to
the user in the thread's access token. In this case, the system does not check ACEs 2 and 3. For Thread B, ACE 1
does not apply, so the system proceeds to ACE 2, which allows write access, and ACE 3 which allows read and
execute access.
Because the system stops checking ACEs when the requested access is explicitly granted or denied, the order of
ACEs in a DACL is important. Note that if the ACE order were different in the example, the system might have
granted access to Thread A. For system objects, the operating system defines a preferred order of ACEs in a
DACL.
Interaction Between Threads and Securable Objects
3/5/2021 • 2 minutes to read • Edit Online
When a thread attempts to use a securable object, the system performs an access check before allowing the
thread to proceed. In an access check, the system compares the security information in the thread's access token
against the security information in the object's security descriptor.
The access token contains security identifiers (SIDs) that identify the user associated with the thread.
The security descriptor identifies the object's owner and contains a discretionary access control list (DACL).
The DACL contains access control entries (ACEs), each of which specify the access rights allowed or denied to
a specific user or group.
The system checks the object's DACL, looking for ACEs that apply to the user and group SIDs from the thread's
access token. The system checks each ACE until access is either granted or denied or until there are no more
ACEs to check. Conceivably, an access control list (ACL) could have several ACEs that apply to the token's SIDs.
And, if this occurs, the access rights granted by each ACE accumulate. For example, if one ACE grants read access
to a group and another ACE grants write access to a user who is a member of the group, the user can have both
read and write access to the object.
The following illustration shows the relationship between these blocks of security information:
DACLs and ACEs
3/5/2021 • 2 minutes to read • Edit Online
If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full
access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access
control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone.
Similarly, if a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies
access to all trustees not included in the ACEs.
In most cases, you can control access to an object by using access-allowed ACEs; you do not need to explicitly
deny access to an object. The exception is when an ACE allows access to a group and you want to deny access to
a member of the group. To do this, place an access-denied ACE for the user in the DACL ahead of the access-
allowed ACE for the group. Note that the order of the ACEs is important because the system reads the ACEs in
sequence until access is granted or denied. The user's access-denied ACE must appear first; otherwise, when the
system reads the group's access allowed ACE, it will grant access to the restricted user.
The following illustration shows a DACL that denies access to one user and grants access to two groups. The
members of Group A get Read, Write, and Execute access rights by accumulating the rights allowed to Group A
and rights allowed to Everyone. The exception is Andrew, who is denied access by the access-denied ACE in spite
of being a member of the Everyone Group.
Null DACLs and Empty DACLs (Authorization)
3/5/2021 • 2 minutes to read • Edit Online
If the discretionary access control list (DACL) that belongs to an object's security descriptor is set to NULL , a null
DACL is created. A null DACL grants full access to any user that requests it; normal security checking is not
performed with respect to the object. A null DACL should not be confused with an empty DACL. An empty DACL
is a properly allocated and initialized DACL that contains no access control entries (ACEs). An empty DACL
grants no access to the object it is assigned to.
For an example of how to create a DACL, see Creating a DACL.
Allowing Anonymous Access
3/5/2021 • 2 minutes to read • Edit Online
The default security policy restricts anonymous local access to having no rights. Administrators can then add or
subtract rights as they see fit.
A local access group exists for applications with the same access rights as Everyone. Administrators can then
appropriately increase or decrease the number of users in that group, named the Pre-Windows 2000-
Compatible Access Group .
For more information, see the reference pages for the functions listed in the table of the Local Group Functions
topic.
Security Descriptor Definition Language
3/5/2021 • 2 minutes to read • Edit Online
The security descriptor definition language (SDDL) defines the string format that the
Conver tSecurityDescriptorToStringSecurityDescriptor and
Conver tStringSecurityDescriptorToSecurityDescriptor functions use to describe a security descriptor as a
text string. The language also defines string elements for describing information in the components of a security
descriptor.
NOTE
Conditional access control entries (ACEs) have a different SDDL format than other ACE types. For ACEs, see ACE Strings.
For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.
Related topics
Security Descriptor String Format
Security Descriptor Definition Language for Conditional ACEs
ACE Strings
SID Strings
[MS-DTYP]: Security Descriptor Description Language
Security Descriptor String Format
5/4/2021 • 3 minutes to read • Edit Online
The Security Descriptor String Format is a text format for storing or transporting information in a security
descriptor. The Conver tSecurityDescriptorToStringSecurityDescriptor and
Conver tStringSecurityDescriptorToSecurityDescriptor functions use this format.
The format is a null -terminated string with tokens to indicate each of the four main components of a security
descriptor: owner (O:), primary group (G:), DACL (D:), and SACL (S:).
NOTE
Access control entries (ACEs) and conditional ACEs have differing formats. For ACEs, see ACE Strings. For conditional ACEs,
see Security Descriptor Definition Language for Conditional ACEs.
O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
S:sacl_flags(string_ace1)(string_ace2)... (string_acen)
owner_sid
A SID string that identifies the object's owner.
group_sid
A SID string that identifies the object's primary group.
dacl_flags
Security descriptor control flags that apply to the DACL. For a description of these control flags, see the
SetSecurityDescriptorControl function. The dacl_flags string can be a concatenation of zero or more of the
following strings.
C O N T RO L C O N STA N T IN SDDL . H M EA N IN G
"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
Security Descriptor 1:
Revision: 0x00000001
Control: 0x0004
SE_DACL_PRESENT
Owner: (S-1-5-32-548)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Others(0x0000003f)
Ace Sid : (S-1-0-0)
SACL
Not present
String 2:
"O:DAG:DAD:(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)
(A;;RPWPCCDCLCRCWOWDSDSW;;;DA)
(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;6da8a4ff-0e52-11d0-a286-00aa003049e2;;AO)
(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
(A;;RPLCRC;;;AU)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)"
Security Descriptor 2:
Revision: 0x00000001
Control: 0x0014
SE_DACL_PRESENT
SE_SACL_PRESENT
Owner: (S-1-5-21-397955417-626881126-188441444-512)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x04
Size: 0x0104
AceCount: 0x0007
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x000f003f
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Others(0x0000003f)
Ace Sid: (S-1-5-18)
Ace[01]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0024
InheritFlags: 0x00
Access Mask: 0x000f003f
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
WRITE_OWNER
Others(0x0000003f)
Ace Sid: (S-1-5-21-397955417-626881126-188441444-512)
Ace[02]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_USER
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[03]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_GROUP
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[04]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_LOCALGROUP
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[05]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_PRINT_QUEUE
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-550)
Ace[06]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x00020014
READ_CONTROL
Others(0x00000014)
Ace Sid: (S-1-5-11)
SACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x02 (SYSTEM_AUDIT_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0xc0
SUCCESSFUL_ACCESS_ACE_FLAG
FAILED_ACCESS_ACE_FLAG
Access Mask: 0x000d002b
DELETE
WRITE_DAC
WRITE_OWNER
Others(0x0000002b)
Ace Sid: (S-1-1-0)
Related topics
ACE Strings
Security Descriptor Definition Language for Conditional ACEs
Security Descriptor Definition Language for
Conditional ACEs
3/5/2021 • 4 minutes to read • Edit Online
A conditional access control entry (ACE) allows an access condition to be evaluated when an access check is
performed. The security descriptor definition language (SDDL) provides syntax for defining conditional ACEs in a
string format.
The SDDL for a conditional ACE is the same as for any ACE, with the syntax for the conditional statement
appended to the end of the ACE string. For information about SDDL, see Security Descriptor Definition
Language.
The "#" sign is synonymous with "0" in resource attributes. For example, D:AI(XA;OICI;FA;;;WD;
(OctetStringType==#1#2#3##)) is equivalent to and interpreted as D:AI(XA;OICI;FA;;;WD;
(OctetStringType==#01020300)).
Conditional ACE String Format
Conditional Expressions
Attributes
Operators
Operator Precedence
Unknown Values
Conditional ACE Evaluation
Examples
Related topics
The ACE string includes one or more conditional expressions, enclosed in parentheses at the end of the
string.
Conditional Expressions
A conditional expression can include any of the following elements.
exists AttributeName Tests whether the specified attribute exists in the client
context.
ConditionalExpression && ConditionalExpression Tests whether both of the specified conditional expressions
are true.
Attributes
An attribute represents an element in the AUTHZ_SECURITY_ATTRIBUTES_INFORMATION array in the
client context. An attribute name can contain any alphanumeric characters and any of the characters ":", "/", ".",
and "_".
An attribute value can be any of the following types.
VA L UE T Y P E DESC RIP T IO N
Operators
The following operators are defined for use in conditional expressions to test the values of attributes. All of these
are binary operators and used in the form AttributeName Operator Value.
== Conventional definition.
!= Conventional definition.
In addition, the unary operators Exists, Member_of, and negation (!) are defined as described in the Conditional
Expressions table.
The "Contains" operator must be preceded and followed by white space, and the "Any_of" operator must be
preceded by white space.
Operator Precedence
The operators are evaluated in the following order of precedence, with operations of equal precedence being
evaluated from left to right.
1. Exists, Member_of
2. Contains, Any_of
3. ==, !=, <, <=, >, >=
4. !
5. &&
6. ||
In addition, any portion of a conditional expression can be enclosed in parenthesis. Expressions within
parentheses are evaluated first.
Unknown Values
The results of conditional expressions sometimes return a value of Unknown . For example, any of the relational
operations return Unknown when the specified attribute does not exist.
The following table describes the results for a logical AND operation between two conditional expressions,
ConditionalExpression1 and ConditionalExpression2.
C O N DIT IO N A L EXP RESSIO N 1 & &
C O N DIT IO N A L EXP RESSIO N 1 C O N DIT IO N A L EXP RESSIO N 2 C O N DIT IO N A L EXP RESSIO N 2
The following table describes the results for a logical OR operation between two conditional expressions,
ConditionalExpression1 and ConditionalExpression2.
Examples
The following examples show how the specified access policies are represented by a conditional ACE defined by
using SDDL.
Policy
Allow Execute to Everyone if both of the following conditions are met:
Title = PM
Division = Finance or Division = Sales
SDDL
D:(XA; ;FX;;;S-1-1-0; (@User.Title=="PM" && (@User.Division=="Finance" || @User.Division ==" Sales")))
Policy
Allow execute if any of the user s projects intersect with the file s projects.
SDDL
D:(XA; ;FX;;;S-1-1-0; (@User.Project Any_of @Resource.Project))
Policy
Allow read access if the user has logged in with a smart card, is a backup operator, and is connecting from a
machine with Bitlocker enabled.
SDDL
D:(XA; ;FR;;;S-1-1-0; (Member_of {SID(Smartcard_SID), SID(BO)} && @Device.Bitlocker))
Related topics
[MS-DTYP]: Security Descriptor Description Language
ACE Strings
5/4/2021 • 5 minutes to read • Edit Online
The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a
security descriptor string.
As shown in the Security Descriptor String Format examples, each ACE in a security descriptor string is enclosed
in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).
NOTE
There is a different format for conditional access control entries (ACEs) than other ACE types. For conditional ACEs, see
Security Descriptor Definition Language for Conditional ACEs.
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)
Fields
ace_type
A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string
can be one of the following strings defined in Sddl.h.
ace_flags
A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string
can be a concatenation of the following strings defined in Sddl.h.
rights
A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string
representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.
Generic access rights
A C C ESS RIGH T S ST RIN G C O N STA N T IN SDDL . H A C C ESS RIGH T VA L UE
object_guid
A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE
structure, such as ACCESS_ALLOWED_OBJECT_ACE . The GUID string uses the format returned by the
UuidToString function.
The following table lists some commonly used object GUIDs.
inherit_object_guid
A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-
specific ACE structure. The GUID string uses the UuidToString format.
account_sid
SID string that identifies the trustee of the ACE.
resource_attribute
[OPTIONAL] The resource_attribute is only for resource ACEs and is optional. A string that indicates the data
type. The resource attribute ace data type can be one of the following data types defined in Sddl.h.
The "#" sign is synonymous with "0" in resource attributes. For example, D:AI(XA;OICI;FA;;;WD;
(OctetStringType==#1#2#3##)) is equivalent to and interpreted as D:AI(XA;OICI;FA;;;WD;
(OctetStringType==#01020300)).
Windows Ser ver 2008 R2, Windows 7, Windows Ser ver 2008, Windows Vista and Windows Ser ver
2003: Resource attributes are not available.
The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has
no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, which
indicates that none of the ACE flags are set.
(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0)
The ACE string shown above describes the following ACE information.
The following example shows a file classified with resource claims for Windows and Structured Query Language
(SQL) with Secrecy set to High Business Impact.
(RA;CI;;;;S-1-1-0; ("Project",TS,0,"Windows","SQL"))
(RA;CI;;;;S-1-1-0; ("Secrecy",TU,0,3))
The ACE string shown above describes the following ACE information.
For more information, see Security Descriptor String Format and SID Strings. For conditional ACEs, see Security
Descriptor Definition Language for Conditional ACEs.
Related topics
[MS-DTYP]: Security Descriptor Description Language
SID Strings
5/4/2021 • 5 minutes to read • Edit Online
In the security descriptor definition language (SDDL), security descriptor string use SID strings for the following
components of a security descriptor:
Owner
Primary group
The trustee in an ACE
A SID string in a security descriptor string can use either the standard string representation of a SID (S-R -I-S -S )
or one of the string constants defined in Sddl.h. For more information about the standard SID string notation,
see SID Components.
The following SID string constants for well-known SIDs are defined in Sddl.h. For information about the
corresponding relative IDs (RIDs), see Well-known SIDs.
A C C O UN T A L IA S A N D
SDDL SID ST RIN G C O N STA N T IN SDDL . H C O RRESP O N DIN G RID
The Conver tSidToStringSid and Conver tStringSidToSid functions always use the standard SID string
notation and do not support SDDL SID string constants.
For more information about well-known SIDs, see Well-known SIDs.
Related topics
[MS-DTYP]: Security Descriptor Description Language
Privileges
3/5/2021 • 2 minutes to read • Edit Online
A privilege is the right of an account, such as a user or group account, to perform various system-related
operations on the local computer, such as shutting down the system, loading device drivers, or changing the
system time. Privileges differ from access rights in two ways:
Privileges control access to system resources and system-related tasks, whereas access rights control access
to securable objects.
A system administrator assigns privileges to user and group accounts, whereas the system grants or denies
access to a securable object based on the access rights granted in the ACEs in the object's DACL.
Each system has an account database that stores the privileges held by user and group accounts. When a user
logs on, the system produces an access token that contains a list of the user's privileges, including those granted
to the user or to groups to which the user belongs. Note that the privileges apply only to the local computer; a
domain account can have different privileges on different computers.
When the user tries to perform a privileged operation, the system checks the user's access token to determine
whether the user holds the necessary privileges, and if so, it checks whether the privileges are enabled. If the
user fails these tests, the system does not perform the operation.
To determine the privileges held in an access token, call the GetTokenInformation function, which also
indicates which privileges are enabled. Most privileges are disabled by default.
The Windows API defines a set of string constants, such as SE_ASSIGNPRIMARYTOKEN_NAME, to identify the
various privileges. These constants are the same on all systems and are defined in Winnt.h. For a table of the
privileges defined by Windows, see Privilege Constants. However, the functions that get and adjust the privileges
in an access token use the LUID type to identify privileges. The LUID values for a privilege can differ from one
computer to another, and from one boot to another on the same computer. To get the current LUID that
corresponds to one of the string constants, use the LookupPrivilegeValue function. Use the
LookupPrivilegeName function to convert a LUID to its corresponding string constant.
The system provides a set of display names that describe each of the privileges. These are useful when you need
to display a description of a privilege to the user. Use the LookupPrivilegeDisplayName function to retrieve a
description string that corresponds to the string constant for a privilege. For example, on systems that use U.S.
English, the display name for the SE_SYSTEMTIME_NAME privilege is "Change the system time".
You can use the PrivilegeCheck function to determine whether an access token holds a specified set of
privileges. This is useful primarily to server applications that are impersonating a client.
A system administrator can use administrative tools, such as User Manager, to add or remove privileges for user
and group accounts. Administrators can programmatically use the Local Security Authority (LSA) functions to
work with privileges. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove
privileges from an account. The LsaEnumerateAccountRights function enumerates the privileges held by a
specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a
specified privilege.
Related topics
Authorization Constants
Enabling and Disabling Privileges in C++
Audit Generation
3/5/2021 • 2 minutes to read • Edit Online
C2-level security requirements specify that system administrators must be able to audit security-related events
and that access to this audit data must be limited to authorized administrators. The Windows API provides
functions enabling an administrator to monitor security-related events.
The security descriptor for a securable object can have a system access control list (SACL). A SACL contains
access control entries (ACEs) that specify the types of access attempts that generate audit reports. Each ACE
identifies a trustee, a set of access rights, and a set of flags that indicate whether the system generates audit
messages for failed access attempts, successful access attempts, or both.
The system writes audit messages to the security event log. For information about accessing the records in a
security event log, see Event Logging.
To read or write an object's SACL, a thread must first enable the SE_SECURITY_NAME privilege. For more
information, see SACL Access Right.
The Windows API also provides support for server applications to generate audit messages when a client tries
to access a private object. For more information, see Auditing Access To Private Objects.
Securable Objects
3/5/2021 • 2 minutes to read • Edit Online
A securable object is an object that can have a security descriptor. All named Windows objects are securable.
Some unnamed objects, such as process and thread objects, can have security descriptors too. For most
securable objects, you can specify an object's security descriptor in the function call that creates the object. For
example, you can specify a security descriptor in the CreateFile and CreateProcess functions.
In addition, the Windows security functions enable you to get and set the security information for securable
objects created on operating systems other than Windows. The Windows security functions also provide
support for using security descriptors with private, application-defined objects. For more information about
private securable objects, see Client/Server Access Control.
Each type of securable object defines its own set of specific access rights and its own mapping of generic access
rights. For information about the specific and generic access rights for each type of securable object, see the
overview for that type of object.
The following table shows the functions to use to manipulate the security information for some common
securable objects.
Directory service objects These objects are handled by Active Directory Objects. For
more information, see Active Directory Service Interfaces.
Low-level Access Control
3/5/2021 • 2 minutes to read • Edit Online
Low-level security functions help you work with security descriptors, access control lists (ACLs), and access
control entries (ACEs).
For a description of the model, see Access Control Model.
TO P IC DESC RIP T IO N
Low-level Security Descriptor Functions Functions for setting and retrieving an object's security
descriptor.
Low-level Security Descriptor Creation Functions for creating a security descriptor and getting and
setting the components of a security descriptor.
Absolute and Self-Relative Security Descriptors Functions for checking or converting between absolute or
self-relative format.
Low-level ACL and ACE Functions Functions for managing ACLs and ACEs.
Low-level Security Descriptor Functions
3/5/2021 • 2 minutes to read • Edit Online
There are several pairs of low-level functions for setting and retrieving an object's security descriptor. Each of
these pairs works only with a limited set of Windows objects. For example, one pair works with file objects and
another works with registry keys. The following table shows the low-level functions to use with the different
types of securable objects.
O B JEC T T Y P E LO W - L EVEL F UN C T IO N S
Low-level access control provides a set of functions for creating a security descriptor and getting and setting the
components of a security descriptor. The low-level functions for initializing and setting the components of a
security descriptor work only with absolute-format security descriptors. The low-level functions for getting the
components of a security descriptor work with both absolute and self-relative security descriptors.
The InitializeSecurityDescriptor function initializes a SECURITY_DESCRIPTOR buffer. The initialized
security descriptor is in absolute format and has no owner, primary group, discretionary access control list
(DACL), or system access control list (SACL). You can use the following low-level functions to get or set specific
components of a specified security descriptor.
F UN C T IO N DESC RIP T IO N
To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor
function.
Absolute and Self-Relative Security Descriptors
3/5/2021 • 2 minutes to read • Edit Online
A security descriptor can be in either absolute or self-relative format. In absolute format, a security descriptor
contains pointers to its information, not the information itself. In self-relative format, a security descriptor stores
a SECURITY_DESCRIPTOR structure and associated security information in a contiguous block of memory. To
determine whether a security descriptor is self-relative or absolute, call the GetSecurityDescriptorControl
function and check the SE_SELF_RELATIVE flag of the SECURITY_DESCRIPTOR_CONTROL parameter. You can
use the MakeSelfRelativeSD and MakeAbsoluteSD functions for converting between these two formats.
The absolute format is useful when you are building a security descriptor and have pointers to all of the
components, for example, when default settings for the owner, group, and discretionary ACL are available. In this
case, you can call the InitializeSecurityDescriptor function to initialize a SECURITY_DESCRIPTOR structure,
and then call functions such as SetSecurityDescriptorDacl to assign ACL and SID pointers to the security
descriptor.
In self-relative format, a security descriptor always begins with a SECURITY_DESCRIPTOR structure, but the
other components of the security descriptor can follow the structure in any order. Instead of using memory
addresses, the security descriptor's components are identified by offsets from the beginning of the descriptor.
This format is useful when a security descriptor must be stored on disk, transmitted by means of a
communications protocol, or copied in memory.
Except for MakeAbsoluteSD , all functions that return a security descriptor do so using the self-relative format.
Security descriptors passed as arguments to a function can be either self-relative or absolute form. For more
information, refer to the documentation for the function.
Low-level ACL and ACE Functions
3/5/2021 • 2 minutes to read • Edit Online
To create an access control list (ACL) by using the low-level functions, allocate a buffer for the ACL and then
initialize it by calling the InitializeAcl function. To add access control entries (ACEs) to the end of a discretionary
access control list (DACL), use the AddAccessAllowedAce and AddAccessDeniedAce functions. The
AddAuditAccessAce function adds an ACE to the end of a system access control list (SACL). You can use the
AddAce function to add one or more ACEs at a specified position in an ACL. The AddAce function also allows
you to add an inheritable ACE to an ACL. The DeleteAce function removes an ACE from a specified position in
an ACL. The GetAce function retrieves an ACE from a specified position in an ACL. The FindFirstFreeAce
function retrieves a pointer to the first free byte in an ACL.
To modify an existing ACL in an object's security descriptor, use the GetSecurityDescriptorDacl or
GetSecurityDescriptorSacl function to get the existing ACL. You can use the GetAce function to copy ACEs
from the existing ACL. After allocating and initializing a new ACL, use functions such as AddAccessAllowedAce
and AddAce to add ACEs to it. When you have finished building the new ACL, use the
SetSecurityDescriptorDacl or SetSecurityDescriptorSacl function to add the new ACL to the object's
security descriptor.
