
Contents

Authorization
About Authorization
Access Control
C2-level Security
Access Control Model
Parts of the Access Control Model
Access Tokens
Security Descriptors
Access Control Lists
Access Control Entries
Access Rights and Access Masks
Centralized Authorization Policy
Security Identifiers
How AccessCheck Works
Interaction Between Threads and Securable Objects
DACLs and ACEs
Null DACLs and Empty DACLs
Allowing Anonymous Access
Security Descriptor Definition Language
Security Descriptor String Format
Security Descriptor Definition Language for Conditional ACEs
ACE Strings
SID Strings
Privileges
Audit Generation
Securable Objects
Low-level Access Control
Low-level Security Descriptor Functions
Low-level Security Descriptor Creation
Absolute and Self-Relative Security Descriptors
Low-level ACL and ACE Functions
Access Control Editor
Basic Security Property Page
Advanced Security Property Sheet
Permissions Property Page
Auditing Property Page
Owner Property Page
Client/Server Access Control
The Client Security Context
Client Impersonation
Impersonation Levels
Impersonation Tokens
Client Logon Sessions
Processes in the Client Security Context
Client Access to Network Resources
ACL-based Access Control
Security Descriptors for Private Objects
Checking Access to Private Objects
Auditing Access To Private Objects
Access Control for Application Resources
Role-based Access Control
Advantages of Role-based Authorization
Authorization Manager Model
Policy Stores, Applications, and Scopes
Users and Groups
Operations and Tasks
Roles
Business Rules
Collections
AppContainer for Legacy Applications
AppContainer Isolation
Implementing an AppContainer
Mandatory Integrity Control
User Account Control
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Operating System Service Model
Elevated Task Model
Administrator COM Object Model
Using Authorization in C++
Defining Permissions in C++
Verifying Client Access to a Requested Resource in C++
Delegating the Defining of Permissions in C++
Supporting Tasks for Authorization in C++
Creating an Authorization Policy Store in C++
Creating an Authorization Policy Store Object in C++
Creating an Application Object in C++
Defining Operations in C++
Grouping Operations into Tasks in C++
Grouping Tasks into Roles in C++
Defining Groups of Users in C++
Adding Users to an Application Group in C++
Establishing a Client Context with Authorization Manager in C++
Qualifying Access with Business Logic in C++
Defining Permissions with ACLs in C++
Modifying the ACLs of an Object in C++
Creating a Security Descriptor for a New Object in C++
Controlling Child Object Creation in C++
Enabling and Disabling Privileges in C++
Establishing a Client Context from a SID in C++
Searching for a SID in an Access Token in C++
Converting a Binary SID to String Format in C++
Verifying Client Access with ACLs in C++
Finding the Owner of a File Object in C++
Taking Object Ownership in C++
Using Authorization in Script
Defining Permissions in Script
Verifying Client Access to a Requested Resource in Script
Delegating the Defining of Permissions in Script
Supporting Tasks for Authorization in Script
Creating an Authorization Policy Store in Script
Creating an Authorization Policy Store Object in Script
Creating an Application Object in Script
Defining Operations in Script
Grouping Operations into Tasks in Script
Grouping Tasks into Roles in Script
Defining Groups of Users in Script
Adding Users to an Application Group in Script
Establishing a Client Context in Script