You can use the AddAccessAllowedObjectAce , AddAccessDeniedObjectAce , or
AddAuditAccessObjectAce functions to add object-specific ACEs to the end of an ACL.
Access Control Editor
3/5/2021 • 2 minutes to read • Edit Online
The access control editor is a set of property sheets and property pages that enable the user to view and modify
the components of an object's security descriptor. The editor consists of two main parts:
A basic security property page that provides a simple interface for editing the access control entries (ACEs) in
an object's discretionary access control list (DACL). This page can include an optional Advanced button that
displays the advanced security property sheet.
An advanced security property sheet with property pages that enable the user to edit the object's system
access control list (SACL), change the object's owner, or perform advanced editing of the object's DACL.
The CreateSecurityPage function creates the basic security property page. You can then use the
Proper tySheet function or the PSM_ADDPAGE message to add this page to a property sheet.
Alternatively, you can use the EditSecurity function to display a property sheet that contains the basic security
property page.
For both CreateSecurityPage and EditSecurity , the caller must pass a pointer to an implementation of the
ISecurityInformation interface. The access control editor calls the methods of this interface to retrieve access
control information about the object being edited and to pass the user's input back to your application. The
ISecurityInformation methods have the following purposes:
To initialize the property pages.
Your implementation of the GetObjectInformation method passes an SI_OBJECT_INFO structure to
the editor. This structure specifies the property pages that you want the editor to display and other
information that determines the editing options available to the user.
To provide security information about the object being edited.
Your GetSecurity implementation passes the object's initial security descriptor to the editor. The
GetAccessRights and MapGeneric methods provide information about the object's access rights. The
GetInheritTypes method provides information about how the object's ACEs can be inherited by child
objects.
To pass the user's input back to your application.
When the user clicks Okay or Apply , the editor calls your SetSecurity method to pass back a security
descriptor containing the user's changes.
Basic Security Property Page
3/5/2021 • 2 minutes to read • Edit Online
The basic security property page is the starting page of the property sheet displayed by the EditSecurity
function. You can also use the CreateSecurityPage function to create a basic security property page to insert in
your own property sheet.
The property page displays a list of the trustees named in the access control entries (ACEs) of the object's
discretionary access control list (DACL). The page also contains a list of the access rights supported by the
object. When the user selects a name from the list of trustees, the check boxes next to each access right indicate
the rights that are allowed or denied for that trustee. The user can then select or clear the check boxes to modify
the trustee's access rights. The user can also add or remove trustees from the list.
The basic security property page cannot display complex ACEs, such as object-specific ACEs, or ACE inheritance
information. To enable the user to view or edit such information, you can include an Advanced button on the
basic security page. The user can click the Advanced button to display an advanced security property sheet.
This property sheet has property pages that enable the user to edit the object's system access control list (SACL),
change the object's owner, or perform advanced editing of the object's DACL. To display the Advanced button,
set the SI_ADVANCED flag in the SI_OBJECT_INFO structure returned by your
ISecurityInformation::GetObjectInformation implementation.
You can use the pszPageTitle member of the SI_OBJECT_INFO structure to specify the title of the basic
security property page. The default title is Security .
Advanced Security Property Sheet
3/5/2021 • 2 minutes to read • Edit Online
The advanced security property sheet enables the user to perform editing operations that are not available on
the basic security property page of an access control editor. The property sheet can include the following
property pages:
A Permissions property page for advanced editing of the object's discretionary access control list (DACL),
such as editing object-specific ACEs or controlling ACE inheritance.
An Auditing property page for viewing and editing the object's system access control list (SACL).
An Owner property page for changing the object's owner.
The user can display the advanced security property sheet by clicking the Advanced button on the basic
security property page. To display the Advanced button, set the SI_ADVANCED flag in the SI_OBJECT_INFO
structure returned by your ISecurityInformation::GetObjectInformation implementation.
Permissions Property Page
3/5/2021 • 2 minutes to read • Edit Online
The Permissions property page contains controls for advanced editing of the ACEs in an object's DACL. This
page enables the user to view and edit all of the information in the DACL, including information that is not
available on the basic security property page. The advanced information includes object-specific ACEs and
information about ACE inheritance.
The Permissions property page is always included in the advanced security property sheet displayed when the
user clicks the Advanced button on the basic security property page.
Auditing Property Page
3/5/2021 • 2 minutes to read • Edit Online
The access control editor can include an Auditing property page that enables the user to view and edit the
access control entries (ACEs) in an object's system access control list (SACL). For more information about SACLs,
see Access Control Lists (ACLs).
To view the Auditing proper ty page
On the basic security property page, click Advanced . The Auditing property page is in the advanced
security property sheet.
To include the Auditing property page, set the SI_ADVANCED and SI_EDIT_AUDITS flags in the
SI_OBJECT_INFO structure returned by your ISecurityInformation::GetObjectInformation
implementation.
Owner Property Page
3/5/2021 • 2 minutes to read • Edit Online
The access control editor can include an Owner property page that enables the user to change an object's owner.
For more information about an object's owner, see Owner of a New Object and Taking Object Ownership in
C++.
The Owner property page is in the advanced security property sheet displayed when the user clicks the
Advanced button on the basic security property page. To include the Owner property page, set the
SI_ADVANCED and SI_EDIT_OWNER flags in the SI_OBJECT_INFO structure returned by your
ISecurityInformation::GetObjectInformation implementation.
Client/Server Access Control
3/5/2021 • 2 minutes to read • Edit Online
A server application provides services to clients. For example, a server could perform the following services on
behalf of a client:
Save and retrieve information from a private database
Access network resources
Start processes in the client's security context on the server's computer
A protected server controls access to its services. Windows provides security support that enables a server to do
the following:
Impersonate a client's security context, which causes the system to perform most access and privilege checks
against the client's access token rather than the server's
Log a client on to the server's computer
Connect to network resources using the client's security context
Create security descriptors to protect private objects
Determine whether a security descriptor allows access to a client
Determine whether a set of privileges are enabled in a client's token
Generate audit messages in the security event log to record attempts by a client to access objects or use
privileges
The Client Security Context
3/5/2021 • 2 minutes to read • Edit Online
Like all processes, a protected server has a primary access token that describes its security context. When a
client connects to a protected server, the server may want to perform actions using the client's security context
instead of the server's security context. For example, when a client in a dynamic data exchange (DDE)
conversation requests information from a DDE server, the server needs to verify that the client is allowed access
to the information.
There are two ways that a server can act in the client's security context:
A thread of the server process can impersonate the client. In this case, the server's thread has an
impersonation access token that identifies the client, the client's groups, and the client's privileges. For more
information, see Client Impersonation.
The server can get the client's credentials and log the client on to the server's computer. This creates a new
logon session and produces a primary access token for the client. The server can then use the client's access
token to impersonate the client or to start a new process that runs in the security context of the client. For
more information, see Client Logon Sessions.
In most cases, impersonating the client is sufficient. Impersonation enables the server to check the client's access
to securable objects, check the client's privileges, and generate audit trail entries that identify the client. Typically,
a server needs to start a client logon session only if it needs to use the client's security context to access network
resources.
Client Impersonation (Authorization)
3/5/2021 • 2 minutes to read • Edit Online
Impersonation is the ability of a thread to execute using different security information than the process that
owns the thread. Typically, a thread in a server application impersonates a client. This allows the server thread to
act on behalf of that client to access objects on the server or validate access to the client's own objects.
The Microsoft Windows API provides the following functions to begin an impersonation:
A DDE server application can call the DdeImpersonateClient function to impersonate a client.
A named-pipe server can call the ImpersonateNamedPipeClient function.
You can call the ImpersonateLoggedOnUser function to impersonate the security context of a logged-on
user's access token.
The ImpersonateSelf function enables a thread to generate a copy of its own access token. This is useful
when an application needs to change the security context of a single thread. For example, sometimes only
one thread of a process needs to enable a privilege.
You can call the SetThreadToken function to cause the target thread to run in the security context of a
specified impersonation token.
A Microsoft Remote Procedure Call (RPC) server application can call the RpcImpersonateClient function to
impersonate a client.
A security package or application server can call the ImpersonateSecurityContext function to impersonate
a client.
For most of these impersonations, the impersonating thread can revert to its own security context by calling the
Rever tToSelf function. The exception is the RPC impersonation, in which the RPC server application calls
RpcRever tToSelf or RpcRever tToSelfEx to revert to its own security context.
Impersonation Levels (Authorization)
3/5/2021 • 2 minutes to read • Edit Online
The SECURITY_IMPERSONATION_LEVEL enumeration defines four impersonation levels that determine the
operations a server can perform in the client's context.
SecurityIdentification The server can get the identity and privileges of the client,
but cannot impersonate the client.
The client of a named pipe, RPC, or DDE connection can control the impersonation level. For example, a named
pipe client can call the CreateFile function to open a handle to a named pipe and specify the server's
impersonation level.
When the named pipe, RPC, or DDE connection is remote, the flags passed to CreateFile to set the
impersonation level are ignored. In this case, the impersonation level of the client is determined by the
impersonation levels enabled by the server, which is set by a flag on the server's account in the directory
service. For example, if the server is enabled for delegation, the client's impersonation level will also be set to
delegation even if the flags passed to CreateFile specify the identification impersonation level.
DDE clients use the DdeSetQualityOfSer vice function with the SECURITY_QUALITY_OF_SERVICE structure
to specify the impersonation level. The SecurityImpersonation level is the default for named pipe, RPC, and DDE
servers. The ImpersonateSelf , DuplicateToken , and DuplicateTokenEx functions allow the caller to specify
an impersonation level. Use the GetTokenInformation function to retrieve the impersonation level of an
access token.
At the SecurityImpersonation level, most of the thread's actions occur in the security context of the thread's
impersonation token rather than in the primary token of the process that owns the thread. For example, if an
impersonating thread opens a securable object, the system uses the impersonation token to check the thread's
access. Similarly, if an impersonating thread creates a new object, for example by calling the CreateFile
function, the owner of the new object is the default owner from the client's access token.
However, the system uses the primary token of the process rather than the impersonation token of the calling
thread in the following situations:
If an impersonating thread calls the CreateProcess function, the new process always inherits the primary
token of the process.
For functions that require the SE_TCB_NAME privilege, such as the LogonUser function, the system always
checks for the privilege in the primary token of the process.
For functions that require the SE_AUDIT_NAME privilege, such as the ObjectOpenAuditAlarm function, the
system always checks for the privilege in the primary token of the process.
In a call to the OpenThreadToken function, a thread can specify whether the function uses the
impersonation token or the primary token to determine whether to grant the requested access.
Impersonation Tokens
3/5/2021 • 2 minutes to read • Edit Online
A server with the SE_TCB_NAME privilege, such as a Windows service running in the LocalSystem Account, can
call the LogonUser function to authenticate a client on the computer that the server is running on. The
LogonUser function starts a new logon session and returns a primary access token that contains the client's
security information. You can use this primary token in calling the ImpersonateLoggedOnUser function to
impersonate the client or in calling the CreateProcessAsUser function to create a process that runs in the
security context of the client.
The advantage of authenticating the client in this way is that the server impersonating the authenticated client,
or a process created in the context of the authenticated client, can connect to remote network resources as the
client. If this authentication is not done, the server can connect to network resources only if it has acquired the
client's account name and password to pass to the WNetAddConnection2 function.
The disadvantage of authenticating the client in this way is that the server must have acquired the client's
credentials (domain name, user name, and password). If a remote client supplies these credentials to the server,
it is the responsibility of the client and server to ensure that the credentials are transmitted in a secure manner.
Processes in the Client Security Context
3/5/2021 • 2 minutes to read • Edit Online
A server application can call the CreateProcessAsUser function to create a new process that runs in a client's
security context. When called with a client's access token, CreateProcessAsUser requires the
SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges, which are held by Windows
services running in the LocalSystem Account.
The CreateProcessAsUser function also requires a primary access token. A server can get a primary access
token for a client either by starting a logon session for the client or by impersonating the client and duplicating
the impersonation token.
The following procedures describe two ways to create a client process.
To create a client process by logging on to the client
1. Log the client on to the local computer using the client's credentials in a call to LogonUser . LogonUser
produces a primary token for the client's logon session.
2. If the server needs to use the client's security context, get access to the executable file for the client process
by using the primary token in a call to the ImpersonateLoggedOnUser function.
3. Create a process in the client's security context by using the primary token in a call to
CreateProcessAsUser .
NOTE
A process created by using the following technique may not be able to access network resources unless it has the client's
credentials.
Just as the system uses security descriptors to control access to securable objects, a server can use security
descriptors to control access to its private objects. For more information about the Windows security model, see
Access Control Model.
A protected server can create a security descriptor with a DACL that specifies the types of access allowed for
various trustees. In a simple case, the server could create a single security descriptor to control access to all of
the server's data and functionality. For a finer granularity of protection, the server could create security
descriptors for each of its private objects, or for different types of functionality.
For example, when a client asks the server to create a new object in a database, the server could create a
security descriptor for the new private object. The server could then store the security descriptor with the private
object in the database. When a client tries to access the object, the server retrieves the security descriptor to
check the client's access rights. It is important to note that there is nothing in a security descriptor that
associates it with the object or functionality it is protecting. Instead, it is up to the protected server to maintain
the association.
Access to the private object can also be audited. Refer to Auditing Access to Private Objects for a description of
this.
Security Descriptors for Private Objects
3/5/2021 • 2 minutes to read • Edit Online
To create a security descriptor, a protected server can use the same procedure that an application would use to
create a security descriptor for a securable object. For sample code, see Creating a Security Descriptor for a New
Object in C++. Alternatively, a protected server application can call the BuildSecurityDescriptor function to
do this. If a pointer to an existing self-relative security descriptor is supplied to BuildSecurityDescriptor , it will
build the new security descriptor with information taken from that security descriptor merged with new access
control information passed as parameters in the function call. The owner and group are optionally specified by
TRUSTEE structures passed to the function. The security descriptor created by BuildSecurityDescriptor is in
self-relative format.
In addition, the Windows API provides a set of functions for merging client security information with
information inherited from the security descriptor for a parent object or from a default security descriptor. The
CreatePrivateObjectSecurity , GetPrivateObjectSecurity , SetPrivateObjectSecurity , and
DestroyPrivateObjectSecurity functions provide the ability to retrieve default information from an access
token, support inheritance, and manipulate specific parts of the security descriptor. This can be useful when a
client creates a private object in a hierarchy of secured objects. For example, you could use the
CreatePrivateObjectSecurity function to create a security descriptor that contained ACEs specified by the
client, ACEs inherited from a parent object, and the default owner from the creating client's access token. While
BuildSecurityDescriptor creates security descriptors either from access control information passed into the
function call or from an existing security descriptor, CreatePrivateObjectSecurity creates a security descriptor
solely from the information in existing security descriptors.
LookupSecurityDescriptorPar ts function obtains security descriptor information from an existing self-
relative security descriptor. This information includes the owner and group specification, the number of ACEs in
the SACL or DACL, and the list of ACEs in the SACL or DACL.
Checking Access to Private Objects
3/5/2021 • 2 minutes to read • Edit Online
A protected server application must check a client's access rights before allowing the client to access a protected
private object. To do this, the server passes an impersonation token, a security descriptor, and a set of requested
access rights to AccessCheck . The access control entries (ACEs) in the security descriptor's DACL specify the
access rights allowed or denied to various trustees. The AccessCheck function compares the trustee in each
ACE to the trustees identified in the impersonation token. For a description of the algorithm used to grant or
deny access, see How DACLs Control Access to an Object.
The AccessCheckAndAuditAlarm function performs a similar access check. In addition, it generates audit
records in the security event log depending on the SACL in the security descriptor.
The AccessCheckByType and AccessCheckByTypeAndAuditAlarm functions are similar to AccessCheck
and AccessCheckAndAuditAlarm except that they allow you to check access to the subobjects of an object,
such as property sets or properties. The AccessCheckByTypeResultList and
AccessCheckByTypeResultListAndAuditAlarm functions are also similar to AccessCheck except that they
provide the access check results for each subobject in a hierarchy of the object's properties and property sets.
These functions use the OBJECT_TYPE_LIST structure to describe the hierarchy of objects for which access is
checked. The functions that generate an audit message use the AUDIT_EVENT_TYPE enumeration type to
indicate whether the object being checked is a directory service object. For more information about the
hierarchy of an object and its subobjects, see ACEs to Control Access to an Object's Properties.
The requested access rights passed to the AccessCheck and AccessCheckAndAuditAlarm functions must
not include any generic access rights. The server can use the MapGenericMask function to convert any generic
access rights to the corresponding specific and standard rights according to the mapping specified in the
GENERIC_MAPPING structure.
The AreAllAccessesGranted and AreAnyAccessesGranted functions compare a requested access mask with
a granted access mask.
For sample code that uses the AccessCheck function, see Verifying Client Access with ACLs in C++.
The Conver tToAutoInheritPrivateObjectSecurity function creates and returns a security descriptor in a
format that allows the automatic propagation of inheritable ACEs. This security descriptor contains all of the
ACEs, inherited and noninherited, in the current security descriptor and is in self-relative format. The
Conver tToAutoInheritPrivateObjectSecurity function determines whether the ACEs are inherited or
noninherited by comparing all of the ACEs in the current security descriptor with all of the ACEs in its parent
security descriptor. There may not be a one-to-one correspondence between the two groups of ACEs. For
instance, an ACE that allows read/write permission can be equivalent to two ACEs: an ACE that allows read
permission and an ACE that allows write permission. A parent security descriptor may not be supplied when the
current security descriptor is the parent.
Auditing Access To Private Objects
3/5/2021 • 2 minutes to read • Edit Online
A protected server can use the following functions to generate audit reports in the security event log.
F UN C T IO N DESC RIP T IO N
The Authorization Manager API and MMC snap-in available in Windows Server 2003 provide applications with a
flexible role-based access control framework. This framework includes a set of strippable COM objects for web
and line of business applications.
The following sections provide information about controlling access to application resources:
Role-based Access Control
ACL-based Access Control
Role-based Access Control
3/5/2021 • 2 minutes to read • Edit Online
The Authorization Manager API and MMC snap-in provide applications with a role-based access control
framework. The Authorization Manager API, also known as AzMan, provides a simplified development model in
which to manage flexible groups and business rules and store authorization policies. For more information, see
the following topics:
Advantages of Role-based Authorization
Authorization Manager Model
Windows XP: The Authorization Manager API and MMC snap-in are available as a download (Windows
Server 2003 Administration Tools Pack) from https://www.microsoft.com/downloads. This download supports
administration and development of Authorization Manager policies; it does not support deployment of
applications that use Authorization Manager to control access.
Related topics
Authorization Interfaces
Authorization Objects
Using Authorization in C++
Using Authorization in Script
Advantages of Role-based Authorization
3/5/2021 • 2 minutes to read • Edit Online
The Authorization Manager API provides an authorization model that has several advantages over low-level
(ACL-based) authorization:
Simplifies access control administration.
Makes authorization available to scripts and applications developed using the Microsoft Visual Basic
development system.
Provides a mechanism to apply run-time business logic when checking access.
Authorization Manager Model
3/5/2021 • 2 minutes to read • Edit Online
Authorization Manager provides a flexible framework for integrating role-based access control into applications.
It enables administrators who use those applications to provide access through assigned user roles that relate to
job functions.
Authorization Manager applications store authorization policy in the form of authorization stores that are stored
in Active Directory or XML files and apply authorization policy at run time.
Applications then call a run-time access check method that checks access against the policy information in the
authorization store.
Authorization policy includes the following parts:
Policy Stores, Applications, and Scopes
Users and Groups
Operations and Tasks
Roles
Business Rules
Collections
Policy Stores, Applications, and Scopes
3/5/2021 • 2 minutes to read • Edit Online
Authorization policy stores, applications, and scopes represent different levels of organization of Authorization
Manager policy. A policy store can contain one or more applications, and an application can contain one or more
scopes.
Authorization Policy Stores
Applications
Scopes
Delegation
Related topics
Applications
In the Authorization Manager API, an application is represented by an IAzApplication object. An authorization
policy store can contain authorization policy information for many applications. Using IAzApplication objects
allows you to store different authorization policy for different applications in a single policy store.
An authorization policy store must contain at least one application.
Scopes
In the Authorization Manager API, a scope is represented by an IAzScope object. Scopes provide an additional,
optional level of organization for an authorization policy. An application can contain one or more scopes, but
need not contain any (Authorization Manager provides a default, application-wide scope).
A scope is a subdivision within an application that separates resources from other resources that are used by
that application. If you have Authorization Manager groups, role assignments, role definitions, or task definitions
that you do not want to apply to an entire application, you can create them at the scope level.
Delegation
Authorization policy stores that are stored in Active Directory support delegation of administration.
Administration can be delegated to users and groups at the store, application, or scope level. Each level defines
administrative roles for the policy at that level. To delegate control to a user or group, assign them to the
administrator role; to allow a user or group to read the policy, assign them to the reader role.
Administrators of a store, application, or scope can read and modify the policy store at the delegated level.
Readers can read the policy store at the delegated level but cannot modify the store.
Related topics
Creating an Authorization Policy Store Object in C++
Creating an Application Object in C++
Delegating the Defining of Permissions in C++
Users and Groups
3/5/2021 • 2 minutes to read • Edit Online
In Authorization Manager, recipients of authorization policy are represented by the following groups:
Windows Users and Groups
These groups include users, computers, and built-in groups for security principals.
LDAP Query Groups
Membership in these groups is dynamically calculated as needed from Lightweight Directory Access
Protocol (LDAP) queries. An LDAP query group is a type of application group.
Basic Application Groups
These groups consist of LDAP query groups, Windows users and groups, and other basic application
groups.
(&(objectCategory=person)(objectClass=user)(!cn=andy))
The following query finds all members of the someone alias at www.fabrikam.com.
(memberOf=CN=someone,OU=litwareinc,DC=Fabrikam,DC=com)
An operation is a low-level computer action. In the Authorization Manager API, an operation is represented by
an IAzOperation object. In general, operations are too many in number and too low-level to facilitate
administration. Group operations into tasks to simplify administration of authorization policy.
A task is represented by an IAzTask object and can contain one or more IAzOperation objects. An IAzTask
object can also contain other IAzTask objects, so that tasks can be nested. To facilitate administration, an
IAzTask object should represent a task that a real user wants to perform.
Access to the operations contained by a task can be qualified at run time by a business rule script associated
with the IAzTask object that represents that task. For more information about business rule scripts, see Business
Rules.
An IAzTask object can also represent a role definition by setting its IsRoleDefinition property to TRUE . The
Authorization Manager MMC snap-in user interface then displays that IAzTask object as a role. For more
information about role definitions, see Roles.
Related topics
Defining Operations in C++
Grouping Operations into Tasks in C++
Grouping Tasks into Roles in C++
Users and Groups
Roles
3/5/2021 • 2 minutes to read • Edit Online
Roles serve two different purposes in Authorization Manager. A role is a set of tasks or operations to which a
category of users requires access, and it is also a set of users and groups that fit into that category.
Roles as Sets of Tasks
Roles as Sets of Users and Groups
Related topics
Related topics
Grouping Tasks into Roles in C++
Defining Groups of Users in C++
Adding Users to an Application Group in C++
Business Rules
3/5/2021 • 2 minutes to read • Edit Online
A business rule allows an application to use logic at run time to qualify permissions granted to the client.
A business rule is a script written in the Visual Basic Scripting Edition (VBScript) programming language or
written using the Microsoft JScript development software that is associated with an IAzTask object. When an
application checks access for an operation, Authorization Manager first checks if the current client has access to
any tasks that contain that operation but that are not associated with business rules. If access is not granted this
way, Authorization Manager runs business-rule scripts associated with any task that contains the operation.
An application passes information to a business-rule script as a pair of arrays that represent the names and
values of parameters. The script has access to these parameters through an AzBizRuleContext object that is
created when the script runs.
A business-rule script cannot be assigned to a task contained by a delegated scope.
Related topics
Qualifying Access with Business Logic in C++
Collections (Authorization)
3/5/2021 • 2 minutes to read • Edit Online
The Authorization Manager API provides interfaces that represent collections of other objects. For example, the
IAzRoles interface represents a collection of IAzRole objects.
The other interfaces that represent collections are IAzApplications , IAzApplicationGroups , IAzOperations ,
IAzScopes , and IAzTasks . Each of these interfaces provides properties that facilitate enumerating objects in a
collection.
AppContainer for Legacy Applications
3/5/2021 • 2 minutes to read • Edit Online
The AppContainer environment is a restrictive process execution environment that can be used for legacy
applications to provide resource security. An application running in an AppContainer can only access resources
specifically granted to it. As a result, applications implemented in an AppContainer cannot be hacked to allow
malicious actions outside of the limited assigned resources.
In this section
TO P IC DESC RIP T IO N
Isolation is the primary goal of an AppContainer execution environment. By isolating an application from
unneeded resources and other applications, opportunities for malicious manipulation are minimized. Granting
access based upon least-privilege prevents applications and users from accessing resources beyond their rights.
Controlling access to resources protects the process, the device, and the network.
Most vulnerabilities in Windows start with the application. Some common examples include an application
breaking out of its browser or sending a bad document to Internet Explorer as well as exploitation of plugins,
such as flash. The more these applications can be isolated in an AppContainer, the safer the device and resources
are. Even if vulnerability in an app is exploited, the app cannot access resources beyond what is granted to the
AppContainer. Malicious apps cannot take over the rest of the machine.
Credential Isolation
Managing identity and credentials, the AppContainer prevents the use of user credentials to gain access to
resources or login to other environments. The AppContainer environment creates an identifier that uses the
combined identities of the user and the application, so credentials are unique to each user/application pairing
and the application cannot impersonate the user.
Device Isolation
Isolating the application from device resources, such as passive sensors (camera, microphone, GPS), and money
pumps (3G/4G, dial phone) the AppContainer environment prevents the application from maliciously exploiting
the device. These resources are blocked by default and can be granted access as necessary. In some cases these
resources are further protected by 'brokers'. Some resources, such as keyboard and mouse, are always available
to the AppContainer and resident application.
File Isolation
Controlling file and registry access, the AppContainer environment prevents the application from modifying
files that it should not. Read-write access can be granted to specific persistent files and registry keys. Read-only
access is less restricted. An application always has access to the memory resident files created specifically for
that AppContainer.
Network Isolation
Isolating the application from network resources beyond those specifically allocated, AppContainer prevents the
application from 'escaping' its environment and maliciously exploiting network resources. Granular access can
be granted for Internet access, Intranet access, and acting as a server.
Process Isolation
Sandboxing the application kernel objects, the AppContainer environment prevents the application from
influencing, or being influenced by, other application processes. This prevents a properly contained application
from corrupting other processes in the event of an exception.
Window Isolation
Isolating the application from other windows, the AppContainer environment prevents the application from
affecting other application interfaces.
Implementing an AppContainer
3/5/2021 • 2 minutes to read • Edit Online
An AppContainer is implemented by adding new information to the process token, changing SeAccessCheck()
so that all legacy, unmodified access control list (ACL) objects block access requests from AppContainer
processes by default, and re-ACL objects that should be available to AppContainers.
The process
Begin by adding new information for the process token. Then change SeAccessCheck() so that all legacy,
unmodified ACLs will block access requests from AppContainer processes by default. Finally, re-ACL resources
that should be available to AppContainers
The AppContainer SID is a persistent unique identifier for the appcontainer. Capability SIDs grant access to
groups of resources to groups of AppContainers. An AppContainerNumber is a transient DWORD used to
distinguish between AppContainers. However, it should not be used as an identity for the AppContainer.
To allow a single AppContainer to access a resource, add its AppContainerSID to the ACL for that resource.
To allow several specific AppContainers to access a resource, add all of their AppContainerSIDs to the ACL for
that resource.
To manage groups of permissions, create a Capability SID (a GUID) and put that Capability SID on all of the
resources to be granted. Then add the Capability SID to your process token.
To allow all AppContainers to access a resource, add the ALL APPLICATION PACKAGES SID to the ACL for that
resource. This acts like a wildcard.
Both AppContainerSID and CapabilitySID support access masks in Access Control Entries (ACE). Set as
appropriate.
Mandatory Integrity Control
3/25/2021 • 2 minutes to read • Edit Online
Mandatory Integrity Control (MIC) provides a mechanism for controlling access to securable objects. This
mechanism is in addition to discretionary access control and evaluates access before access checks against an
object's discretionary access control list (DACL) are evaluated.
MIC uses integrity levels and mandatory policy to evaluate access. Security principals and securable objects are
assigned integrity levels that determine their levels of protection or access. For example, a principal with a low
integrity level cannot write to an object with a medium integrity level, even if that object's DACL allows write
access to the principal.
Windows defines four integrity levels: low, medium, high, and system. Standard users receive medium, elevated
users receive high. Processes you start and objects you create receive your integrity level (medium or high) or
low if the executable file's level is low; system services receive system integrity. Objects that lack an integrity
label are treated as medium by the operating system; this prevents low-integrity code from modifying unlabeled
objects. Additionally, Windows ensures that processes running with a low integrity level cannot obtain access to
a process which is associated with an app container.
Integrity Labels
Integrity labels specify the integrity levels of securable objects and security principals. Integrity labels are
represented by integrity SIDs. The integrity SID for a securable object is stored in its system access control list
(SACL). The SACL contains a SYSTEM_MANDATORY_L ABEL_ACE access control entry (ACE) that in turn
contains the integrity SID. Any object without an integrity SID is treated as if it had medium integrity.
The integrity SID for a security principal is stored in its access token. An access token may contain one or more
integrity SIDs.
For detailed information about the defined integrity SIDs, see Well-known SIDs.
Process Creation
When a user attempts to launch an executable file, the new process is created with the minimum of the user
integrity level and the file integrity level. This means that the new process will never execute with higher
integrity than the executable file. If the administrator user executes a low integrity program, the token for the
new process functions with the low integrity level. This helps protect a user who launches untrustworthy code
from malicious acts performed by that code. The user data, which is at the typical user integrity level, is write-
protected against this new process.
Mandatory Policy
The SYSTEM_MANDATORY_L ABEL_ACE ACE in the SACL of a securable object contains an access mask that
specifies the access that principals with integrity levels lower than the object are granted. The values defined for
this access mask are SYSTEM_MANDATORY_L ABEL_NO_WRITE_UP ,
SYSTEM_MANDATORY_L ABEL_NO_READ_UP , and SYSTEM_MANDATORY_L ABEL_NO_EXECUTE_UP .
By default, the system creates every object with an access mask of
SYSTEM_MANDATORY_L ABEL_NO_WRITE_UP .
Every access token also specifies a mandatory policy that is set by the Local Security Authority (LSA) when the
token is created. This policy is specified by a TOKEN_MANDATORY_POLICY structure associated with the
token. This structure can be queried by calling the GetTokenInformation function with the value of the
TokenInformationClass parameter set to TokenMandator yPolicy .
User Account Control (Authorization)
3/5/2021 • 2 minutes to read • Edit Online
User Account Control (UAC) enables users to perform common tasks as nonadministrators, called standard
users, and as administrators without having to switch users, log off, or use Run As . The behavior of UAC for the
"Never notify" setting no longer disables UAC. The "Never notify" setting gives you a split token and always
automatically elevates the privilege required. This subtlety may cause your app to have compatibility problems.
You can still disable UAC by using Group Policies or manually setting the registry key.
Windows Ser ver 2008 R2, Windows 7, Windows Ser ver 2008 and Windows Vista: The "Never notify"
setting disables UAC.
For example, if you perform the following steps to change the "Never notify" setting, you get different outcomes
when you attempt to create a file in a folder that requires elevated privileges. The Windows 8 behavior is to
deny access. The Windows 7 behavior allows you to create the File.txt file.
1. Click or tap Star t . In the search box, type "Change User Account Control settings".
2. Click or tap Change User Account Control settings to open it.
3. Move the slider to Never notify .
4. Click or tap OK .
5. Restart your computer.
6. Click or tap Star t and then Run . In the Open box, type "Cmd.exe". Note that the title of the window doesn't
contain the string "Administrator".
7. Type "echo > %windir%\system32\File.txt".
UAC was added in Windows Server 2008 and Windows Vista. A standard user account is synonymous with a
user account in Windows XP. User accounts that are members of the local Administrators group will run most
applications as a standard user.
For information about UAC, see the following topics.
TO P IC DESC RIP T IO N
Guidelines for User Account Control in UI Development General information about UAC.
Developing Applications that Require Administrator Privilege Models for developing applications that perform operations
that require administrative privilege, but that run as a
standard user.
It is possible to develop an application that performs operations that require administrator privilege yet runs as
a standard user.
There are several models for accomplishing this.
TO P IC DESC RIP T IO N
Administrator Broker Model The application is divided into two programs. One of the
programs runs as a standard user, and the other runs with
administrator privilege.
In the administrator broker model, the application is divided into two programs. One of the programs runs as a
standard user, and the other runs with administrator privilege.
Using an application manifest, mark the standard user program with a requestedExecutionLevel of
asInvoker and mark the administrative program with a requestedExecutionLevel of requireAdministrator .
A user launches the standard user program first. When the user attempts to perform an operation that requires
a full administrator access token, the standard user program calls the ShellExecute function to launch the
administrative program. The ShellExecute function prompts the user for approval before running the
application with the user's full administrator access token. The administrative program can then perform tasks
that require administrator privilege.
The administrative program is not completely isolated from the standard user program. The administrative
program can enable interprocess communication with the standard user program. However, such
communication is limited by the default mandatory integrity policy. For information about mandatory integrity
considerations, see Designing Applications to Run at a Low Integrity Level.
The following are possible uses for the administrator broker model:
Developing wizards. When a hardware wizard determines that a required driver is not installed on the
computer or located in the enterprise's approved location, it calls an elevated application with the ability to
move a driver into the computer store.
Autorun.exe calling Setup.exe. When a user runs software from a CD, Autorun.exe, which runs as a standard
user, starts Setup.exe, which runs as an administrator, to install the software onto the computer.
The following are drawbacks to using the administrator broker model:
The transitions from application to application can be confusing to the user. It can be difficult to inform the
user why a new application appears on the monitor.
It can be difficult to pass state information between the two applications. For example, you would not use this
model to pass state information between a standard user control panel (CPL) and its administrator
counterpart simply to allow the same CPL to have administrative and standard user functionality. The
standard user CPL would have to store its state somewhere.
There can be a lot of replicated code when splitting the functionality between two programs.
Related topics
Developing Applications that Require Administrator Privilege
Administrator COM Object Model
Operating System Service Model
Elevated Task Model
Operating System Service Model
3/5/2021 • 2 minutes to read • Edit Online
In the operating system service model, an application running as a standard user communicates with a service
running as SYSTEM by using Remote Procedure Call (RPC).
The standard user application is marked in the application manifest with a requestedExecutionLevel of
asInvoker . To perform an operation that requires administrator privilege, the standard user application makes a
request to the service.
One use for the operating system service model is to manage applications that could impact the system, such as
antivirus or other unwanted software and spyware. The standard user application allows the logged on user to
control some aspects of the service. The service is responsible for determining which operations it performs for
a standard user application. For example, an antivirus service might allow a standard user to start a scan of the
system, but it might not allow a standard user to disable real-time virus checking.
A major benefit of using the operating system service model is that no elevation prompting is required.
One drawback of using the operating system service model is that a service running on the system uses more
resources than a task, and a service cannot be stopped by a standard user. Consider using the Elevated Task
Model if it suffices.
To implement the operating system service model, create a standard user client application and an operating
system service. Install the service in the operating system during product installation time.
Related topics
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Administrator COM Object Model
Elevated Task Model
Elevated Task Model
3/5/2021 • 2 minutes to read • Edit Online
In the elevated task model, an application running as a standard user performs operations that require
administrator privilege by starting a scheduled task.
Windows Ser ver 2003 and Windows XP: The elevated task model is not supported.
Tasks do not consume as many system resources as services, and tasks automatically close when finished.
Consider using this model instead of the Operating System Service Model unless backward compatibility with
earlier operating systems is necessary.
To use a task to perform privileged operations for a standard user application, the following conditions must be
met:
The task must be set to run as SYSTEM .
The security descriptor associated with the task must be configured to allow standard users to start the task.
The task scheduler service must be running.
For information about how to create and start tasks, see Task Scheduler.
Related topics
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Administrator COM Object Model
Operating System Service Model
Administrator COM Object Model
3/5/2021 • 2 minutes to read • Edit Online
In the administrator COM object model, an application running as a standard user performs operations that
require administrator privilege by creating an elevated Component Object Model object. For information about
creating an elevated COM object, see The COM Elevation Moniker.
One drawback to using the administrator COM object model is that the user is prompted each time a privileged
operation is performed.
Any user interface that can control the COM object must be presented by the COM object itself. Otherwise, an
unprivileged process could cause the elevated COM object to perform privileged operations without the user
being prompted.
Related topics
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Elevated Task Model
Operating System Service Model
Using Authorization in C++
3/5/2021 • 2 minutes to read • Edit Online
You can use the Authorization Manager API to control access to application resources.
If you have an existing access control solution based on access control lists (ACLs) and want to avoid converting
this solution to use Authorization Manager, you can continue to use ACLs to control access to resources. For
information about controlling access to resources using ACLs, see Defining Permissions with ACLs in C++,
Establishing a Client Context from a SID in C++, and Verifying Client Access with ACLs in C++.
NOTE
For large enterprises, there is a trade-off between administrative overhead and performance. As the number of secured
resources and users increases, the administration of ACLs becomes more complicated. Performance is not affected
because all required information about access rights is distributed to the secured resources. The performance of
Authorization Manager is affected by scaling.
For information about other authorization tasks, see Supporting Tasks for Authorization in C++.
TO P IC DESC RIP T IO N
Defining Permissions in C++ Define which users have access to which application
resources by creating an authorization policy store.
Verifying Client Access to a Requested Resource in C++ Check whether the client has access to one or more
operations.
Delegating the Defining of Permissions in C++ Delegate the administration of authorization policy stores
that are stored in Active Directory.
Defining Permissions in C++
3/5/2021 • 2 minutes to read • Edit Online
In Authorization Manager, you define which users have access to which application resources by creating an
authorization policy store.
For information about defining permissions with ACLs, see Defining Permissions with ACLs in C++.
To define access permissions
1. Create the store where the authorization policy is defined:
Creating an Authorization Policy Store Object in C++
2. Create a section in the authorization policy store for a specific application:
Creating an Application Object in C++
3. Define operations that the application implements to access and modify resources:
Defining Operations in C++
4. Group operations into high-level tasks that users want to perform:
Grouping Operations into Tasks in C++
5. Define roles that consist of groups of tasks:
Grouping Tasks into Roles in C++
A user that is assigned to a role has permission to perform any task assigned to that role. 6. Create scripts to qualify
access to tasks at run time:
Qualifying Access with Business Logic in C++
This step is optional. 7. Define groups of users:
Defining Groups of Users in C++
These groups can then be assigned to roles to determine which tasks they can perform. 8. Add users to user groups:
Adding Users to an Application Group in C++
Verifying Client Access to a Requested Resource in
C++
3/5/2021 • 2 minutes to read • Edit Online
Call the AccessCheck method of the IAzClientContext interface to check if the client has access to one or
more operations. A client might have membership in more than one role, and an operation might be assigned to
more than one task, so Authorization Manager checks for all roles and tasks. If any role to which the client
belongs contains any task that contains an operation, access to that operation is granted.
To check access for only a single role to which the client belongs, set the RoleForAccessCheck property of the
IAzClientContext interface.
When initializing the authorization policy store for access check, you must pass zero as the value of the lFlags
parameter of the IAzAuthorizationStore::Initialize method.
The following example shows how to check a client's access to an operation. The example assumes that there is
an existing XML policy store named MyStore.xml in the root directory of drive C, that this store contains an
application named Expense and an operation named UseFormControl, and that the variable hToken contains a
valid client token.
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
VARIANT myVar;
VariantInit(&myVar);//.vt) = VT_NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
hr = pOperation->get_OperationID(&operationID);
if(!(SUCCEEDED(hr)))
MyHandleError("Could not get operation ID.");
hr = SafeArrayPutElement(varOperationIdArray.parray, index,
&varOperationId);
if(!(SUCCEEDED(hr)))
MyHandleError("Could not put operation ID in array.");
// Check access.
hr = pClientContext->AccessCheck(
objectName,
myVar,
varOperationIdArray,
myVar, // use default application scope
myVar,
myVar,
myVar,
myVar,
&varResultsArray);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not complete access check.");
if (varResult.lVal == 0)
printf("Access granted.\n");
else
printf("Access denied.\n");
// Clean up resources.
pStore->Release();
pApp->Release();
pClientContext->Release();
pOperation->Release();
SysFreeString(storeName);
SysFreeString(appName);
SysFreeString(operationName);
SysFreeString(objectName);
VariantClear(&myVar);
VariantClear(&varOperationIdArray);
VariantClear(&varOperationId);
VariantClear(&varResultsArray);
VariantClear(&varResult);
CoUninitialize();
}
Authorization policy stores that are stored in Active Directory support delegation of administration.
Administration can be delegated to users and groups at the store, application, or scope level.
At each level, there is a list of administrators and readers. Administrators of a store, application, or scope can
read and modify the policy store at the delegated level. Readers can read the policy store at the delegated level
but cannot modify the store.
A user or group that is either an administrator or a reader of an application must also be added as a delegated
user of the policy store that contains that application. Similarly, a user or group that is an administrator or a
reader of a scope must be added as a delegated user of the application that contains that scope.
For example, to delegate administration of a scope, first add the user or group to the list of delegated users of
the store that contains the scope by calling the IAzAuthorizationStore::AddDelegatedPolicyUser method.
Then add the user or group to the list of delegated users of the application that contains the scope by calling the
IAzApplication::AddDelegatedPolicyUser method. Finally, add the user or group to the list of administrators
of the scope by calling the IAzScope::AddPolicyAdministrator method.
XML-based policy stores do not support delegation at any level.
A scope within an authorization store that is stored in Active Directory cannot be delegated if the scope contains
task definitions that include authorization rules or role definitions that include authorization rules.
The following example shows how to delegate administration of an application. The example assumes that there
is an existing Active Directory authorization policy store at the specified location, that this policy store contains
an application named Expense, and that this application contains no tasks with business rule scripts.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void)
{
IAzAuthorizationStore* pStore = NULL;
IAzApplication* pApp = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR appName = NULL;
BSTR userName = NULL;
VARIANT myVar;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Clean up resources.
pStore->Release();
pApp->Release();
SysFreeString(storeName);
SysFreeString(appName);
SysFreeString(userName);
CoUninitialize();
}
The following tasks support the main tasks listed in Using Authorization in C++.
TO P IC DESC RIP T IO N
Creating an Authorization Policy Store in C++ Create an authorization policy before or during the
installation of an application.
Establishing a Client Context with Authorization Manager in Create a client context with a handle to a token, a domain
C++ and user name, or a string representation of the security
identifier (SID) of the client.
Qualifying Access with Business Logic in C++ Provide run-time logic for checking access.
Defining Permissions with ACLs in C++ Define which clients have access to which resources by
creating and modifying the ACLs associated with those
resources and by enabling and disabling client privileges.
Establishing a Client Context from a SID in C++ Identify a user, group, or computer account. Use SIDs to
check access rights to resources.
Verifying Client Access with ACLs in C++ Check the access rights that a security descriptor allows for a
client.
Finding the Owner of a File Object in C++ Find and print the name of the owner of a file.
Taking Object Ownership in C++ Change the DACL of a file object by taking ownership of that
object.
Creating an Authorization Policy Store in C++
3/5/2021 • 2 minutes to read • Edit Online
TO P IC DESC RIP T IO N
Creating an Authorization Policy Store Object in C++ An authorization policy store contains information about the
security policy of an application or group of applications. The
information includes the applications, operations, tasks,
users, and groups of users associated with the store.
Creating an Application Object in C++ An authorization policy store contains authorization policy
information for one or more applications. For each
application that uses that policy store, you must create an
IAzApplication object and save it to a policy store.
Grouping Operations into Tasks in C++ In Authorization Manager, a task is a high-level action that
users of an application need to complete. Tasks are made up
of operations, which are low-level functions and methods of
the application.
Grouping Tasks into Roles in C++ In Authorization Manager, a role represents a category of
users and the tasks those users are authorized to perform.
Adding Users to an Application Group in C++ In Authorization Manager, an application group is a group of
users and user groups. An application group can contain
other application groups, so groups of users can be nested.
Creating an Authorization Policy Store Object in
C++
3/5/2021 • 5 minutes to read • Edit Online
An authorization policy store contains information about the security policy of an application or group of
applications. The information includes the applications, operations, tasks, users, and groups of users associated
with the store. When an application that uses Authorization Manager initializes, it loads this information from
the store. The authorization policy store must be located on a trusted system because administrators on that
system have a high degree of access to the store.