Qualifying Access with Business Logic in Script
Using Authz API
Initializing a Client Context
Querying a Client Context
Adding SIDs to a Client Context
Checking Access with Authz API
Caching Access Checks
Authorization Reference
Authorization Constants
Account Rights Constants
App Container SID Constants
Auditing Constants
Capability SID Constants
Privilege Constants
Authorization Data Types
ACCESS_MASK
SECURITY_DESCRIPTOR_CONTROL
SECURITY_INFORMATION
Authorization Enumerations
ACCESS_MODE
ACL_INFORMATION_CLASS
AUDIT_EVENT_TYPE
AUDIT_PARAM_TYPE
AUTHZ_CONTEXT_INFORMATION_CLASS
AUTHZ_SECURITY_ATTRIBUTE_OPERATION
AUTHZ_SID_OPERATION
AZ_PROP_CONSTANTS
MANDATORY_LEVEL
MULTIPLE_TRUSTEE_OPERATION
PROG_INVOKE_SETTING
SE_OBJECT_TYPE
SECURITY_IMPERSONATION_LEVEL
SI_PAGE_TYPE
SID_NAME_USE
TOKEN_ELEVATION_TYPE
TOKEN_INFORMATION_CLASS
TOKEN_TYPE
TRUSTEE_FORM
TRUSTEE_TYPE
WELL_KNOWN_SID_TYPE
Authorization Functions
AccessCheck
AccessCheckAndAuditAlarm
AccessCheckByType
AccessCheckByTypeAndAuditAlarm
AccessCheckByTypeResultList
DeriveCapabilitySidsFromName
AccessCheckByTypeResultListAndAuditAlarm
AccessCheckByTypeResultListAndAuditAlarmByHandle
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddConditionalAce
AddMandatoryAce
AddResourceAttributeAce
AddScopedPolicyIDAce
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AreAllAccessesGranted
AreAnyAccessesGranted
AuditComputeEffectivePolicyBySid
AuditComputeEffectivePolicyByToken
AuditEnumerateCategories
AuditEnumeratePerUserPolicy
AuditEnumerateSubCategories
AuditFree
AuditLookupCategoryGuidFromCategoryId
AuditLookupCategoryIdFromCategoryGuid
AuditLookupCategoryName
AuditLookupSubCategoryName
AuditQueryGlobalSacl
AuditQueryPerUserPolicy
AuditQuerySecurity
AuditQuerySystemPolicy
AuditSetGlobalSacl
AuditSetPerUserPolicy
AuditSetSecurity
AuditSetSystemPolicy
AuthzAccessCheck
AuthzAccessCheckCallback
AuthzAddSidsToContext
AuthzCachedAccessCheck
AuthzComputeGroupsCallback
AuthzEnumerateSecurityEventSources
AuthzFreeAuditEvent
AuthzFreeCentralAccessPolicyCache
AuthzFreeCentralAccessPolicyCallback
AuthzFreeContext
AuthzFreeGroupsCallback
AuthzFreeHandle
AuthzFreeResourceManager
AuthzGetCentralAccessPolicyCallback
AuthzGetInformationFromContext
AuthzInitializeCompoundContext
AuthzInitializeContextFromAuthzContext
AuthzInitializeContextFromSid
AuthzInitializeContextFromToken
AuthzInitializeObjectAccessAuditEvent
AuthzInitializeObjectAccessAuditEvent2
AuthzInitializeRemoteResourceManager
AuthzInitializeResourceManager
AuthzInitializeResourceManagerEx
AuthzInstallSecurityEventSource
AuthzModifyClaims
AuthzModifySecurityAttributes
AuthzModifySids
AuthzOpenObjectAudit
AuthzRegisterCapChangeNotification
AuthzRegisterSecurityEventSource
AuthzReportSecurityEvent
AuthzReportSecurityEventFromParams
AuthzSetAppContainerInformation
AuthzUninstallSecurityEventSource
AuthzUnregisterCapChangeNotification
AuthzUnregisterSecurityEventSource
BuildExplicitAccessWithName
BuildImpersonateExplicitAccessWithName
BuildImpersonateTrustee
BuildSecurityDescriptor
BuildTrusteeWithName
BuildTrusteeWithObjectsAndName
BuildTrusteeWithObjectsAndSid
BuildTrusteeWithSid
CheckTokenCapability
CheckTokenMembership
CheckTokenMembershipEx
ConvertSecurityDescriptorToStringSecurityDescriptor
ConvertSidToStringSid
ConvertStringSecurityDescriptorToSecurityDescriptor
ConvertStringSidToSid
ConvertToAutoInheritPrivateObjectSecurity
CopySid
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateRestrictedToken
CreateSecurityPage
CreateWellKnownSid
DeleteAce
DestroyPrivateObjectSecurity
DSCreateSecurityPage