Authorization Manager supports storing authorization policy either in the Active Directory directory service or
in an XML file as shown in the following examples. In the Authorization Manager API, an authorization policy
store is represented by an AzAuthorizationStore object. The examples show how to create an
AzAuthorizationStore object for an Active Directory store and an XML store.
Creating an Active Directory Store
Creating a SQL Server Store
Creating an XML Store
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Clean up resources.
pStore->Release();
VariantClear(&myVar);
SysFreeString(storeName);
CoUninitialize();
}
NOTE
Connections to a SQL Server store are not encrypted unless you explicitly set up SQL encryption for the connection or set
up encryption of the network traffic that uses Internet Protocol Security (IPsec).
The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in a SQL Server database.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
VARIANT myVar;
myVar.vt = VT_NULL;
// Clean up resources.
pStore->Release();
SysFreeString(storeName);
CoUninitialize();
}
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
VARIANT myVar;
myVar.vt = VT_NULL;
// Clean up resources.
pStore->Release();
SysFreeString(storeName);
CoUninitialize();
}
An authorization policy store contains authorization policy information for one or more applications. For each
application that uses that policy store, you must create an IAzApplication object and save it to a policy store.
The following example shows how to create an IAzApplication object that represents an application and how
to add the IAzApplication object to the authorization policy store the application uses. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
IAzApplication* pApp = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR appName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Clean up resources.
pStore->Release();
pApp->Release();
SysFreeString(storeName);
SysFreeString(appName);
VariantClear(&myVar);
CoUninitialize();
}
In Authorization Manager, an operation is a low-level function or method of an application. These operations are
grouped together as tasks. Users of the application request permission to complete tasks. An operation is
represented by an IAzOperation object. For more information about operations, see Operations and Tasks.
The following example shows how to define operations in an authorization policy store. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C, and that this store
contains an application named Expense.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
IAzApplication* pApp = NULL;
IAzOperation* pOp = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR appName = NULL;
BSTR opName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Create operations.
// Clean up resources.
pStore->Release();
pApp->Release();
pOp->Release();
SysFreeString(storeName);
SysFreeString(appName);
VariantClear(&myVar);
CoUninitialize();
}
In Authorization Manager, a task is a high-level action that users of an application need to complete. Tasks are
made up of operations, which are low-level functions and methods of the application. A task is then assigned to
those roles that must perform that task. A task is represented by an IAzTask object. For more information about
operations and tasks, see Operations and Tasks.
The following example shows how to group operations to create a task. The example assumes that there is an
existing XML policy store named MyStore.xml in the root directory of drive C, that this store contains an
application named Expense, and that this application contains operations defined in the topic Defining
Operations in C++.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
IAzApplication* pApp = NULL;
IAzTask* pTask = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR appName = NULL;
BSTR taskName = NULL;
BSTR opName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
if (!(opName = SysAllocString(L"EnqueRequest")))
MyHandleError("Could not allocate operation name string.");
hr = pTask->AddOperation(opName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not add 2nd operation to the task.");
SysFreeString(opName);
if (!(opName = SysAllocString(L"UseFormControl")))
MyHandleError("Could not allocate operation name string.");
hr = pTask->AddOperation(opName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not add 3rd operation to the task.");
SysFreeString(opName);
// Clean up resources.
pStore->Release();
pApp->Release();
pTask->Release();
SysFreeString(storeName);
SysFreeString(appName);
VariantClear(&myVar);
CoUninitialize();
}
In Authorization Manager, a role represents a category of users and the tasks those users are authorized to
perform. Tasks are grouped together and assigned to a role definition, which is represented by an IAzTask
object with its IsRoleDefinition property set to TRUE . The role definition can then be assigned to an IAzRole
object, and users or groups of users are then assigned to that object. For more information about tasks and
roles, see Roles.
The following example shows how to assign tasks to a role definition, create a role object, and assign the role
definition to the role object. The example assumes that there is an existing XML policy store named MyStore.xml
in the root directory of drive C, that this store contains an application named Expense, and that this application
contains tasks named Submit Expense and Approve Expense.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
IAzApplication* pApp = NULL;
IAzTask* pTaskRoleDef = NULL;
IAzRole* pRole = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR appName = NULL;
BSTR taskNameSubmit = NULL;
BSTR taskNameApprove = NULL;
BSTR roleDefName = NULL;
BSTR roleName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Clean up resources.
pStore->Release();
pApp->Release();
pTaskRoleDef->Release();
pRole->Release();
SysFreeString(storeName);
SysFreeString(appName);
SysFreeString(taskNameSubmit);
SysFreeString(taskNameApprove);
SysFreeString(roleDefName);
SysFreeString(roleName);
VariantClear(&myVar);
CoUninitialize();
}
In Authorization Manager, an IAzApplicationGroup object represents a group of users. Roles can then be
assigned to this group of users collectively. An IAzApplicationGroup object can also include other
IAzApplicationGroup objects as members. For more information about application groups, see Users and
Groups.
A group can be defined either by explicit lists of members and nonmembers, or by a Lightweight Directory
Access Protocol (LDAP) query. The following examples show how to create each type of application group:
Creating a Basic Group
Creating an LDAP Query Group
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
IAzApplicationGroup* pAppGroup = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR groupName = NULL;
BSTR sidString = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Clean up resources.
pStore->Release();
pAppGroup->Release();
SysFreeString(storeName);
SysFreeString(groupName);
SysFreeString(sidString);
VariantClear(&myVar);
CoUninitialize();
}
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
IAzApplicationGroup* pAppGroup = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR groupName = NULL;
BSTR ldapString = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
VARIANT myVar;
myVar.vt = VT_NULL;
// Clean up resources.
pStore->Release();
pAppGroup->Release();
SysFreeString(storeName);
SysFreeString(groupName);
SysFreeString(ldapString);
CoUninitialize();
}
In Authorization Manager, an application group is a group of users and user groups. An application group can
contain other application groups, so groups of users can be nested. An application group is represented by an
IAzApplicationGroup object.
To allow members of an application group to perform a task or set of tasks, assign that application group to a
role that contains those tasks. Roles are represented by IAzRole objects.
The following example shows how to create an application group, add a user as a member of the application
group, and assign the application group to an existing role. The example assumes that there is an existing XML
policy store named MyStore.xml in the root directory of drive C, that this store contains an application named
Expense, and that this application contains a role named Expense Administrator.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>
void main(void){
IAzAuthorizationStore* pStore = NULL;
IAzApplication* pApp = NULL;
IAzApplicationGroup* pAppGroup = NULL;
IAzRole* pRole = NULL;
HRESULT hr;
void MyHandleError(char *s);
BSTR storeName = NULL;
BSTR appName = NULL;
BSTR groupName = NULL;
BSTR userName = NULL;
BSTR roleName = NULL;
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
hr = pAppGroup->AddMemberName(userName, myVar);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not add user to application group.");
// Clean up resources.
pStore->Release();
pApp->Release();
pAppGroup->Release();
pRole->Release();
SysFreeString(storeName);
SysFreeString(appName);
SysFreeString(groupName);
SysFreeString(roleName);
SysFreeString(userName);
VariantClear(&myVar);
CoUninitialize();
}
In Authorization Manager, an application determines whether a client is given access to an operation by calling
the AccessCheck method of an IAzClientContext object, which represents a client context.
An application can create a client context with a handle to a token, a domain and user name, or a string
representation of the security identifier (SID) of the client.
Use the InitializeClientContextFromToken , InitializeClientContextFromName , and
InitializeClientContextFromStringSid methods of the IAzApplication interface to create a client context.
The following example shows how to create an IAzClientContext object from a client token. The example
assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C, that this
store contains an application named Expense, and that the variable hToken contains a valid client token.
#include <windows.h>
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
// Clean up resources.
pStore->Release();
pApp->Release();
pClientContext->Release();
SysFreeString(storeName);
SysFreeString(appName);
VariantClear(&myVar);
CoUninitialize();
}
Use business rule scripts to provide run-time logic for checking access. For more information about business
rules, see Business Rules.
To assign a business rule to a task, first set the BizRuleLanguage property of the IAzTask object that
represents the task. The script must be in Visual Basic Scripting Edition or JScript. After you specify the script
language, set the BizRule property of the IAzTask object with a string representation of the script.
When checking access for an operation contained by a task that has an associated business rule, the application
must create two arrays of the same size to be passed as the varParameterNames and varParameterValues
parameters of the IAzClientContext::AccessCheck method. For information about creating a client context,
see Establishing a Client Context with Authorization Manager in C++.
The IAzClientContext::AccessCheck method creates an AzBizRuleContext object that is passed to the
business rule script. The script then sets the BusinessRuleResult property of the AzBizRuleContext object. A
value of TRUE indicates that access is granted, and a value of FALSE indicates that access is denied.
A business rule script cannot be assigned to an IAzTask object contained by a delegated IAzScope object.
The following example shows how to use a business rule script to check a client's access to an operation. The
example assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C,
that this store contains an application named Expense, a task named Submit Expense, and an operation named
UseFormControl, and that the variable hToken contains a valid client token.
#include <windows.h>
#include <stdio.h>
#include <azroles.h>
VARIANT myVar;
VariantInit(&myVar);
VariantInit(&myVar);
// Initialize COM.
hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not initialize COM.");
hr = pTask->put_BizRule(bizRule);
if(!(SUCCEEDED(hr)))
MyHandleError("Could not assign business rule.");
MyHandleError("Could not assign business rule.");
hr = pOperation->get_OperationID(&operationID);
if(!(SUCCEEDED(hr)))
MyHandleError("Could not get operation ID.");
hr = SafeArrayPutElement(varOperationIdArray.parray, index,
&varOperationId);
if(!(SUCCEEDED(hr)))
MyHandleError("Could not put operation ID in array.");
// Check access.
hr = pClientContext->AccessCheck(
objectName,
myVar, // use default application scope
varOperationIdArray,
varParamName,
varParamValue,
myVar,
myVar,
myVar,
&varResultsArray);
if (!(SUCCEEDED(hr)))
MyHandleError("Could not complete access check.");
if (varResult.lVal == 0)
printf("Access granted.\n");
else
printf("Access denied.\n");
// Clean up resources.
pStore->Release();
pApp->Release();
pOperation->Release();
pClientContext->Release();
pTask->Release();
SysFreeString(storeName);
SysFreeString(appName);
SysFreeString(operationName);
SysFreeString(objectName);
SysFreeString(taskName);
SysFreeString(bizRule);
SysFreeString(bizRuleLanguage);
VariantClear(&myVar);
VariantClear(&varOperationIdArray);
VariantClear(&varOperationId);
VariantClear(&varResultsArray);
VariantClear(&varResult);
VariantClear(&varParamName);
VariantClear(&varParamValue);
VariantClear(&nameString);
VariantClear(&expenseAmount);
CoUninitialize();
}
You can use ACLs to control access to protected resources. Define which clients have access to which resources
by creating and modifying the ACLs associated with those resources and by enabling and disabling client
privileges.
TO P IC DESC RIP T IO N
Modifying the ACLs of an Object in C++ Add or remove an access control entry (ACE) to the
discretionary access control list (DACL) of an object.
Creating a Security Descriptor for a New Object in C++ Create a security descriptor for a new object.
Controlling Child Object Creation in C++ Use the DACL of a container object to control who is allowed
to create child objects within the container.
Enabling and Disabling Privileges in C++ Allow or disallow a process to perform system-level actions.
Modifying the ACLs of an Object in C++
3/5/2021 • 2 minutes to read • Edit Online
The following example adds an access control entry (ACE) to the discretionary access control list (DACL) of an
object.
The AccessMode parameter determines the type of new ACE and how the new ACE is combined with any
existing ACEs for the specified trustee. Use the GRANT_ACCESS, SET_ACCESS, DENY_ACCESS, or
REVOKE_ACCESS flags in the AccessMode parameter. For information about these flags, see ACCESS_MODE .
Similar code can be used to work with a system access control list (SACL). Specify
SACL_SECURITY_INFORMATION in the GetNamedSecurityInfo and SetNamedSecurityInfo functions to get
and set the SACL for the object. Use the SET_AUDIT_SUCCESS, SET_AUDIT_FAILURE, and REVOKE_ACCESS flags
in the AccessMode parameter. For information about these flags, see ACCESS_MODE .
Use this code to add an object-specific ACE to the DACL of a directory service object. To specify the GUIDs in an
object-specific ACE, set the TrusteeForm parameter to TRUSTEE_IS_OBJECTS_AND_NAME or
TRUSTEE_IS_OBJECTS_AND_SID and set the pszTrustee parameter to be a pointer to an OBJECTS_AND_NAME
or OBJECTS_AND_SID structure.
This example uses the GetNamedSecurityInfo function to get the existing DACL. Then it fills an
EXPLICIT_ACCESS structure with information about an ACE and uses the SetEntriesInAcl function to merge
the new ACE with any existing ACEs in the DACL. Finally, the example calls the SetNamedSecurityInfo function
to attach the new DACL to the security descriptor of the object.
#include <windows.h>
#include <stdio.h>
DWORD AddAceToObjectsSecurityDescriptor (
LPTSTR pszObjName, // name of object
SE_OBJECT_TYPE ObjectType, // type of object
LPTSTR pszTrustee, // trustee for new ACE
TRUSTEE_FORM TrusteeForm, // format of trustee structure
DWORD dwAccessRights, // access mask for new ACE
ACCESS_MODE AccessMode, // type of ACE
DWORD dwInheritance // inheritance flags for new ACE
)
{
DWORD dwRes = 0;
PACL pOldDACL = NULL, pNewDACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
EXPLICIT_ACCESS ea;
if (NULL == pszObjName)
return ERROR_INVALID_PARAMETER;
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = dwAccessRights;
ea.grfAccessMode = AccessMode;
ea.grfInheritance= dwInheritance;
ea.Trustee.TrusteeForm = TrusteeForm;
ea.Trustee.ptstrName = pszTrustee;
Cleanup:
if(pSD != NULL)
LocalFree((HLOCAL) pSD);
if(pNewDACL != NULL)
LocalFree((HLOCAL) pNewDACL);
return dwRes;
}
Creating a Security Descriptor for a New Object in
C++
3/5/2021 • 2 minutes to read • Edit Online
The following example creates a security descriptor for a new registry key using the following process. Similar
code can be used to create a security descriptor for other object types.
The example fills an array of EXPLICIT_ACCESS structures with the information for two ACEs. One ACE
allows read access to everyone; the other ACE allows full access to administrators.
The EXPLICIT_ACCESS array is passed to the SetEntriesInAcl function to create a DACL for the security
descriptor.
After allocating memory for the security descriptor, the example calls the InitializeSecurityDescriptor and
SetSecurityDescriptorDacl functions to initialize the security descriptor and attach the DACL.
The security descriptor is then stored in a SECURITY_ATTRIBUTES structure and passed to the
RegCreateKeyEx function, which attaches the security descriptor to the newly created key.
#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#include <tchar.h>
void main()
{
if (!InitializeSecurityDescriptor(pSD,
SECURITY_DESCRIPTOR_REVISION))
{
_tprintf(_T("InitializeSecurityDescriptor Error %u\n"),
GetLastError());
goto Cleanup;
}
Cleanup:
Cleanup:
if (pEveryoneSID)
FreeSid(pEveryoneSID);
if (pAdminSID)
FreeSid(pAdminSID);
if (pACL)
LocalFree(pACL);
if (pSD)
LocalFree(pSD);
if (hkSub)
RegCloseKey(hkSub);
return;
}
Controlling Child Object Creation in C++
3/5/2021 • 2 minutes to read • Edit Online
You can use the DACL of a container object to control who is allowed to create child objects within the container.
This can be important because the creator of an object is typically assigned as the object's owner, and an object's
owner can control access to the object.
The various types of container objects have specific access rights that control the ability to create child objects.
For example, a thread must have KEY_CREATE_SUB_KEY access to a registry key to create a subkey under the
key. The DACL of a registry key can contain ACEs that allow or deny this access right. Similarly, NTFS supports
the FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY access rights for controlling the ability to create files or
directories in a directory.
The ADS_RIGHT_DS_CREATE_CHILD access right controls the creation of child objects in a directory service (DS)
object. However, DS objects can contain different types of objects, so the system supports a finer granularity of
control. You can use object-specific ACEs to allow or deny the right to create a specified type of child object. You
can allow a user to create one type of child object while preventing the user from creating other types of child
objects.
The following example uses the SetEntriesInAcl function to add an object-specific ACE to an ACL. The ACE
grants permission to create a specified type of child object. The grfAccessPermissions member of the
EXPLICIT_ACCESS structure is set to ADS_RIGHT_DS_CREATE_CHILD to indicate that the ACE controls the child
object creation. The ObjectsPresent member of the OBJECTS_AND_SID structure is set to
ACE_OBJECT_TYPE_PRESENT to indicate that the ObjectTypeGuid member contains a valid GUID. The GUID
identifies a type of child object whose creation is being controlled.
In the following example, pOldDACL must be a valid pointer to an existing ACL structure. For information about
how to create an ACL structure for an object, see Creating a Security Descriptor for a New Object in C++.
DWORD dwRes;
PACL pOldDACL = NULL;
PACL pNewDACL = NULL;
GUID guidChildObjectType = GUID_NULL; // GUID of object to control creation of
PSID pTrusteeSID = NULL; // trustee for new ACE
EXPLICIT_ACCESS ea;
OBJECTS_AND_SID ObjectsAndSID;
ZeroMemory(&ObjectsAndSID, sizeof(OBJECTS_AND_SID));
ObjectsAndSID.ObjectsPresent = ACE_OBJECT_TYPE_PRESENT;
ObjectsAndSID.ObjectTypeGuid = guidChildObjectType;
ObjectsAndSID.InheritedObjectTypeGuid = GUID_NULL;
ObjectsAndSID.pSid = (SID *)pTrusteeSID;
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = ADS_RIGHT_DS_CREATE_CHILD;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_OBJECTS_AND_SID;
ea.Trustee.ptstrName = (LPTSTR) &ObjectsAndSID;
Enabling a privilege in an access token allows the process to perform system-level actions that it could not
previously. Your application should thoroughly verify that the privilege is appropriate to the type of account,
especially for the following powerful privileges.
Before enabling any of these potentially dangerous privileges, determine that functions or operations in your
code actually require the privileges. For example, very few functions in the operating system actually require the
SeTcbPrivilege . For a list of all the available privileges, see Privilege Constants.
The following example shows how to enable or disable a privilege in an access token. The example calls the
LookupPrivilegeValue function to get the locally unique identifier (LUID) that the local system uses to identify
the privilege. Then the example calls the AdjustTokenPrivileges function, which either enables or disables the
privilege that depends on the value of the bEnablePrivilege parameter.
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "cmcfg32.lib")
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if ( !LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid ) ) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %u\n", GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
if ( !AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL) )
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError() );
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
}
Establishing a Client Context from a SID in C++
3/5/2021 • 2 minutes to read • Edit Online
Use a security identifier (SID) to identify a user, group, or computer account. Use SIDs to check access rights to
resources.
TO P IC DESC RIP T IO N
Searching for a SID in an Access Token in C++ Find a SID in an access token.
Converting a Binary SID to String Format in C++ Convert a SID to and from string format.
Searching for a SID in an Access Token in C++
3/5/2021 • 2 minutes to read • Edit Online
The following example uses the OpenProcessToken and GetTokenInformation functions to get the group
memberships in an access token. Then it uses the AllocateAndInitializeSid function to create a SID that
identifies the well-known SID of the administrator group for the local computer. Next, it uses the EqualSid
function to compare the well-known SID with the group SIDs from the access token. If the SID is present in the
token, the function checks the attributes of the SID to determine whether it is enabled.
The CheckTokenMembership function should be used to determine whether a specified SID is present and
enabled in an access token. This function eliminates potential misinterpretations of the active group
membership.
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")
// Loop through the group SIDs looking for the administrator SID.
dwSize = MAX_NAME;
if( !LookupAccountSid( NULL, pGroupInfo->Groups[i].Sid,
lpName, &dwSize, lpDomain,
&dwSize, &SidType ) )
{
dwResult = GetLastError();
if( dwResult == ERROR_NONE_MAPPED )
strcpy_s (lpName, dwSize, "NONE_MAPPED" );
else
{
printf("LookupAccountSid Error %u\n", GetLastError());
return FALSE;
}
}
printf( "Current user is a member of the %s\\%s group\n",
lpDomain, lpName );
if (pSID)
FreeSid(pSID);
if ( pGroupInfo )
GlobalFree( pGroupInfo );
return TRUE;
}
Converting a Binary SID to String Format in C++
3/5/2021 • 2 minutes to read • Edit Online
The Conver tSidToStringSid and Conver tStringSidToSid functions convert a security identifier (SID) to and
from string format. For a description of the SID string format, see SID Components.
Verifying Client Access with ACLs in C++
3/5/2021 • 2 minutes to read • Edit Online
The following example shows how a server could check the access rights that a security descriptor allows for a
client. The example uses the ImpersonateNamedPipeClient function; however, it would work the same using
any of the other impersonation functions. After impersonating the client, the example calls the
OpenThreadToken function to get the impersonation token. Then, it calls the MapGenericMask function to
convert any generic access rights to the corresponding specific and standard rights according to the mapping
specified in the GENERIC_MAPPING structure.
The AccessCheck function checks the requested access rights against the rights allowed for the client in the
DACL of the security descriptor. To check access and generate an entry in the security event log, use the
AccessCheckAndAuditAlarm function.
#include <windows.h>
#pragma comment(lib, "advapi32.lib")
BOOL ImpersonateAndCheckAccess(
HANDLE hNamedPipe, // handle of pipe to impersonate
PSECURITY_DESCRIPTOR pSD, // security descriptor to check
DWORD dwAccessDesired, // access rights to check
PGENERIC_MAPPING pGeneric, // generic mapping for object
PDWORD pdwAccessAllowed // returns allowed access rights
)
{
HANDLE hToken;
PRIVILEGE_SET PrivilegeSet;
DWORD dwPrivSetSize = sizeof( PRIVILEGE_SET );
BOOL fAccessGranted=FALSE;
if (! ImpersonateNamedPipeClient(hNamedPipe) )
return FALSE;
if( !AccessCheck(
pSD, // security descriptor to check
hToken, // impersonation token
dwAccessDesired, // requested access rights
pGeneric, // pointer to GENERIC_MAPPING
&PrivilegeSet, // receives privileges used in check
&dwPrivSetSize, // size of PrivilegeSet buffer
pdwAccessAllowed, // receives mask of allowed access rights
&fAccessGranted )) // receives results of access check
{
goto Cleanup;
}
Cleanup:
RevertToSelf();
if (hToken != INVALID_HANDLE_VALUE)
CloseHandle(hToken);
return fAccessGranted;
}
Finding the Owner of a File Object in C++
3/5/2021 • 2 minutes to read • Edit Online
The following example uses the GetSecurityInfo and LookupAccountSid functions to find and print the
name of the owner of a file. The file exists in the current working directory on the local server.
#include <stdio.h>
#include <windows.h>
#include <tchar.h>
#include "accctrl.h"
#include "aclapi.h"
#pragma comment(lib, "advapi32.lib")
int main(void)
{
DWORD dwRtnCode = 0;
PSID pSidOwner = NULL;
BOOL bRtnBool = TRUE;
LPTSTR AcctName = NULL;
LPTSTR DomainName = NULL;
DWORD dwAcctName = 1, dwDomainName = 1;
SID_NAME_USE eUse = SidTypeUnknown;
HANDLE hFile;
PSECURITY_DESCRIPTOR pSD = NULL;
dwErrorCode = GetLastError();
_tprintf(TEXT("CreateFile error = %d\n"), dwErrorCode);
return -1;
}
dwErrorCode = GetLastError();
_tprintf(TEXT("GlobalAlloc error = %d\n"), dwErrorCode);
return -1;
}
DomainName = (LPTSTR)GlobalAlloc(
GMEM_FIXED,
dwDomainName);
dwErrorCode = GetLastError();
_tprintf(TEXT("GlobalAlloc error = %d\n"), dwErrorCode);
return -1;
dwErrorCode = GetLastError();
if (dwErrorCode == ERROR_NONE_MAPPED)
_tprintf(TEXT
("Account owner not found for specified SID.\n"));
else
_tprintf(TEXT("Error in LookupAccountSid.\n"));
return -1;
return 0;
}
Taking Object Ownership in C++
3/5/2021 • 3 minutes to read • Edit Online
The following example tries to change the DACL of a file object by taking ownership of that object. This will
succeed only if the caller has WRITE_DAC access to the object or is the owner of the object. If the initial attempt
to change the DACL fails, an administrator can take ownership of the object. To give the administrator
ownership, the example enables the SE_TAKE_OWNERSHIP_NAME privilege in the caller's access token, and
makes the local system's Administrators group the owner of the object. If the caller is a member of the
Administrators group, the code will then be able to change the object's DACL.
To enable and disable privileges, this example uses the SetPrivilege sample function described in Enabling and
Disabling Privileges in C++.
#include <windows.h>
#include <stdio.h>
#include <accctrl.h>
#include <aclapi.h>
if (ERROR_SUCCESS != SetEntriesInAcl(NUM_ACES,
ea,
NULL,
&pACL))
{
printf("Failed SetEntriesInAcl\n");
goto Cleanup;
}
if (ERROR_SUCCESS == dwRes)
{
printf("Successfully changed DACL\n");
bRetval = TRUE;
// No more processing needed.
goto Cleanup;
}
if (dwRes != ERROR_ACCESS_DENIED)
{
printf("First SetNamedSecurityInfo call failed: %u\n",
dwRes);
goto Cleanup;
}
if (dwRes != ERROR_SUCCESS)
{
printf("Could not set owner. Error: %u\n", dwRes);
goto Cleanup;
}
if (dwRes == ERROR_SUCCESS)
{
printf("Successfully changed DACL\n");
bRetval = TRUE;
}
else
{
printf("Second SetNamedSecurityInfo call failed: %u\n",
dwRes);
}
Cleanup:
if (pSIDAdmin)
FreeSid(pSIDAdmin);
if (pSIDEveryone)
FreeSid(pSIDEveryone);
if (pACL)
LocalFree(pACL);
if (hToken)
CloseHandle(hToken);
return bRetval;
}
Using Authorization in Script
3/5/2021 • 2 minutes to read • Edit Online
You can use the Authorization Manager API to control access to application resources.
The examples in this section are written using Visual Basic Scripting Edition (VBScript) and Active Server Pages
(ASP).
For information about other authorization tasks, see Supporting Tasks in Script.
TO P IC DESC RIP T IO N
Defining Permissions in Script Define which users have access to which application
resources by creating an authorization policy store.
Verifying Client Access to a Requested Resource in Script Check whether the client has access to one or more
operations.
Delegating the Defining of Permissions in Script Delegate the administration of authorization policy stores
that are stored in Active Directory.
Defining Permissions in Script
3/5/2021 • 2 minutes to read • Edit Online
In Authorization Manager, you define which users have access to which application resources by creating an
authorization policy store.
To define access permissions
1. Create the store where the authorization policy is defined:
Creating an Authorization Policy Store in Script
2. Create a section in the authorization policy store for a specific application:
Creating an Application Object in Script
3. Define operations that the application implements to access and modify resources:
Defining Operations in Script
4. Group operations into high-level tasks that users want to perform:
Grouping Operations into Tasks in Script
5. Define roles that consist of groups of tasks:
Grouping Tasks into Roles in Script
A user that is assigned to a role has permission to perform any task assigned to that role. 6. Create scripts to qualify
access to tasks at run time:
Qualifying Access with Business Logic in Script
This step is optional. 7. Define groups of users:
Defining Groups of Users in Script
These groups can then be assigned to roles to determine which tasks they can perform. 8. Add users to user groups:
Adding Users to an Application Group in Script
Verifying Client Access to Requested Resources in
Script
3/5/2021 • 2 minutes to read • Edit Online
Call the AccessCheck method of an IAzClientContext object to check whether the client has access to one or
more operations. For information about creating an IAzClientContext object, see Establishing a Client Context
in Script.
A client might have membership in more than one role, and an operation might be assigned to more than one
task, so Authorization Manager checks for all roles and tasks. If any role to which the client belongs contains any
task that contains an operation, access to that operation is granted.
To check access for only a single role to which the client belongs, set the RoleForAccessCheck property of the
IAzClientContext object.
When initializing the authorization policy store for access check, you must pass zero as the value of the lFlags
parameter of the Initialize method of the AzAuthorizationStore object.
It is also possible to apply business logic at run time to qualify access. For information about qualifying access
with business logic, see Qualifying Access with Business Logic in Script.
The following example shows how to check a client's access to an operation. The example assumes that there is
an existing XML policy store named MyStore.xml in the root directory of drive C, and that this store contains an
application named Expense and an operation named UseFormControl.
<%@ Language=VBScript %>
<%
' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")
Results = _
clientContext.AccessCheck("UseFormControl", Empty, Operations)
%>
Delegating the Defining of Permissions in Script
3/5/2021 • 2 minutes to read • Edit Online
You can delegate the administration of authorization policy stores that are stored in Active Directory.
Administration can be delegated to users and groups at the store, application, or scope level.
At each level, there is a list of administrators and readers. Administrators of a store, application, or scope can
read and modify the policy store at the delegated level. Readers can read the policy store at the delegated level
but cannot modify the store.
A user or group that is either an administrator or a reader of an application must also be added as a delegated
user of the policy store that contains that application. Similarly, a user or group that is an administrator or a
reader of a scope must be added as a delegated user of the application that contains that scope.
To delegate administration of a scope
1. Add the user or group to the list of delegated users of the store that contains the scope by calling the
AddDelegatedPolicyUser method of the AzAuthorizationStore object that contains the scope.
2. Add the user or group to the list of delegated users of the application that contains the scope by calling the
AddDelegatedPolicyUser method of the IAzApplication object that contains the scope.
3. Add the user or group to the list of administrators of the scope by calling the AddPolicyAdministrator
method of the IAzScope object.
NOTE
XML-based policy stores do not support delegation at any level.
If a scope within an authorization store that is stored in Active Directory contains task definitions that include
authorization rules or role definitions that include authorization rules, the scope cannot be delegated.
The following example shows how to delegate administration of an application. The example assumes that there
is an existing Active Directory authorization policy store at the specified location, that this policy store contains
an application named Expense, and that this application contains no tasks with business rule scripts.
' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")
The following tasks support the main tasks listed in Using Authorization in Script.
TO P IC DESC RIP T IO N
Creating an Authorization Policy Store in Script Create an authorization policy before or during the
installation of an application.
Establishing a Client Context in Script Create a client context with a handle to a token, a domain
and user name, or a string representation of the security
identifier (SID) of the client.
Qualifying Access with Business Logic in Script Provide run-time logic for checking access.
Creating an Authorization Policy Store in Script
3/5/2021 • 2 minutes to read • Edit Online
TO P IC DESC RIP T IO N
Creating an Authorization Policy Store Object in Script An authorization policy store contains information about the
security policy of an application or group of applications.
Creating an Application Object in Script For each application that uses an authorization policy store,
you must create an IAzApplication object and save it to a
policy store.
Grouping Operations into Tasks in Script A task is a high-level action that users of an application need
to complete. Tasks are made up of operations, which are
low-level functions and methods of the application.
Grouping Tasks into Roles in Script A role represents a category of users and the tasks those
users are authorized to perform.
Adding Users to an Application Group in Script An application group is a group of users and user groups.
An application group can contain other application groups,
so groups of users can be nested. An application group is
represented by an IAzApplicationGroup object.
Creating an Authorization Policy Store Object in
Script
3/5/2021 • 3 minutes to read • Edit Online
An authorization policy store contains information about the security policy of an application or group of
applications. The information includes the applications, operations, tasks, users, and groups of users associated
with the store. When an application that uses Authorization Manager initializes, it loads this information from
the store. The authorization policy store must be located on a trusted system because administrators on that
system have a high degree of access to the store.
Authorization Manager supports storing authorization policy either in the Active Directory directory service or
in an XML file as shown in the following examples. In the Authorization Manager API, an authorization policy
store is represented by an AzAuthorizationStore object. The examples show how to create an
AzAuthorizationStore object for an Active Directory store and an XML store.
Creating an Active Directory Store
Creating a SQL Server Store
Creating an XML Store
NOTE
Connections to a SQL Server store are not encrypted unless you explicitly set up SQL encryption for the connection or set
up encryption of the network traffic that uses Internet Protocol Security (IPsec).
The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in a SQL Server database.
An authorization policy store contains authorization policy information for one or more applications. For each
application that uses an authorization policy store, you must create an IAzApplication object and save it to a
policy store.
The following example shows how to create an IAzApplication object that represents an application and how
to add the IAzApplication object to the authorization policy store the application uses. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C.
In Authorization Manager an operation is a low-level function or method of an application. These operations are
grouped together as tasks. Users of the application request permission to complete tasks. An operation is
represented by an IAzOperation object. For more information about operations, see Operations and Tasks.
The following example shows how to define operations in an authorization policy store. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C, and that this store
contains an application named Expense.
In Authorization Manager, a task is a high-level action that users of an application need to complete. Tasks are
made up of operations, which are low-level functions and methods of the application. A task is then assigned to
those roles that must perform that task. A task is represented by an IAzTask object. For more information about
operations and tasks, see Operations and Tasks.
The following example shows how to group operations to create a task. The example assumes that there is an
existing XML policy store named MyStore.xml in the root directory of drive C, that this store contains an
application named Expense, and that this application contains operations defined in the topic Defining
Operations in Script.
In Authorization Manager, a role represents a category of users and the tasks those users are authorized to
perform. Tasks are grouped together and assigned to a role definition, which is represented by an IAzTask
object with its IsRoleDefinition property set to True . The role definition can then be assigned to an IAzRole
object, and users or groups of users are then assigned to that object. For more information about tasks and
roles, see Roles.
The following example shows how to assign tasks to a role definition, create a role object, and assign the role
definition to the role object. The example assumes that there is an existing XML policy store named MyStore.xml
in the root directory of drive C, that this store contains an application named Expense, and that this application
contains tasks named Submit Expense and Approve Expense.
In Authorization Manager, an IAzApplicationGroup object represents a group of users. Roles can then be
assigned to this group of users collectively. An IAzApplicationGroup object can also include other
IAzApplicationGroup objects as members. For more information about application groups, see Users and
Groups.
A group can be defined either by explicit lists of members and nonmembers or by a Lightweight Directory
Access Protocol (LDAP) query. The following examples show how to create each type of application group:
Creating a Basic Group
Creating an LDAP Query Group
' Add a well-known SID for all local users to the group.
appGroup.AddMember("S-1-1-0")
In Authorization Manager, an application group is a group of users and user groups. An application group can
contain other application groups, so groups of users can be nested. An application group is represented by an
IAzApplicationGroup object.
To allow members of an application group to perform a task or set of tasks
Assign that application group to a role that contains those tasks.
Roles are represented by IAzRole objects.
The following example shows how to create an application group, add a user as a member of the application
group, and assign the application group to an existing role. The example assumes that there is an existing XML
policy store named MyStore.xml in the root directory of drive C, that this store contains an application named
Expense, and that this application contains a role named Expense Administrator.
In Authorization Manager, an application determines whether a client is given access to an operation by calling
the AccessCheck method of an IAzClientContext object, which represents a client context.
An application can create a client context with a handle to a token, a domain and user name, or a string
representation of the security identifier (SID) of the client.
Use the InitializeClientContextFromToken , InitializeClientContextFromName , and
InitializeClientContextFromStringSid methods of an IAzApplication object to create a client context.
The following example shows how to create an IAzClientContext object from a client name. The example
assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C, and that
this store contains an application named Expense.
%>
Qualifying Access with Business Logic in Script
3/5/2021 • 2 minutes to read • Edit Online
Use business rule scripts to provide run-time logic for checking access. For more information about business
rules, see Business Rules.
To assign a business rule to a task, first set the BizRuleLanguage property of the IAzTask object that
represents the task. The script must be written using the Visual Basic Scripting Edition (VBScript) programming
language or JScript development software. After you specify the script language, set the BizRule property of the
IAzTask object with a string representation of the script.
When checking access for an operation contained by a task that has an associated business rule, the application
must create two arrays of the same size to be passed as the varParameterNames and varParameterValues
parameters of the AccessCheck method of an IAzClientContext object. For information about creating a
client context, see Establishing a Client Context in Script.
The AccessCheck method creates an AzBizRuleContext object that is passed to the business rule script. The
script then sets the BusinessRuleResult property of the AzBizRuleContext object. A value of True indicates
that access is granted, and a value of False indicates that access is denied.
A business rule script cannot be assigned to an IAzTask object contained by a delegated IAzScope object.
The following example shows how to use a business rule script to check a client's access to an operation. The
example assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C,
and that this store contains an application named Expense, a task named Submit Expense, and an operation
named UseFormControl.
%>
Using Authz API
3/5/2021 • 2 minutes to read • Edit Online
Authz API allows applications to perform customizable access checks with better performance and more
simplified development than Low-level Access Control.
Authz API allows applications to cache access checks for improved performance, to query and modify client
contexts, and to define business rules that can be used to evaluate access permission dynamically.
In This Section
TO P IC DESC RIP T IO N
Initializing a Client Context An application must create a client context before it can use
Authz API to perform access checks or auditing.
Adding SIDs to a Client Context An application can add security identifiers (SIDs) to an
existing client context by calling the
AuthzAddSidsToContext function.
Checking Access with Authz API Applications determine whether to grant access to securable
objects by calling the AuthzAccessCheck function.
Caching Access Checks When an application performs an access check by calling the
AuthzAccessCheck function, the results of that access
check can be cached.
Initializing a Client Context
3/5/2021 • 2 minutes to read • Edit Online
An application must create a client context before it can use Authz API to perform access checks or auditing.
An application must call the AuthzInitializeResourceManager function to initialize the resource manager. The
application can then call one of several functions to create a client context. Additionally, if you are performing
access checks or auditing remotely, you must use the AuthzInitializeRemoteResourceManager function.
To create a client context based on an existing client context, call the
AuthzInitializeContextFromAuthzContext function.
The AuthzInitializeContextFromToken function creates a new client context by using information in a logon
token. The AuthzInitializeContextFromSid function creates a new client context by using the specified SID .
If possible, call the AuthzInitializeContextFromToken function instead of AuthzInitializeContextFromSid .
AuthzInitializeContextFromSid attempts to retrieve the information available in a logon token had the client
actually logged on. An actual logon token provides more information, such as logon type and logon properties,
and reflects the behavior of the authentication package used for the logon. The client context created by
AuthzInitializeContextFromToken uses a logon token, and the resulting client context is more complete and
accurate than a client context created by AuthzInitializeContextFromSid .
NOTE
Security attribute variables must be present in the client context if referred to in a conditional expression; otherwise, the
conditional expression term referencing them will be evaluated as unknown. For more information on conditional
expressions, see the Security Descriptor Definition Language for Conditional ACEs topic.
Example
The following example initializes the Authz resource manager and calls the
AuthzInitializeContextFromToken function to create a client context from the logon token associated with
the current process.
BOOL AuthzInitFromToken(AUTHZ_CLIENT_CONTEXT_HANDLE *phClientContext)
{
ULONG uFlags = 0;
if(!AuthzInitializeContextFromToken(
0,
hToken,
g_hResourceManager,
NULL,
Luid,
NULL,
phClientContext
))
{
printf_s("AuthzInitializeContextFromToken failed with %d\n", GetLastError);
return FALSE;
}
Related topics
Adding SIDs to a Client Context
Caching Access Checks
Checking Access with Authz API
How AccessCheck Works
Querying a Client Context
Security Descriptor Definition Language for Conditional ACEs
AuthzInitializeRemoteResourceManager
AuthzInitializeResourceManager
Querying a Client Context
3/5/2021 • 2 minutes to read • Edit Online
Applications can call the AuthzGetInformationFromContext function to query information about an existing
client context.
The InfoClass parameter of the AuthzGetInformationFromContext function takes a value from the
AUTHZ_CONTEXT_INFORMATION_CL ASS enumeration that specifies what type of information the function
queries.
Security attribute variables must be present in the client context if referred to in a conditional expression;
otherwise, the conditional expression term referencing them will be evaluated as unknown. For more
information on conditional expressions, see the Security Descriptor Definition Language for Conditional ACEs
topic.
Example
The following example queries the client context created in the example from Initializing a Client Context to
retrieve the list of SIDs of groups associated with that client context.
BOOL GetGroupsFromContext(AUTHZ_CLIENT_CONTEXT_HANDLE hClientContext)
{
DWORD cbSize = 0;
PTOKEN_GROUPS pTokenGroups=NULL;
LPTSTR StringSid = NULL;
BOOL bResult = FALSE;
int i = 0;
//Call the AuthzGetInformationFromContext function with a NULL output buffer to get the required buffer
size.
AuthzGetInformationFromContext(hClientContext, AuthzContextInfoGroupsSids, 0, &cbSize, NULL);
free(pTokenGroups);
return TRUE;
}
Related topics
Adding SIDs to a Client Context
Caching Access Checks
Checking Access with Authz API
How AccessCheck Works
Initializing a Client Context
Security Descriptor Definition Language for Conditional ACEs
Adding SIDs to a Client Context
3/5/2021 • 2 minutes to read • Edit Online
An application can add security identifiers (SIDs) to an existing client context by calling the
AuthzAddSidsToContext function. The AuthzAddSidsToContext function allows an application to specify
both a list of SIDs and a list of restricting SIDs to the specified client context.
The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a
restricted process or thread tries to access a securable object, the system performs two access checks: one using
the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access
checks allow the requested access rights.
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.
Example
The following example adds a SID and a restricting SID to the client context created by the example in Initializing
a Client Context.
//Set the members of the SID_AND_ATTRIBUTES structure for the restricting SID.
RestrictedSids.Sid = pLocalSid;
RestrictedSids.Attributes = SE_GROUP_ENABLED;
//Create a new context with the new "Everyone" SID and "Local" restricting SID.
if(!AuthzAddSidsToContext(
*phClientContext,
&Sids,
1,
1,
&RestrictedSids,
1,
&NewContext))
{
printf_s("AuthzAddSidsToContext failed with %d\n", GetLastError());
if(pEveryoneSid)
{
FreeSid(pEveryoneSid);
}
if(pLocalSid)
{
FreeSid(pLocalSid);
}
return FALSE;
}
if(pEveryoneSid)
{
FreeSid(pEveryoneSid);
}
if(pLocalSid)
{
FreeSid(pLocalSid);
}
AuthzFreeContext(*phClientContext);
*phClientContext = NewContext;
return TRUE;
Related topics
Caching Access Checks
Checking Access with Authz API
Initializing a Client Context
Querying a Client Context
Checking Access with Authz API
3/5/2021 • 2 minutes to read • Edit Online
Applications determine whether to grant access to securable objects by calling the AuthzAccessCheck
function.
The AuthzAccessCheck function takes both AUTHZ_ACCESS_REQUEST and SECURITY_DESCRIPTOR
structures as parameters. The AUTHZ_ACCESS_REQUEST structure specifies a level of access requested. The
AuthzAccessCheck function evaluates the requested access against the specified SECURITY_DESCRIPTOR
for a specified client context. For information about how a security descriptor controls access to an object, see
How DACLs Control Access to an Object.
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.
Callback Function
If the discretionary access control list (DACL) of the SECURITY_DESCRIPTOR of the object to be checked
contains any callback access control entries (ACEs), AuthzAccessCheck calls the AuthzAccessCheckCallback
function for each callback ACE contained in the DACL. A callback ACE is any ACE structure whose ACE type
contains the word "callback." The AuthzAccessCheckCallback function is an application-defined function that
must be registered when the resource manager is initialized by calling the AuthzInitializeResourceManager
function.
A callback function allows an application to define business logic to be evaluated at runtime. When the
AuthzAccessCheckCallback function is called, the callback ACE that caused the call is passed to the callback
function for evaluation. If the application-defined logic evaluates as TRUE , then the callback ACE is included in
the access check. Otherwise, it is ignored.
Example
The following example creates a SECURITY_DESCRIPTOR that allows READ_CONTROL access to built-in
administrators. It uses that security descriptor to check access for the client specified by the client context
created in the example in Initializing a Client Context.
//Call AuthzAccessCheck.
if(!AuthzAccessCheck(
0,
hClientContext,
&Request,
NULL,
pSecurityDescriptor,
NULL,
0,
pReply,
NULL))
{
printf_s("AuthzAccessCheck failed with %d\n", GetLastError());
LocalFree(pSecurityDescriptor);
return FALSE;
}
//Print results.
if(*pReply->GrantedAccessMask & READ_CONTROL)
{
printf_s("Access granted.\n");
}
else
{
printf_s("Access denied.\n");
}
LocalFree(pSecurityDescriptor);
return TRUE;
Related topics
Adding SIDs to a Client Context
Caching Access Checks
Initializing a Client Context
Querying a Client Context
Caching Access Checks
3/5/2021 • 2 minutes to read • Edit Online
When an application performs an access check by calling the AuthzAccessCheck function, the results of that
access check can be cached. When the pAuthzHandle parameter of the AuthzAccessCheck function is not
NULL , the function performs a separate access check, with a requested ACCESS_MASK of
MAXIMUM_ALLOWED , and caches the results of that check. A handle to the results of that check can then be
passed as the AuthzHandle parameter to the AuthzCachedAccessCheck function. This allows faster access
checking for a given client and security descriptors.