DSCreateISecurityInfoObject
DSCreateISecurityInfoObjectEx
DSEditSecurity
DuplicateToken
DuplicateTokenEx
EditSecurity
EditSecurityAdvanced
EqualDomainSid
EqualPrefixSid
EqualSid
FindFirstFreeAce
FreeInheritedFromArray
FreeSid
GetAce
GetAclInformation
GetAppContainerNamedObjectPath
GetAuditedPermissionsFromAcl
GetCurrentProcessToken
GetCurrentThreadEffectiveToken
GetCurrentThreadToken
GetEffectiveRightsFromAcl
GetExplicitEntriesFromAcl
GetFileSecurity
GetInheritanceSource
GetKernelObjectSecurity
GetLengthSid
GetMultipleTrustee
GetMultipleTrusteeOperation
GetNamedSecurityInfo
GetPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorRMControl
GetSecurityDescriptorSacl
GetSecurityInfo
GetSidIdentifierAuthority
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
GetTrusteeForm
GetTrusteeName
GetTrusteeType
GetUserObjectSecurity
GetWindowsAccountDomainSid
ImpersonateAnonymousToken
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
ImpersonateSelf
InitializeAcl
InitializeSecurityDescriptor
InitializeSid
IsTokenRestricted
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
IsWellKnownSid
LookupAccountName
LookupAccountSid
LookupAccountSidLocal
LookupPrivilegeDisplayName
LookupPrivilegeName
LookupPrivilegeValue
LookupSecurityDescriptorParts
MakeAbsoluteSD
MakeSelfRelativeSD
MapGenericMask
NtCompareTokens
ObjectCloseAuditAlarm
ObjectDeleteAuditAlarm
ObjectOpenAuditAlarm
ObjectPrivilegeAuditAlarm
OpenProcessToken
OpenThreadToken
PrivilegeCheck
PrivilegedServiceAuditAlarm
QuerySecurityAccessMask
QueryServiceObjectSecurity
RegGetKeySecurity
RegSetKeySecurity
RevertToSelf
RtlConvertSidToUnicodeString
SetAclInformation
SetEntriesInAcl
SetFileSecurity
SetKernelObjectSecurity
SetNamedSecurityInfo
SetPrivateObjectSecurity
SetPrivateObjectSecurityEx
SetSecurityAccessMask
SetSecurityDescriptorControl
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorRMControl
SetSecurityDescriptorSacl
SetSecurityInfo
SetServiceObjectSecurity
SetThreadToken
SetTokenInformation
SetUserObjectSecurity
TreeResetNamedSecurityInfo
TreeSetNamedSecurityInfo
Authorization Interfaces
IAzApplication
IAzApplication Methods
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CreateApplicationGroup Method
CreateOperation Method
CreateRole Method
CreateScope Method
CreateTask Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeleteOperation Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
DeleteRole Method
DeleteScope Method
DeleteTask Method
GetProperty Method
InitializeClientContextFromName Method
InitializeClientContextFromStringSid Method
InitializeClientContextFromToken Method
OpenApplicationGroup Method
OpenOperation Method
OpenRole Method
OpenScope Method
OpenTask Method
SetProperty Method
Submit Method
IAzApplication Properties
ApplicationData Property
ApplicationGroups Property
ApplyStoreSacl Property
AuthzInterfaceClsid Property
DelegatedPolicyUsers Property
DelegatedPolicyUsersName Property
Description Property
GenerateAudits Property
Name Property
Operations Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
Roles Property
Scopes Property
Tasks Property
Version Property
Writable Property
IAzApplication2
IAzApplication2 Methods
InitializeClientContext2 Method
InitializeClientContextFromToken2 Method
IAzApplication3
IAzApplication3 Methods
CreateRoleAssignment Method
CreateRoleDefinition Method
CreateScope2 Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
DeleteScope2 Method
OpenRoleAssignment Method
OpenRoleDefinition Method
OpenScope2 Method
ScopeExists Method
IAzApplication3 Properties
BizRulesEnabled Property