Only the static portion of an access check can be cached. Any callback access control entries (ACEs) or ACEs that
contain the PRINCIPAL_SELF SID must be evaluated for each access check.
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.
Example
The following example checks access against a cached result from a previous access check. The previous access
check was performed in the example in Checking Access with Authz API.
LocalFree(pSecurityDescriptor);
return FALSE;
}
//Call AuthzCachedAccessCheck with the cached result from the previous call.
if(!AuthzCachedAccessCheck(
0,
hCached,
&Request,
NULL,
pCachedReply))
{
printf_s("AuthzCachedAccessCheck failed with %d\n", GetLastError());
LocalFree(pSecurityDescriptor);
AuthzFreeHandle(hCached);
return FALSE;
}
//Print results.
if(*pCachedReply->GrantedAccessMask & READ_CONTROL)
{
printf_s("Access granted.\n");
}
else
{
printf_s("Access denied.\n");
}
LocalFree(pSecurityDescriptor);
AuthzFreeHandle(hCached);
return TRUE;
Related topics
Adding SIDs to a Client Context
Checking Access with Authz API
Initializing a Client Context
Querying a Client Context
Authorization Reference
3/5/2021 • 2 minutes to read • Edit Online
Authorization reference pages contain detailed descriptions of the Microsoft authorization functions, interfaces,
objects, structures, and other programming elements. These pages include reference descriptions of the API for
working with access controls including the access control editors.
Reference pages are divided into the following groups.
In this section
TO P IC DESC RIP T IO N
Account Rights Constants Account rights determine the type of logon that a user
account can perform. An administrator assigns account
rights to user and group accounts. Each user's account rights
include those granted to the user and to the groups to
which the user belongs.
Capability SID Constants Define for applications well-known capabilities by using the
AllocateAndInitializeSid function.
Account rights determine the type of logon that a user account can perform. An administrator assigns account
rights to user and group accounts. Each user's account rights include those granted to the user and to the
groups to which the user belongs.
A system administrator can use the Local Security Authority (LSA) functions to work with account rights. The
LsaAddAccountRights and LsaRemoveAccountRights functions add or remove account rights from an
account. The LsaEnumerateAccountRights function enumerates the account rights held by a specified
account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified
account right.
The following account right constants are used to control the logon ability of an account. The LogonUser or
LsaLogonUser functions fail if the account being logged on does not have the account rights required for the
type of logon being performed.
Remarks
The SE_DENY rights override the corresponding account rights. An administrator can assign an SE_DENY right
to an account to override any logon rights that an account might have as a result of a group membership. For
example, you could assign the SE_NETWORK_LOGON_NAME right to Everyone but assign the
SE_DENY_NETWORK_LOGON_NAME right to Administrators to prevent remote administration of computers.
All of the LSA functions mentioned in the introduction above support both account rights and privileges. Unlike
privileges, however, account rights are not supported by the LookupPrivilegeValue and
LookupPrivilegeName functions. The GetTokenInformation function will obtain information on account
rights if TokenGroups, and not TokenPrivileges, is specified as the value of the TokenInformationClass parameter.
The preceding account right constants are defined as strings in Ntsecapi.h. For example, the
SE_INTERACTIVE_LOGON_NAME constant is defined as "SeInteractiveLogonRight".
Requirements
REQ UIREM EN T VA L UE
Header
Ntsecapi.h
App Container SID Constants
3/5/2021 • 2 minutes to read • Edit Online
The app container specific SID constants dictate the application package authority. While a developer can use
these constants directly, most developers do not need to define these app container SIDs.
**SECURITY\_APP\_PACKAGE\_AUTHORITY** ({0,0,0,0,0,15})
**SECURITY\_APP\_PACKAGE\_BASE\_RID** (0x00000002L)
**SECURITY\_BUILTIN\_APP\_PACKAGE\_RID\_COUNT** (2L)
**SECURITY\_APP\_PACKAGE\_RID\_COUNT** (8L)
**SECURITY\_CAPABILITY\_BASE\_RID** (0x00000003L)
**SECURITY\_BUILTIN\_CAPABILITY\_RID\_COUNT** (2L)
**SECURITY\_CAPABILITY\_RID\_COUNT** (5L)
**SECURITY\_BUILTIN\_PACKAGE\_ANY\_PACKAGE** (0x00000001L)
Requirements
REQ UIREM EN T VA L UE
Header
Winnt.h
Auditing Constants
3/5/2021 • 2 minutes to read • Edit Online
Requirements
REQ UIREM EN T VA L UE
Header
Ntsecapi.h
Capability SID Constants
3/5/2021 • 2 minutes to read • Edit Online
The capability SID constants define for applications well-known capabilities by using the
AllocateAndInitializeSid function.
SECURITY_CAPABILITY_INTERNET_CLIENT
(0x00000001L)
An account has access to the Internet from a client computer.
SECURITY_CAPABILITY_INTERNET_CLIENT_SERVER
(0x00000002L)
An account has access to the Internet from the client and server computers.
SECURITY_CAPABILITY_PRIVATE_NETWORK_CLIENT_SERVER
(0x00000003L)
An account has access to the Internet from a private network.
SECURITY_CAPABILITY_PICTURES_LIBRARY
(0x00000004L)
An account has access to the pictures library.
SECURITY_CAPABILITY_VIDEOS_LIBRARY
(0x00000005L)
An account has access to the videos library.
SECURITY_CAPABILITY_MUSIC_LIBRARY
(0x00000006L)
An account has access to the music library.
SECURITY_CAPABILITY_DOCUMENTS_LIBRARY
(0x00000007L)
An account has access to the documentation library.
SECURITY_CAPABILITY_ENTERPRISE_AUTHENTICATION
(0x00000008L)
An account has access to the default Windows credentials.
SECURITY_CAPABILITY_SHARED_USER_CERTIFICATES
(0x00000009L)
An account has access to the shared user certificates.
SECURITY_CAPABILITY_REMOVABLE_STORAGE
(0x0000000AL)
An account has access to removable storage.
Remarks
When constructing a capability SID, you need to include the package authority,
SECURITY_APP_PACKAGE_AUTHORITY {0,0,0,0,0,15}, in the call to the AllocateAndInitializeSid function.
Additionally, you need the base RID and RID count for the built-in capabilities, SECURITY_CAPABILITY_BASE_RID
(0x00000003L) and SECURITY_BUILTIN_CAPABILITY_RID_COUNT (2L).
Requirements
REQ UIREM EN T VA L UE
Header
Winnt.h
Privilege Constants (Authorization)
4/30/2021 • 6 minutes to read • Edit Online
Privileges determine the type of system operations that a user account can perform. An administrator assigns
privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups
to which the user belongs.
The functions that get and adjust the privileges in an access token use the locally unique identifier (LUID) type to
identify privileges. Use the LookupPrivilegeValue function to determine the LUID on the local system that
corresponds to a privilege constant. Use the LookupPrivilegeName function to convert a LUID to its
corresponding string constant.
The operating system represents a privilege by using the string that follows "User Right" in the Description
column of the following table. The operating system displays the user right strings in the Policy column of the
User Rights Assignment node of the Local Security Settings Microsoft Management Console (MMC) snap-in.
Example
BOOL EnablePrivilege()
{
LUID PrivilegeRequired ;
BOOL bRes = FALSE;
// ...
return bRes;
}
Constants
C O N STA N T / VA L UE DESC RIP T IO N
Required to impersonate.
SE_IMPERSONATE_NAME User Right: Impersonate a client after authentication.
TEXT("SeImpersonatePrivilege")
Remarks
Privilege constants are defined as strings in Winnt.h. For example, the SE_AUDIT_NAME constant is defined as
"SeAuditPrivilege".
Requirements
REQ UIREM EN T VA L UE
Header
Winnt.h
See also
Privileges
Authorization Data Types
3/5/2021 • 2 minutes to read • Edit Online
In this section
TO P IC DESC RIP T IO N
The ACCESS_MASK data type is a DWORD value that defines standard, specific, and generic rights. These
rights are used in access control entries (ACEs) and are the primary means of specifying the requested or
granted access to an object.
Remarks
The bits in this value are allocated as follows.
B IT S M EA N IN G
26 27 Reserved.
Standard rights bits, 16 to 23, contain the object's standard access rights and can be a combination of the
following predefined flags.
B IT FLAG M EA N IN G
The following constants defined in Winnt.h represent the specific and standard access rights.
Requirements
REQ UIREM EN T VA L UE
Header
Winnt.h (include Windows.h)
See also
Access Control
Basic Access Control Structures
Access Rights and Access Masks
GENERIC_MAPPING
SECURITY_DESCRIPTOR_CONTROL
3/5/2021 • 4 minutes to read • Edit Online
The SECURITY_DESCRIPTOR_CONTROL data type is a set of bit flags that qualify the meaning of a security
descriptor or its components. Each security descriptor has a Control member that stores the
SECURITY_DESCRIPTOR_CONTROL bits.
Remarks
To get the control bits of a security descriptor, call the GetSecurityDescriptorControl function. To set the
control bits of a security descriptor, use the functions for modifying security descriptors. For a list of these
functions, see the See Also section.
Applications can use the SetSecurityDescriptorControl function to set the control bits that relate to
automatic inheritance of ACEs.
The control value retrieved by the GetSecurityDescriptorControl function can include a combination of the
following SECURITY_DESCRIPTOR_CONTROL bit flags.
VA L UE M EA N IN G
SE_OWNER_DEFAULTED Indicates that the SID of the owner of the security descriptor
0x0001 was provided by a default mechanism. This flag can be used
by a resource manager to identify objects whose owner was
set by a default mechanism. To set this flag, use the
SetSecurityDescriptorOwner function.
Requirements
REQ UIREM EN T VA L UE
Header
Winnt.h (include Windows.h)
See also
Low-level Access Control
Basic Access Control Structures
Conver tToAutoInheritPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
SetSecurityDescriptorControl
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorSacl
SECURITY_INFORMATION
3/5/2021 • 2 minutes to read • Edit Online
The SECURITY_INFORMATION data type identifies the object-related security information being set or
queried. This security information includes:
The owner of an object
The primary group of an object
The discretionary access control list (DACL) of an object
The system access control list (SACL) of an object
Remarks
Some SECURITY_INFORMATION members work only with the SetNamedSecurityInfo function. These
members are not returned in the structure returned by other security functions such as
GetNamedSecurityInfo or Conver tStringSecurityDescriptorToSecurityDescriptor .
Each item of security information is designated by a bit flag. Each bit flag can be one of the following values. For
more information, see the SetSecurityAccessMask and Quer ySecurityAccessMask functions.
BACKUP_SECURITY_INFORMATION All parts of the security descriptor. This is useful for backup
Right required to query: READ_CONTROL and and restore software that needs to preserve the entire
ACCESS_SYSTEM_SECURITY security descriptor.
Right required to set: WRITE_DAC and WRITE_OWNER Windows Ser ver 2008 R2, Windows 7, Windows
and ACCESS_SYSTEM_SECURITY Ser ver 2008, Windows Vista, Windows Ser ver 2003
and Windows XP: This bit flag is not available.
Requirements
REQ UIREM EN T VA L UE
Header
Winnt.h (include Windows.h)
See also
Access Control
Basic Access Control Structures
Conver tSecurityDescriptorToStringSecurityDescriptor
Conver tStringSecurityDescriptorToSecurityDescriptor
GetFileSecurity
GetKernelObjectSecurity
GetNamedSecurityInfo
GetPrivateObjectSecurity
GetSecurityInfo
GetUserObjectSecurity
Quer ySecurityAccessMask
SetFileSecurity
SetKernelObjectSecurity
SetNamedSecurityInfo
SetPrivateObjectSecurity
SetSecurityAccessMask
SetSecurityInfo
SetUserObjectSecurity
TreeResetNamedSecurityInfo
TreeSetNamedSecurityInfo
Authorization Enumerations
3/5/2021 • 2 minutes to read • Edit Online
In this section
TO P IC DESC RIP T IO N
ACL_INFORMATION_CL ASS Contains values that specify the type of information being
assigned to or retrieved from an access control list (ACL).
AUDIT_EVENT_TYPE Defines values that indicate the type of object being audited.
The AccessCheckByTypeAndAuditAlarm and
AccessCheckByTypeResultListAndAuditAlarm functions
use these values.
PROG_INVOKE_SETTING Indicates the initial setting of the function used to track the
progress of a call to the TreeSetNamedSecurityInfo or
TreeResetNamedSecurityInfo function.
TOKEN_INFORMATION_CL ASS Contains values that specify the type of information being
assigned to or retrieved from an access token.
In this section
TO P IC DESC RIP T IO N
AuditLookupCategor yGuidFromCategor yId Retrieves a GUID structure that represents the specified
audit-policy category.
AuditQuer yGlobalSacl retrieves a global system access control list (SACL) that
delegates access to the audit messages.
AuditQuer ySystemPolicy Retrieves system audit policy for one or more audit-policy
subcategories.
TO P IC DESC RIP T IO N
AuditSetGlobalSacl sets a global system access control list (SACL) that delegates
access to the audit messages.
AuthzEnumerateSecurityEventSources Retrieves the registered security event sources that are not
installed by default.
AuthzFreeCentralAccessPolicyCache Decreases the CAP cache reference count by one so that the
CAP cache can be deallocated.
AuthzFreeContext Frees all structures and memory associated with the client
context. The list of handles for a client is freed in this call.
AuthzInitializeCompoundContext creates a user-mode context from the given user and device
security contexts.
AuthzOpenObjectAudit Reads the system access control list (SACL) of the specified
security descriptor and generates any appropriate audits
specified by that SACL.
TO P IC DESC RIP T IO N
AuthzUninstallSecurityEventSource Removes the specified source from the list of valid security
event sources.
Conver tToAutoInheritPrivateObjectSecurity Converts a security descriptor and its access control lists
(ACLs) to a format that supports automatic propagation of
inheritable access control entries (ACEs).
CreateSecurityPage Creates a basic security property page that enables the user
to view and edit the access rights allowed or denied by the
access control entries (ACEs) in an object's discretionary
access control list (DACL).
EqualDomainSid Determines whether two SIDs are from the same domain.
EqualSid Tests two security identifier (SID) values for equality. Two
SIDs must match exactly to be considered equal.
GetAppContainerNamedObjectPath Retrieves the named object path for the app container.
LookupAccountSidLocal Retrieves the name of the account for the specified SID on
the local machine.
Quer ySer viceObjectSecurity Retrieves a copy of the security descriptor associated with a
service object.
SetUserObjectSecurity Sets the security of a user object. This can be, for example, a
window or a DDE conversation.
Syntax
BOOL CALLBACK AuthzAccessCheckCallback(
_In_ AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
_In_ PACE_HEADER pAce,
_In_opt_ PVOID pArgs,
_Inout_ PBOOL pbAceApplicable
);
Parameters
hAuthzClientContext [in]
A handle to a client context.
pAce [in]
A pointer to the ACE to evaluate for inclusion in the call to the AuthzAccessCheck function.
pArgs [in, optional]
Data passed in the DynamicGroupArgs parameter of the call to AuthzAccessCheck or
AuthzCachedAccessCheck .
pbAceApplicable [in, out]
A pointer to a Boolean variable that receives the results of the evaluation of the logic defined by the application.
The results are TRUE if the logic determines that the ACE is applicable and will be included in the call to
AuthzAccessCheck ; otherwise, the results are FALSE .
Return value
If the function succeeds, the function returns TRUE .
If the function is unable to perform the evaluation, it returns FALSE . Use SetLastError to return an error to the
access check function.
Remarks
Security attribute variables must be present in the client context if referred to in a conditional expression,
otherwise the conditional expression term referencing them will evaluate to unknown.
For more information, see the How AccessCheck Works and Centralized Authorization Policy overviews.
Requirements
REQ UIREM EN T VA L UE
See also
Basic Access Control Functions
Centralized Authorization Policy
How AccessCheck Works
AuthzAccessCheck
AuthzCachedAccessCheck
AuthzInitializeRemoteResourceManager
AuthzInitializeResourceManager
AuthzComputeGroupsCallback callback function
3/5/2021 • 2 minutes to read • Edit Online
Syntax
BOOL CALLBACK AuthzComputeGroupsCallback(
_In_ AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
_In_ PVOID Args,
_Out_ PSID_AND_ATTRIBUTES *pSidAttrArray,
_Out_ PDWORD pSidCount,
_Out_ PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray,
_Out_ PDWORD pRestrictedSidCount
);
Parameters
hAuthzClientContext [in]
A handle to a client context.
Args [in]
Data passed in the DynamicGroupArgs parameter of a call to the AuthzInitializeContextFromAuthzContext ,
AuthzInitializeContextFromSid , or AuthzInitializeContextFromToken function.
pSidAttrArray [out]
A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures.
These structures represent the groups to which the client belongs.
pSidCount [out]
The number of structures in pSidAttrArray.
pRestrictedSidAttrArray [out]
A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures.
These structures represent the groups from which the client is restricted.
pRestrictedSidCount [out]
The number of structures in pSidRestrictedAttrArray.
Return value
If the function successfully returns a list of SIDs, the return value is TRUE .
If the function fails, the return value is FALSE .
Remarks
Applications can also add SIDs to the client context by calling AuthzAddSidsToContext .
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.
Requirements
REQ UIREM EN T VA L UE
See also
Basic Access Control Functions
AuthzAddSidsToContext
AuthzCachedAccessCheck
AuthzInitializeContextFromAuthzContext
AuthzInitializeContextFromSid
AuthzInitializeContextFromToken
AuthzInitializeResourceManager
SID_AND_ATTRIBUTES
AuthzFreeCentralAccessPolicyCallback callback
function
3/5/2021 • 2 minutes to read • Edit Online
Syntax
BOOL CALLBACK AuthzFreeCentralAccessPolicyCallback(
_In_ PVOID pCentralAccessPolicy
);
Parameters
pCentralAccessPolicy [in]
Pointer to the central access policy to be freed.
Return value
If the function succeeds, the function returns TRUE .
If the function is unable to perform the evaluation, it returns FALSE . Use SetLastError to return an error to the
access check function.
See also
AUTHZ_INIT_INFO
AuthzGetCentralAccessPolicyCallback
AuthzFreeGroupsCallback callback function
3/5/2021 • 2 minutes to read • Edit Online
The AuthzFreeGroupsCallback function is an application-defined function that frees memory allocated by the
AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-
defined function name.
Syntax
void CALLBACK AuthzFreeGroupsCallback(
_In_ PSID_AND_ATTRIBUTES pSidAttrArray
);
Parameters
pSidAttrArray [in]
A pointer to memory allocated by AuthzComputeGroupsCallback .
Return value
This callback function does not return a value.
Remarks
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.
Requirements
REQ UIREM EN T VA L UE
See also
Basic Access Control Functions
AuthzComputeGroupsCallback
AuthzGetCentralAccessPolicyCallback callback
function
3/5/2021 • 2 minutes to read • Edit Online
Syntax
BOOL CALLBACK AuthzGetCentralAccessPolicyCallback (
_In_ AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
_In_ PSID capid,
_In_opt_ PVOID pArgs,
_Out_ PBOOL pCentralAccessPolicyApplicable,
_Out_ PVOID ppCentralAccessPolicy
);
Parameters
hAuthzClientContext [in]
Handle to the client context.
capid [in]
ID of the central access policy to retrieve.
pArgs [in, optional]
Optional arguments that were passed to the AuthzAccessCheck function through the OptionalArguments
member of the AUTHZ_ACCESS_REQUEST structure.
pCentralAccessPolicyApplicable [out]
Pointer to a Boolean value that the resource manager uses to indicate whether a central access policy should be
used during access evaluation.
ppCentralAccessPolicy [out]
Pointer to the central access policy (CAP) to be used for evaluating access. If this value is NULL , the default CAP
is applied.
Return value
If the function succeeds, the function returns TRUE .
If the function is unable to perform the evaluation, it returns FALSE . Use SetLastError to return an error to the
access check function.
Requirements
REQ UIREM EN T VA L UE
See also
AUTHZ_ACCESS_REQUEST
AUTHZ_INIT_INFO
AuthzAccessCheck
BuildImpersonateExplicitAccessWithName function
3/5/2021 • 2 minutes to read • Edit Online
The NtCompareTokens function compares two access tokens and determines whether they are equivalent
with respect to a call to the AccessCheck function.
Syntax
NTSTATUS NTAPI NtCompareTokens(
_In_ HANDLE FirstTokenHandle,
_In_ HANDLE SecondTokenHandle,
_Out_ PBOOLEAN Equal
);
Parameters
FirstTokenHandle [in]
A handle to the first access token to compare. The token must be open for TOKEN_QUERY access.
SecondTokenHandle [in]
A handle to the second access token to compare. The token must be open for TOKEN_QUERY access.
Equal [out]
A pointer to a variable that receives a value that indicates whether the tokens represented by the
FirstTokenHandle and SecondTokenHandle parameters are equivalent.
Return value
If the function succeeds, the function returns STATUS_SUCCESS.
If the function fails, it returns an NTSTATUS error code.
Remarks
Two access control tokens are considered to be equivalent if all of the following conditions are true:
Every security identifier (SID) that is present in either token is also present in the other token.
Neither or both of the tokens are restricted.
If both tokens are restricted, every SID that is restricted in one token is also restricted in the other token.
Every privilege present in either token is also present in the other token.
This function has no associated import library or header file; you must call it using the LoadLibrar y and
GetProcAddress functions.
Requirements
REQ UIREM EN T VA L UE
Header
Ntseapi.h
DLL
Ntdll.dll
Authorization Interfaces
3/5/2021 • 3 minutes to read • Edit Online
In this section
TO P IC DESC RIP T IO N
IAzObjectPicker Displays a dialog box that allows users to select one or more
principals from a list.
ISecurityInformation4 Enables the access control editor (ACE) to obtain the share's
security descriptor to initialize the share page.
In this section
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddProper tyItem Method
CreateApplicationGroup Method
CreateOperation Method
CreateRole Method
CreateScope Method
CreateTask Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeleteOperation Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeleteProper tyItem Method
DeleteRole Method
DeleteScope Method
DeleteTask Method
GetProper ty Method
InitializeClientContextFromName Method
InitializeClientContextFromStringSid Method
InitializeClientContextFromToken Method
OpenApplicationGroup Method
OpenOperation Method
OpenRole Method
OpenScope Method
OpenTask Method
SetProper ty Method
Submit Method
IAzApplication Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
ApplicationData Proper ty
ApplicationGroups Proper ty
ApplyStoreSacl Proper ty
AuthzInterfaceClsid Proper ty
DelegatedPolicyUsers Proper ty
DelegatedPolicyUsersName Proper ty
Description Proper ty
GenerateAudits Proper ty
Name Proper ty
Operations Proper ty
PolicyAdministrators Proper ty
PolicyAdministratorsName Proper ty
PolicyReaders Proper ty
PolicyReadersName Proper ty
Roles Proper ty
Scopes Proper ty
Tasks Proper ty
Version Proper ty
Writable Proper ty
IAzApplication2 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
InitializeClientContext2 Method
InitializeClientContextFromToken2 Method
IAzApplication3 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
CreateRoleAssignment Method
CreateRoleDefinition Method
CreateScope2 Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
DeleteScope2 Method
OpenRoleAssignment Method
OpenRoleDefinition Method
OpenScope2 Method
ScopeExists Method
IAzApplication3 Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
BizRulesEnabled Proper ty
RoleAssignments Proper ty
RoleDefinitions Proper ty
IAzApplications Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
_NewEnum Proper ty
IAzApplicationGroup Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddAppMember Method
AddAppNonMember Method
AddMember Method
AddMemberName Method
AddNonMember Method
AddNonMemberName Method
AddProper tyItem Method
DeleteAppMember Method
DeleteAppNonMember Method
DeleteMember Method
DeleteMemberName Method
DeleteNonMember Method
DeleteNonMemberName Method
DeleteProper tyItem Method
GetProper ty Method
SetProper ty Method
Submit Method
IAzApplicationGroup Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
AppMembers Proper ty
AppNonMembers Proper ty
Description Proper ty
LdapQuer y Proper ty
Members Proper ty
MembersName Proper ty
Name Proper ty
NonMembers Proper ty
NonMembersName Proper ty
Type Proper ty
Writable Proper ty
IAzApplicationGroup2 Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
BizRule Proper ty
BizRuleImpor tedPath Proper ty
BizRuleLanguage Proper ty
RoleAssignments Proper ty
IAzApplicationGroups Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
_NewEnum Proper ty
IAzAuthorizationStore Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddProper tyItem Method
CloseApplication Method
CreateApplication Method
CreateApplicationGroup Method
Delete Method
DeleteApplication Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeleteProper tyItem Method
GetProper ty Method
Initialize Method
OpenApplication Method
OpenApplicationGroup Method
SetProper ty Method
Submit Method
UpdateCache Method
IAzAuthorizationStore Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
ApplicationData Proper ty
ApplicationGroups Proper ty
Applications Proper ty
ApplyStoreSacl Proper ty
DelegatedPolicyUsers Proper ty
DelegatedPolicyUsersName Proper ty
Description Proper ty
DomainTimeout Proper ty
GenerateAudits Proper ty
MaxScriptEngines Proper ty
PolicyAdministrators Proper ty
PolicyAdministratorsName Proper ty
PolicyReaders Proper ty
PolicyReadersName Proper ty
ScriptEngineTimeout Proper ty
TargetMachine Proper ty
Writable Proper ty
IAzAuthorizationStore2 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
CreateApplication2 Method
OpenApplication2 Method
IAzAuthorizationStore3 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
BizruleGroupSuppor ted Method
GetSchemaVersion Method
IsFunctionalLevelUpgradeSuppor ted Method
IsUpdateNeeded Method
UpgradeStoresFunctionalLevel Method
IAzBizRuleContext Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
BusinessRuleResult Proper ty
BusinessRuleString Proper ty
GetParameter Method
IAzBizRuleInterfaces Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddInterface Method
AddInterfaces Method
GetInterfaceValue Method
Remove Method
RemoveAll Method
IAzBizRuleInterfaces Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
IAzBizRuleParameters Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddParameter Method
AddParameters Method
GetParameterValue Method
Remove Method
RemoveAll Method
IAzBizRuleParameters Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
IAzClientContext Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AccessCheck Method
GetBusinessRuleString Method
GetProper ty Method
GetRoles Method
IAzClientContext Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
RoleForAccessCheck Proper ty
UserCanonical Proper ty
UserDisplay Proper ty
UserDn Proper ty
UserDnsSamCompat Proper ty
UserGuid Proper ty
UserSamCompat Proper ty
UserUpn Proper ty
IAzClientContext2 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddApplicationGroups Method
AddRoles Method
AddStringSids Method
GetAssignedScopesPage Method
IAzClientContext2 Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
LDAPQuer yDN Proper ty
IAzClientContext3 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AccessCheck2 Method
GetGroups Method
GetOperations Method
GetTasks Method
IsInRoleAssignment Method
IAzClientContext3 Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
BizRuleInterfaces Proper ty
BizRuleParameters Proper ty
Sids Proper ty
IAzNameResolver Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
NameFromSid Method
NamesFromSids Method
IAzObjectPicker Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
GetPrincipals Method
Name Proper ty
IAzOperation Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
GetProper ty Method
SetProper ty Method
Submit Method
IAzOperation Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
ApplicationData Proper ty
Description Proper ty
Name Proper ty
OperationID Proper ty
Writable Proper ty
IAzOperation2 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
RoleAssignments Method
IAzOperations Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
_NewEnum Proper ty
IAzPrincipalLocator Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
NameResolver Proper ty
ObjectPicker Proper ty
IAzRole Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddAppMember Method
AddMember Method
AddMemberName Method
AddOperation Method
AddProper tyItem Method
AddTask Method
DeleteAppMember Method
DeleteMember Method
DeleteMemberName Method
DeleteOperation Method
DeleteProper tyItem Method
DeleteTask Method
GetProper ty Method
SetProper ty Method
Submit Method
IAzRole Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
ApplicationData Proper ty
AppMembers Proper ty
Description Proper ty
Members Proper ty
MembersName Proper ty
Name Proper ty
Operations Proper ty
Tasks Proper ty
Writable Proper ty
IAzRoleAssignment Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleAssignment Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
RoleDefinitions Proper ty
Scope Proper ty
IAzRoleAssignments Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
_NewEnum Proper ty
IAzRoleDefinition Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleDefinition Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
RoleAssignments Proper ty
RoleDefinitions Proper ty
IAzRoleDefinitions Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
_NewEnum Proper ty
IAzRoles Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
_NewEnum Proper ty
IAzScope Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddProper tyItem Method
CreateApplicationGroup Method
CreateRole Method
CreateTask Method
DeleteApplicationGroup Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeleteProper tyItem Method
DeleteRole Method
DeleteTask Method
GetProper ty Method
OpenApplicationGroup Method
OpenRole Method
OpenTask Method
SetProper ty Method
Submit Method
IAzScope Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
ApplicationData Proper ty
ApplicationGroups Proper ty
BizrulesWritable Proper ty
CanBeDelegated Proper ty
Description Proper ty
Name Proper ty
PolicyAdministrators Proper ty
PolicyAdministratorsName Proper ty
PolicyReaders Proper ty
PolicyReadersName Proper ty
Roles Proper ty
Tasks Proper ty
Writable Proper ty
IAzScope2 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
CreateRoleAssignment Method
CreateRoleDefinition Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
OpenRoleAssignment Method
OpenRoleDefinition Method
IAzScope2 Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
RoleAssignments Proper ty
RoleDefinitions Proper ty
IAzScopes Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
NewEnum Proper ty
IAzTask Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
AddOperation Method
AddProper tyItem Method
AddTask Method
DeleteOperation Method
DeleteProper tyItem Method
DeleteTask Method
GetProper ty Method
SetProper ty Method
Submit Method
IAzTask Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
ApplicationData Proper ty
BizRule Proper ty
BizRuleImpor tedPath Proper ty
BizRuleLanguage Proper ty
Description Proper ty
IsRoleDefinition Proper ty
Name Proper ty
Operations Proper ty
Tasks Proper ty
Writable Proper ty
IAzTask2 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
RoleAssignments Method
IAzTasks Properties
3/5/2021 • 2 minutes to read • Edit Online
In this section
Count Proper ty
Item Proper ty
_NewEnum Proper ty
IeAxiService interface
3/5/2021 • 2 minutes to read • Edit Online
The IAxiSer vice interface initializes a system service object to install an ActiveX object when the current user
does not have permission to install the object.
The CIeAxiInstallerSer vice class implements this interface.
This interface is not declared in a public header. Applications must define it themselves. The following Interface
Definition Language (IDL) fragment describes this interface, including its IID.
[
object,
uuid(E9E92380-9ECD-4982-A0EB-6815A56CCF27),
pointer_default(unique)
]
HRESULT Initialize(
[in] HWND hwndParent,
[in] DWORD dwClientPID,
[in] BSTR bstrDesktop,
[in] BSTR bstrClsID,
[in] BSTR bstrURL,
[out] BSTR * pbstrNonce,
[out] IUnknown** ppISyncBrokerInterface
);
HRESULT Cleanup();
};
Members
The IeAxiSer vice interface inherits from the IUnknown interface. IeAxiSer vice also has these types of
members:
Methods
Methods
The IeAxiSer vice interface has these methods.
M ET H O D DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
In this section
Cleanup Method
Initialize Method
IeAxiService::Cleanup method
3/5/2021 • 2 minutes to read • Edit Online
The Cleanup method frees resources used by the IeAxiSer vice interface.
Syntax
HRESULT Cleanup();
Parameters
This method has no parameters.
Return value
If the method succeeds, the method returns S_OK.
If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see
Common HRESULT Values.
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
See also
IeAxiSer vice
IeAxiService::Initialize method
3/5/2021 • 2 minutes to read • Edit Online
The Initialize method checks and downloads an ActiveX object. If the object meets policy requirements, this
method initializes a system object that installs the ActiveX object.
Syntax
SECURITY_STATUS Initialize(
[in] HWND hwndParent,
[in] DWORD dwClientPID,
[in] BSTR bstrDesktop,
[in] BSTR bstrClsID,
[in] BSTR bstrURL,
[out] BSTR *pbstrNonce,
[out] IUnknown **ppISyncBrokerInterface
);
Parameters
hwndParent [in]
A handle to the parent window of the window that is attempting to install the ActiveX control.
dwClientPID [in]
The process ID of the calling process.
bstrDesktop [in]
The desktop for the object.
bstrClsID [in]
The class ID of the ActiveX object to install.
bstrURL [in]
The URL of the ActiveX object to install.
pbstrNonce [out]
A context that can be used to share state information in calls to other methods used to verify and download the
ActiveX object.
ppISyncBrokerInterface [out]
A pointer to the instance of the IeAxiSystemInstaller interface that installs the ActiveX control.
Return value
If the function succeeds, the return value is S_OK.
If the function fails, the return value can be one of the following error codes.
RET URN C O DE/ VA L UE DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
See also
IeAxiSer vice
IeAxiServiceCallback interface
3/5/2021 • 2 minutes to read • Edit Online
The IeAxiSer viceCallback interface is called by the IeAxiSystemInstaller interface to verify that an ActiveX
object can be installed.
The CIeAxiInstallerSer vice class implements this interface.
This interface is not declared in a public header. Applications must define it themselves. The following Interface
Definition Language (IDL) fragment describes this interface, including its IID.
[
object,
uuid(1823E7BA-EC36-447a-9B2E-B4912E15AFE7),
dual,
nonextensible,
pointer_default(unique)
]
Members
The IeAxiSer viceCallback interface inherits from the IUnknown interface. IeAxiSer viceCallback also has
these types of members:
Methods
Methods
The IeAxiSer viceCallback interface has these methods.
M ET H O D DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
In this section
VerifyFile Method
IeAxiServiceCallback::VerifyFile method
3/5/2021 • 2 minutes to read • Edit Online
The VerifyFile method performs security checks on the specified ActiveX object and returns the location where
the corresponding .cab file was downloaded.
Syntax
HRESULT VerifyFile(
[in] BSTR bstrFileUrl,
[out] BSTR *bstrApprovedFileName
);
Parameters
bstrFileUrl [in]
The URL of the ActiveX object to check.
bstrApprovedFileName [out]
The name of the file where the .cab file associated with the ActiveX object was downloaded.
Return value
If the method succeeds, the method returns S_OK.
If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see
Common HRESULT Values.
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
See also
IeAxiSer viceCallback
IeAxiSystemInstaller interface
3/5/2021 • 2 minutes to read • Edit Online
[
object,
uuid(a50ea6f8-4764-4299-b309-022b2a8b4d8d),
]
interface IeAxiSystemInstaller : IUnknown
{
Members
The IeAxiSystemInstaller interface inherits from the IUnknown interface. IeAxiSystemInstaller also has
these types of members:
Methods
Methods
The IeAxiSystemInstaller interface has these methods.
M ET H O D DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
In this section
InitializeSystemInstaller Method
IeAxiSystemInstaller::InitializeSystemInstaller
method
3/5/2021 • 2 minutes to read • Edit Online
Syntax
HRESULT InitializeSystemInstaller(
[in] BSTR bstrUrl,
[in] DWORD dwClientPID,
[in] IUnknown *pCallback,
[out] BSTR *pbstrNonce
);
Parameters
bstrUrl [in]
The URL of the ActiveX object to install.
dwClientPID [in]
The process ID of the calling process.
pCallback [in]
A pointer to an instance of the IeAxiSer viceCallback interface that verifies whether the ActiveX object is
allowed to be installed.
pbstrNonce [out]
A context that can be used to share state information in calls to other methods used to verify and download the
ActiveX object.
Return value
If the method succeeds, the method returns S_OK.
If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see
Common HRESULT Values.
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
See also
IeAxiSystemInstaller
IEffectivePermission Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
GetEffectivePermission Method
ISecurityInformation Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
GetAccessRights Method
GetInheritTypes Method
GetObjectInformation Method
GetSecurity Method
MapGeneric Method
Proper tySheetPageCallback Method
SetSecurity Method
ISecurityInformation2 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
IsDaclCanonical Method
LookupSids Method
ISecurityInformation3 Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
GetFullResourceName Method
OpenElevatedEditor Method
ISecurityObjectTypeInfo Methods
3/5/2021 • 2 minutes to read • Edit Online
In this section
GetInheritSource Method
Authorization Objects
3/5/2021 • 2 minutes to read • Edit Online
In this section
TO P IC DESC RIP T IO N
The CIeAxiInstallerSer vice object implements the IAxiSer vice and IeAxiSer viceCallback interfaces.
This object is not declared in a public header. Applications must define it themselves. The following Interface
Definition Language (IDL) fragment describes this object, including its CLSID.
[
uuid(90F18417-F0F1-484E-9D3C-59DCEEE5DBD8)
]
coclass CIeAxiInstallerService
{
[default] interface IeAxiService;
interface IeAxiServiceCallback;
}
Requirements
REQ UIREM EN T VA L UE
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows
Vista Ultimate [desktop apps only]
See also
IAxiSer vice
IeAxiSer viceCallback
Authorization Structures
3/5/2021 • 6 minutes to read • Edit Online
In this section
TO P IC DESC RIP T IO N
ACE_HEADER Defines the type and size of an access control entry (ACE).
AUDIT_POLICY_INFORMATION Specifies a security event type and when to audit that type.
TO P IC DESC RIP T IO N
SYSTEM_AUDIT_ACE Defines an access control entry (ACE) for the system access
control list (SACL) that specifies what types of access cause
system-level notifications.
SYSTEM_MANDATORY_L ABEL_ACE Defines an access control entry (ACE) for the system access
control list (SACL) that specifies the mandatory access level
and policy for a securable object.
SYSTEM_RESOURCE_ATTRIBUTE_ACE Defines an access control entry (ACE) for the system access
control list (SACL) that specifies the system resource
attributes for a securable object.
SYSTEM_SCOPED_POLICY_ID_ACE Defines an access control entry (ACE) for the system access
control list (SACL) that specifies the scoped policy identifier
for a securable object.
TOKEN_OWNER Contains the default owner security identifier (SID) that will
be applied to newly created objects.
NOTE
Each ACE starts with an ACE_HEADER structure. The format of the data following the header varies according to the
ACE type specified in the header.
Requirements
REQ UIREM EN T VA L UE
Header
Winnt.h (include Windows.h)
See also
AddAce
ACCESS_ALLOWED_ACE
ACCESS_DENIED_ACE
ACL
SYSTEM_AL ARM_ACE
SYSTEM_AUDIT_ACE
Microsoft.Interop.Security.AzRoles Assembly
3/5/2021 • 2 minutes to read • Edit Online
The following Authorization interoperability wrapper methods and objects are documented under the COM
version of the method or object. A link to the correlating COM documentation follows each member name.
Members
The Microsoft.Interop.Security.AzRoles.IAzApplication interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplication interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication.Ad IAzApplication::AddDelegatedPolicyUser
dDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication.Ad IAzApplication::AddDelegatedPolicyUserName
dDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication.Ad IAzApplication::AddPolicyAdministrator
dPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication.Ad IAzApplication::AddPolicyAdministratorName
dPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication.Ad IAzApplication::AddPolicyReader
dPolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication.Ad IAzApplication::AddPolicyReaderName
dPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication.Cre IAzApplication::CreateApplicationGroup
ateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication.Cre IAzApplication::CreateOperation
ateOperation
Microsoft.Interop.Security.Azroles.IAzApplication.Cre IAzApplication::CreateRole
ateRole
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication.Cre IAzApplication::CreateScope
ateScope
Microsoft.Interop.Security.Azroles.IAzApplication.Cre IAzApplication::CreateTask
ateTask
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeleteApplicationGroup
eteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeleteDelegatedPolicyUser
eteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeleteDelegatedPolicyUserName
eteDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeleteOperation
eteOperation
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeletePolicyAdministrator
etePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeletePolicyAdministratorName
etePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeletePolicyReader
etePolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeletePolicyReaderName
etePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeleteRole
eteRole
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeleteScope
eteScope
Microsoft.Interop.Security.Azroles.IAzApplication.Del IAzApplication::DeleteTask
eteTask
Microsoft.Interop.Security.Azroles.IAzApplication.Get IAzApplication::GetProper ty
Proper ty
Microsoft.Interop.Security.Azroles.IAzApplication.Init IAzApplication::InitializeClientContextFromName
ializeClientContextFromName
Microsoft.Interop.Security.Azroles.IAzApplication.Init IAzApplication::InitializeClientContextFromStringSid
ializeClientContextFromStringSid
Microsoft.Interop.Security.Azroles.IAzApplication.Init IAzApplication::InitializeClientContextFromToken
ializeClientContextFromToken
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication.Op IAzApplication::OpenApplicationGroup
enApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication.Op IAzApplication::OpenOperation
enOperation
Microsoft.Interop.Security.Azroles.IAzApplication.Op IAzApplication::OpenRole
enRole
Microsoft.Interop.Security.Azroles.IAzApplication.Op IAzApplication::OpenScope
enScope
Microsoft.Interop.Security.Azroles.IAzApplication.Op IAzApplication::OpenTask
enTask
Microsoft.Interop.Security.Azroles.IAzApplication.Set IAzApplication::SetProper ty
Proper ty
Microsoft.Interop.Security.Azroles.IAzApplication.Sub IAzApplication::Submit
mit
Properties
The Microsoft.Interop.Security.AzRoles.IAzApplication interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzApplication2
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzApplication2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplication2 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication2.A IAzApplication::AddDelegatedPolicyUser
ddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication2.A IAzApplication::AddDelegatedPolicyUserName
ddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication2.A IAzApplication::AddPolicyAdministrator
ddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication2.A IAzApplication::AddPolicyAdministratorName
ddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication2.A IAzApplication::AddPolicyReader
ddPolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication2.A IAzApplication::AddPolicyReaderName
ddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication2.Cr IAzApplication::CreateApplicationGroup
eateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication2.Cr IAzApplication::CreateOperation
eateOperation
Microsoft.Interop.Security.Azroles.IAzApplication2.Cr IAzApplication::CreateRole
eateRole
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication2.Cr IAzApplication::CreateScope
eateScope
Microsoft.Interop.Security.Azroles.IAzApplication2.Cr IAzApplication::CreateTask
eateTask
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeleteApplicationGroup
eleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeleteDelegatedPolicyUser
eleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeleteDelegatedPolicyUserName
eleteDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeleteOperation
eleteOperation
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeletePolicyAdministrator
eletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeletePolicyAdministratorName
eletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeletePolicyReader
eletePolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeletePolicyReaderName
eletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeleteRole
eleteRole
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeleteScope
eleteScope
Microsoft.Interop.Security.Azroles.IAzApplication2.D IAzApplication::DeleteTask
eleteTask
Microsoft.Interop.Security.Azroles.IAzApplication2.G IAzApplication::GetProper ty
etProper ty
Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication2::InitializeClientContext2
itializeClientContext2
Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication::InitializeClientContextFromName
itializeClientContextFromName
Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication::InitializeClientContextFromStringSid
itializeClientContextFromStringSid
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication::InitializeClientContextFromToken
itializeClientContextFromToken
Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication2::InitializeClientContextFromToken2
itializeClientContextFromToken2
Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenApplicationGroup
penApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenOperation
penOperation
Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenRole
penRole
Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenScope
penScope
Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenTask
penTask
Microsoft.Interop.Security.Azroles.IAzApplication2.Se IAzApplication::SetProper ty
tProper ty
Microsoft.Interop.Security.Azroles.IAzApplication2.Su IAzApplication::Submit
bmit
Properties
The Microsoft.Interop.Security.AzRoles.IAzApplication2 interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzApplication3
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzApplication3 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplication3 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication3.A IAzApplication::AddDelegatedPolicyUser
ddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication3.A IAzApplication::AddDelegatedPolicyUserName
ddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication3.A IAzApplication::AddPolicyAdministrator
ddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication3.A IAzApplication::AddPolicyAdministratorName
ddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication3.A IAzApplication::AddPolicyReader
ddPolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication3.A IAzApplication::AddPolicyReaderName
ddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication::CreateApplicationGroup
eateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication::CreateOperation
eateOperation
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication::CreateRole
eateRole
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication3::CreateRoleAssignment
eateRoleAssignment
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication3::CreateRoleDefinition
eateRoleDefinition
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication::CreateScope
eateScope
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication3::CreateScope2
eateScope2
Microsoft.Interop.Security.Azroles.IAzApplication3.Cr IAzApplication::CreateTask
eateTask
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeleteApplicationGroup
eleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeleteDelegatedPolicyUser
eleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeleteDelegatedPolicyUserName
eleteDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeleteOperation
eleteOperation
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeletePolicyAdministrator
eletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeletePolicyAdministratorName
eletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeletePolicyReader
eletePolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeletePolicyReaderName
eletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeleteRole
eleteRole
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication3::DeleteRoleAssignment
eleteRoleAssignment
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication3::DeleteRoleDefinition
eleteRoleDefinition
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeleteScope
eleteScope
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication3::DeleteScope2
eleteScope2
Microsoft.Interop.Security.Azroles.IAzApplication3.D IAzApplication::DeleteTask
eleteTask
Microsoft.Interop.Security.Azroles.IAzApplication3.G IAzApplication::GetProper ty
etProper ty
Microsoft.Interop.Security.Azroles.IAzApplication3.In IAzApplication2::InitializeClientContext2
itializeClientContext2
Microsoft.Interop.Security.Azroles.IAzApplication3.In IAzApplication::InitializeClientContextFromName
itializeClientContextFromName
Microsoft.Interop.Security.Azroles.IAzApplication3.In IAzApplication::InitializeClientContextFromStringSid
itializeClientContextFromStringSid
Microsoft.Interop.Security.Azroles.IAzApplication3.In IAzApplication::InitializeClientContextFromToken
itializeClientContextFromToken
Microsoft.Interop.Security.Azroles.IAzApplication3.In IAzApplication2::InitializeClientContextFromToken2
itializeClientContextFromToken2
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication::OpenApplicationGroup
penApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication::OpenOperation
penOperation
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication::OpenRole
penRole
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication3::OpenRoleAssignment
penRoleAssignment
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication3::OpenRoleDefinition
penRoleDefinition
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication::OpenScope
penScope
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication3::OpenScope2
penScope2
Microsoft.Interop.Security.Azroles.IAzApplication3.O IAzApplication::OpenTask
penTask
Microsoft.Interop.Security.Azroles.IAzApplication3.Sc IAzApplication3::ScopeExists
opeExists
Microsoft.Interop.Security.Azroles.IAzApplication3.Se IAzApplication::SetProper ty
tProper ty
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplication3.Su IAzApplication::Submit
bmit
Properties
The Microsoft.Interop.Security.AzRoles.IAzApplication3 interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddAppMember
up.AddAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddAppNonMember
up.AddAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddMember
up.AddMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddMemberName
up.AddMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddNonMember
up.AddNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddNonMemberName
up.AddNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteAppMember
up.DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteAppNonMember
up.DeleteAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteMember
up.DeleteMember
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteMemberName
up.DeleteMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteNonMember
up.DeleteNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteNonMemberName
up.DeleteNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::GetProper ty
up.GetProper ty
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::SetProper ty
up.SetProper ty
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::Submit
up.Submit
Properties
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddAppMember
up2.AddAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddAppNonMember
up2.AddAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddMember
up2.AddMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddMemberName
up2.AddMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddNonMember
up2.AddNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::AddNonMemberName
up2.AddNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteAppMember
up2.DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteAppNonMember
up2.DeleteAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteMember
up2.DeleteMember
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteMemberName
up2.DeleteMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteNonMember
up2.DeleteNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::DeleteNonMemberName
up2.DeleteNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::GetProper ty
up2.GetProper ty
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup2::RoleAssignments
up2.RoleAssignments
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::SetProper ty
up2.SetProper ty
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroup::Submit
up2.Submit
Properties
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzApplicationGroups
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroups interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroups interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplicationGro IAzApplicationGroups::_NewEnum
ups.GetEnumerator
Properties
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroups interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzApplications
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzApplications interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplications interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzApplications.Ge IAzApplications::_NewEnum
tEnumerator
Properties
The Microsoft.Interop.Security.AzRoles.IAzApplications interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::AddDelegatedPolicyUser
ore.AddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::AddDelegatedPolicyUserNam
ore.AddDelegatedPolicyUserName e
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::AddPolicyAdministrator
ore.AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::AddPolicyAdministratorName
ore.AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::AddPolicyReader
ore.AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::AddPolicyReaderName
ore.AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::CloseApplication
ore.CloseApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::CreateApplication
ore.CreateApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::CreateApplicationGroup
ore.CreateApplicationGroup
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::Delete
ore.Delete
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeleteApplication
ore.DeleteApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeleteApplicationGroup
ore.DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeleteDelegatedPolicyUser
ore.DeleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeleteDelegatedPolicyUserNa
ore.DeleteDelegatedPolicyUserName me
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeletePolicyAdministrator
ore.DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeletePolicyAdministratorNa
ore.DeletePolicyAdministratorName me
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeletePolicyReader
ore.DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::DeletePolicyReaderName
ore.DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::GetProper ty
ore.GetProper ty
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::Initialize
ore.Initialize
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::OpenApplication
ore.OpenApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::OpenApplicationGroup
ore.OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::SetProper ty
ore.SetProper ty
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::Submit
ore.Submit
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore::UpdateCache
ore.UpdateCache
Properties
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore interface has these properties.
P RO P ERT Y A C C ESS T Y P E DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddDelegatedPolicyUser
ore2.AddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddDelegatedPolicyUserName
ore2.AddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyAdministrator
ore2.AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyAdministratorName
ore2.AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyReader
ore2.AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyReaderName
ore2.AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::CloseApplication
ore2.CloseApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::CreateApplication
ore2.CreateApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore2::CreateApplication2
ore2.CreateApplication2
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::CreateApplicationGroup
ore2.CreateApplicationGroup
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::Delete
ore2.Delete
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteApplication
ore2.DeleteApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteApplicationGroup
ore2.DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteDelegatedPolicyUser
ore2.DeleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteDelegatedPolicyUserNa
ore2.DeleteDelegatedPolicyUserName me
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyAdministrator
ore2.DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyAdministratorNam
ore2.DeletePolicyAdministratorName e
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyReader
ore2.DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyReaderName
ore2.DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::GetProper ty
ore2.GetProper ty
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::Initialize
ore2.Initialize
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::OpenApplication
ore2.OpenApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore2::OpenApplication2
ore2.OpenApplication2
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::OpenApplicationGroup
ore2.OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::SetProper ty
ore2.SetProper ty
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::Submit
ore2.Submit
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::UpdateCache
ore2.UpdateCache
Properties
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddDelegatedPolicyUser
ore3.AddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddDelegatedPolicyUserName
ore3.AddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyAdministrator
ore3.AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyAdministratorName
ore3.AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyReader
ore3.AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::AddPolicyReaderName
ore3.AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::CloseApplication
ore3.CloseApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::CreateApplication
ore3.CreateApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore2::CreateApplication2
ore3.CreateApplication2
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::CreateApplicationGroup
ore3.CreateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::Delete
ore3.Delete
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteApplication
ore3.DeleteApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteApplicationGroup
ore3.DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteDelegatedPolicyUser
ore3.DeleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeleteDelegatedPolicyUserNa
ore3.DeleteDelegatedPolicyUserName me
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyAdministrator
ore3.DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyAdministratorNam
ore3.DeletePolicyAdministratorName e
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyReader
ore3.DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::DeletePolicyReaderName
ore3.DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::GetProper ty
ore3.GetProper ty
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore3::GetSchemaVersion
ore3.GetSchemaVersion
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::Initialize
ore3.Initialize
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore3::IsFunctionalLevelUpgradeSu
ore3.IsFunctionalLevelUpgradeSuppor ted ppor ted
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore3::IsUpdateNeeded
ore3.IsUpdateNeeded
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::OpenApplication
ore3.OpenApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore2::OpenApplication2
ore3.OpenApplication2
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::OpenApplicationGroup
ore3.OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::SetProper ty
ore3.SetProper ty
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::Submit
ore3.Submit
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt AzAuthorizationStore::UpdateCache
ore3.UpdateCache
Microsoft.Interop.Security.Azroles.IAzAuthorizationSt IAzAuthorizationStore3::UpgradeStoresFunctionalLev
ore3.UpgradeStoresFunctionalLevel el
Properties
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzBizRuleContext
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzBizRuleContext interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzBizRuleContext interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzBizRuleContext. IAzBizRuleContext::GetParameter
GetParameter
Properties
The Microsoft.Interop.Security.AzRoles.IAzBizRuleContext interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfac IAzBizRuleInterfaces::AddInterface
es.AddInterface
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfac IAzBizRuleInterfaces::AddInterfaces
es.AddInterfaces
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfac IAzBizRuleInterfaces::GetInterfaceValue
es.GetInterfaceValue
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfac IAzBizRuleInterfaces::Remove
es.Remove
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfac IAzBizRuleInterfaces::RemoveAll
es.RemoveAll
Properties
The Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzBizRuleParamet IAzBizRuleParameters::AddParameter
ers.AddParameter
Microsoft.Interop.Security.Azroles.IAzBizRuleParamet IAzBizRuleParameters::AddParameters
ers.AddParameters
Microsoft.Interop.Security.Azroles.IAzBizRuleParamet IAzBizRuleParameters::GetParameterValue
ers.GetParameterValue
Microsoft.Interop.Security.Azroles.IAzBizRuleParamet IAzBizRuleParameters::Remove
ers.Remove
Microsoft.Interop.Security.Azroles.IAzBizRuleParamet IAzBizRuleParameters::RemoveAll
ers.RemoveAll
Properties
The Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzClientContext
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzClientContext interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzClientContext interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzClientContext. IAzClientContext::AccessCheck
AccessCheck
Microsoft.Interop.Security.Azroles.IAzClientContext. IAzClientContext::GetBusinessRuleString
GetBusinessRuleString
Microsoft.Interop.Security.Azroles.IAzClientContext. IAzClientContext::GetProper ty
GetProper ty
Microsoft.Interop.Security.Azroles.IAzClientContext. IAzClientContext::GetRoles
GetRoles
Properties
The Microsoft.Interop.Security.AzRoles.IAzClientContext interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzClientContext2
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzClientContext2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzClientContext2 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext::AccessCheck
AccessCheck
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext2::AddApplicationGroups
AddApplicationGroups
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext2::AddRoles
AddRoles
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext2::AddStringSids
AddStringSids
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext2::GetAssignedScopesPage
GetAssignedScopesPage
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext::GetBusinessRuleString
GetBusinessRuleString
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext::GetProper ty
GetProper ty
Microsoft.Interop.Security.Azroles.IAzClientContext2. IAzClientContext::GetRoles
GetRoles
Properties
The Microsoft.Interop.Security.AzRoles.IAzClientContext2 interface has these properties.
P RO P ERT Y A C C ESS T Y P E DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzClientContext3
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzClientContext3 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzClientContext3 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext::AccessCheck
AccessCheck
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext3::AccessCheck2
AccessCheck2
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext2::AddApplicationGroups
AddApplicationGroups
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext2::AddRoles
AddRoles
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext2::AddStringSids
AddStringSids
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext2::GetAssignedScopesPage
GetAssignedScopesPage
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext::GetBusinessRuleString
GetBusinessRuleString
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext3::GetGroups
GetGroups
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext3::GetOperations
GetOperations
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext::GetProper ty
GetProper ty
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext::GetRoles
GetRoles
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext3::GetTasks
GetTasks
Microsoft.Interop.Security.Azroles.IAzClientContext3. IAzClientContext3::IsInRoleAssignment
IsInRoleAssignment
Properties
The Microsoft.Interop.Security.AzRoles.IAzClientContext3 interface has these properties.
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzNameResolver
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzNameResolver interface has these types of members:
Methods
Methods
The Microsoft.Interop.Security.AzRoles.IAzNameResolver interface has these methods.
M ET H O D DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzObjectPicker
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzObjectPicker interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzObjectPicker interface has these methods.
M ET H O D DESC RIP T IO N
Properties
The Microsoft.Interop.Security.AzRoles.IAzObjectPicker interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzOperation
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzOperation interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzOperation interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzOperation.GetP IAzOperation::GetProper ty
roper ty
Microsoft.Interop.Security.Azroles.IAzOperation.SetP IAzOperation::SetProper ty
roper ty
Microsoft.Interop.Security.Azroles.IAzOperation.Sub IAzOperation::Submit
mit
Properties
The Microsoft.Interop.Security.AzRoles.IAzOperation interface has these properties.
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzOperation2
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzOperation2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzOperation2 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzOperation2.Get IAzOperation::GetProper ty
Proper ty
Microsoft.Interop.Security.Azroles.IAzOperation2.Rol IAzOperation2::RoleAssignments
eAssignments
Microsoft.Interop.Security.Azroles.IAzOperation2.Set IAzOperation::SetProper ty
Proper ty
Microsoft.Interop.Security.Azroles.IAzOperation2.Su IAzOperation::Submit
bmit
Properties
The Microsoft.Interop.Security.AzRoles.IAzOperation2 interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzOperations
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzOperations interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzOperations interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzOperations.Get IAzOperations::_NewEnum
Enumerator
Properties
The Microsoft.Interop.Security.AzRoles.IAzOperations interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator interface has these types of members:
Methods
Methods
The Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator interface has these methods.
M ET H O D DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRole interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzRole interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzRole interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRole.AddAppM IAzRole::AddAppMember
ember
Microsoft.Interop.Security.Azroles.IAzRole.AddMemb IAzRole::AddMember
er
Microsoft.Interop.Security.Azroles.IAzRole.AddMemb IAzRole::AddMemberName
erName
Microsoft.Interop.Security.Azroles.IAzRole.AddOpera IAzRole::AddOperation
tion
Microsoft.Interop.Security.Azroles.IAzRole.AddTask IAzRole::AddTask
Microsoft.Interop.Security.Azroles.IAzRole.DeleteApp IAzRole::DeleteAppMember
Member
Microsoft.Interop.Security.Azroles.IAzRole.DeleteMe IAzRole::DeleteMember
mber
Microsoft.Interop.Security.Azroles.IAzRole.DeleteMe IAzRole::DeleteMemberName
mberName
Microsoft.Interop.Security.Azroles.IAzRole.DeleteOpe IAzRole::DeleteOperation
ration
Microsoft.Interop.Security.Azroles.IAzRole.DeleteTask IAzRole::DeleteTask
Microsoft.Interop.Security.Azroles.IAzRole.GetProper IAzRole::GetProper ty
ty
Microsoft.Interop.Security.Azroles.IAzRole.SetProper t IAzRole::SetProper ty
y
Microsoft.Interop.Security.Azroles.IAzRole.Submit IAzRole::Submit
Properties
The Microsoft.Interop.Security.AzRoles.IAzRole interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleAssignment
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignment interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignment interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::AddAppMember
t.AddAppMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::AddMember
t.AddMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::AddMemberName
t.AddMemberName
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::AddOperation
t.AddOperation
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRoleAssignment::AddRoleDefinition
t.AddRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::AddTask
t.AddTask
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::DeleteAppMember
t.DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::DeleteMember
t.DeleteMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::DeleteMemberName
t.DeleteMemberName
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::DeleteOperation
t.DeleteOperation
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRoleAssignment::DeleteRoleDefinition
t.DeleteRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::DeleteTask
t.DeleteTask
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::GetProper ty
t.GetProper ty
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::SetProper ty
t.SetProper ty
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRole::Submit
t.Submit
Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignment interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleAssignments
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignments interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignments interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRoleAssignmen IAzRoleAssignments::_NewEnum
ts.GetEnumerator
Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignments interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleDefinition
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinition interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinition interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::AddAppMember
AddAppMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::AddMember
AddMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::AddMemberName
AddMemberName
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::AddOperation
AddOperation
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRoleDefinition::AddRoleDefinition
AddRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::AddTask
AddTask
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::DeleteAppMember
DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::DeleteMember
DeleteMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::DeleteMemberName
DeleteMemberName
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::DeleteOperation
DeleteOperation
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRoleDefinition::DeleteRoleDefinition
DeleteRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::DeleteTask
DeleteTask
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::GetProper ty
GetProper ty
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRoleDefinition::RoleAssignments
RoleAssignments
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::SetProper ty
SetProper ty
Microsoft.Interop.Security.Azroles.IAzRoleDefinition. IAzRole::Submit
Submit
Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinition interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRoleDefinitions. IAzRoleDefinitions::_NewEnum
GetEnumerator
Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoles
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzRoles interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzRoles interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzRoles.GetEnum IAzRoles::_NewEnum
erator
Properties
The Microsoft.Interop.Security.AzRoles.IAzRoles interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzScope
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzScope interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzScope interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzScope.AddPolic IAzScope::AddPolicyAdministrator
yAdministrator
Microsoft.Interop.Security.Azroles.IAzScope.AddPolic IAzScope::AddPolicyAdministratorName
yAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope.AddPolic IAzScope::AddPolicyReader
yReader
Microsoft.Interop.Security.Azroles.IAzScope.AddPolic IAzScope::AddPolicyReaderName
yReaderName
Microsoft.Interop.Security.Azroles.IAzScope.CreateA IAzScope::CreateApplicationGroup
pplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope.CreateRo IAzScope::CreateRole
le
Microsoft.Interop.Security.Azroles.IAzScope.CreateTa IAzScope::CreateTask
sk
Microsoft.Interop.Security.Azroles.IAzScope.DeleteAp IAzScope::DeleteApplicationGroup
plicationGroup
Microsoft.Interop.Security.Azroles.IAzScope.DeletePo IAzScope::DeletePolicyAdministrator
licyAdministrator
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzScope.DeletePo IAzScope::DeletePolicyAdministratorName
licyAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope.DeletePo IAzScope::DeletePolicyReader
licyReader
Microsoft.Interop.Security.Azroles.IAzScope.DeletePo IAzScope::DeletePolicyReaderName
licyReaderName
Microsoft.Interop.Security.Azroles.IAzScope.DeleteRo IAzScope::DeleteRole
le
Microsoft.Interop.Security.Azroles.IAzScope.DeleteTa IAzScope::DeleteTask
sk
Microsoft.Interop.Security.Azroles.IAzScope.GetProp IAzScope::GetProper ty
er ty
Microsoft.Interop.Security.Azroles.IAzScope.OpenAp IAzScope::OpenApplicationGroup
plicationGroup
Microsoft.Interop.Security.Azroles.IAzScope.OpenRol IAzScope::OpenRole
e
Microsoft.Interop.Security.Azroles.IAzScope.OpenTas IAzScope::OpenTask
k
Microsoft.Interop.Security.Azroles.IAzScope.SetPrope IAzScope::SetProper ty
r ty
Microsoft.Interop.Security.Azroles.IAzScope.Submit IAzScope::Submit
Properties
The Microsoft.Interop.Security.AzRoles.IAzScope interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzScope2
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzScope2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzScope2 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzScope2.AddPoli IAzScope::AddPolicyAdministrator
cyAdministrator
Microsoft.Interop.Security.Azroles.IAzScope2.AddPoli IAzScope::AddPolicyAdministratorName
cyAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope2.AddPoli IAzScope::AddPolicyReader
cyReader
Microsoft.Interop.Security.Azroles.IAzScope2.AddPoli IAzScope::AddPolicyReaderName
cyReaderName
Microsoft.Interop.Security.Azroles.IAzScope2.Create IAzScope::CreateApplicationGroup
ApplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope2.CreateR IAzScope::CreateRole
ole
Microsoft.Interop.Security.Azroles.IAzScope2.CreateR IAzScope2::CreateRoleAssignment
oleAssignment
Microsoft.Interop.Security.Azroles.IAzScope2.CreateR IAzScope2::CreateRoleDefinition
oleDefinition
Microsoft.Interop.Security.Azroles.IAzScope2.CreateT IAzScope::CreateTask
ask
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteA IAzScope::DeleteApplicationGroup
pplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteP IAzScope::DeletePolicyAdministrator
olicyAdministrator
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteP IAzScope::DeletePolicyAdministratorName
olicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteP IAzScope::DeletePolicyReader
olicyReader
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteP IAzScope::DeletePolicyReaderName
olicyReaderName
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteR IAzScope::DeleteRole
ole
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteR IAzScope2::DeleteRoleAssignment
oleAssignment
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteR IAzScope2::DeleteRoleDefinition
oleDefinition
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteT IAzScope::DeleteTask
ask
Microsoft.Interop.Security.Azroles.IAzScope2.GetPro IAzScope::GetProper ty
per ty
Microsoft.Interop.Security.Azroles.IAzScope2.OpenA IAzScope::OpenApplicationGroup
pplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope2.OpenRo IAzScope::OpenRole
le
Microsoft.Interop.Security.Azroles.IAzScope2.OpenRo IAzScope2::OpenRoleAssignment
leAssignment
Microsoft.Interop.Security.Azroles.IAzScope2.OpenRo IAzScope2::OpenRoleDefinition
leDefinition
Microsoft.Interop.Security.Azroles.IAzScope2.OpenTa IAzScope::OpenTask
sk
Microsoft.Interop.Security.Azroles.IAzScope2.SetProp IAzScope::SetProper ty
er ty
Microsoft.Interop.Security.Azroles.IAzScope2.Submit IAzScope::Submit
Properties
The Microsoft.Interop.Security.AzRoles.IAzScope2 interface has these properties.
Requirements
REQ UIREM EN T VA L UE
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzScopes
interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzScopes interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzScopes interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzScopes.GetEnu IAzScopes::_NewEnum
merator
Properties
The Microsoft.Interop.Security.AzRoles.IAzScopes interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzTask interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzTask interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzTask interface has these methods.
M ET H O D DESC RIP T IO N
Properties
The Microsoft.Interop.Security.AzRoles.IAzTask interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzTask2 interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzTask2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzTask2 interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzTask2.RoleAssig IAzTask2::RoleAssignments
nments
Properties
The Microsoft.Interop.Security.AzRoles.IAzTask2 interface has these properties.
P RO P ERT Y A C C ESS T Y P E DESC RIP T IO N
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzTasks interface
3/22/2021 • 2 minutes to read • Edit Online
Members
The Microsoft.Interop.Security.AzRoles.IAzTasks interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzTasks interface has these methods.
M ET H O D DESC RIP T IO N
Microsoft.Interop.Security.Azroles.IAzTasks.GetEnum IAzTasks::_NewEnum
erator
Properties
The Microsoft.Interop.Security.AzRoles.IAzTasks interface has these properties.
Requirements
REQ UIREM EN T VA L UE
Assembly
Microsoft.Interop.Security.Azroles.dll