RoleAssignments Property
RoleDefinitions Property
IAzApplications
IAzApplications Properties
Count Property
Item Property
_NewEnum Property
IAzApplicationGroup
IAzApplicationGroup Methods
AddAppMember Method
AddAppNonMember Method
AddMember Method
AddMemberName Method
AddNonMember Method
AddNonMemberName Method
AddPropertyItem Method
DeleteAppMember Method
DeleteAppNonMember Method
DeleteMember Method
DeleteMemberName Method
DeleteNonMember Method
DeleteNonMemberName Method
DeletePropertyItem Method
GetProperty Method
SetProperty Method
Submit Method
IAzApplicationGroup Properties
AppMembers Property
AppNonMembers Property
Description Property
LdapQuery Property
Members Property
MembersName Property
Name Property
NonMembers Property
NonMembersName Property
Type Property
Writable Property
IAzApplicationGroup2
IAzApplicationGroup2 Properties
BizRule Property
BizRuleImportedPath Property
BizRuleLanguage Property
RoleAssignments Property
IAzApplicationGroups
IAzApplicationGroups Properties
Count Property
Item Property
_NewEnum Property
IAzAuthorizationStore
IAzAuthorizationStore Methods
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CloseApplication Method
CreateApplication Method
CreateApplicationGroup Method
Delete Method
DeleteApplication Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
GetProperty Method
Initialize Method
OpenApplication Method
OpenApplicationGroup Method
SetProperty Method
Submit Method
UpdateCache Method
IAzAuthorizationStore Properties
ApplicationData Property
ApplicationGroups Property
Applications Property
ApplyStoreSacl Property
DelegatedPolicyUsers Property
DelegatedPolicyUsersName Property
Description Property
DomainTimeout Property
GenerateAudits Property
MaxScriptEngines Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
ScriptEngineTimeout Property
TargetMachine Property
Writable Property
IAzAuthorizationStore2
IAzAuthorizationStore2 Methods
CreateApplication2 Method
OpenApplication2 Method
IAzAuthorizationStore3
IAzAuthorizationStore3 Methods
BizruleGroupSupported Method
GetSchemaVersion Method
IsFunctionalLevelUpgradeSupported Method
IsUpdateNeeded Method
UpgradeStoresFunctionalLevel Method
IAzBizRuleContext
IAzBizRuleContext Properties
BusinessRuleResult Property
BusinessRuleString Property
GetParameter Method
IAzBizRuleInterfaces
IAzBizRuleInterfaces Methods
AddInterface Method
AddInterfaces Method
GetInterfaceValue Method
Remove Method
RemoveAll Method
IAzBizRuleInterfaces Properties
Count Property
IAzBizRuleParameters
IAzBizRuleParameters Methods
AddParameter Method
AddParameters Method
GetParameterValue Method
Remove Method
RemoveAll Method
IAzBizRuleParameters Properties
Count Property
IAzClientContext
IAzClientContext Methods
AccessCheck Method
GetBusinessRuleString Method
GetProperty Method
GetRoles Method
IAzClientContext Properties
RoleForAccessCheck Property
UserCanonical Property
UserDisplay Property
UserDn Property
UserDnsSamCompat Property
UserGuid Property
UserSamCompat Property
UserUpn Property
IAzClientContext2
IAzClientContext2 Methods
AddApplicationGroups Method
AddRoles Method
AddStringSids Method
GetAssignedScopesPage Method
IAzClientContext2 Properties
LDAPQueryDN Property
IAzClientContext3
IAzClientContext3 Methods
AccessCheck2 Method
GetGroups Method
GetOperations Method
GetTasks Method
IsInRoleAssignment Method
IAzClientContext3 Properties
BizRuleInterfaces Property
BizRuleParameters Property
Sids Property
IAzNameResolver
IAzNameResolver Methods
NameFromSid Method
NamesFromSids Method
IAzObjectPicker
IAzObjectPicker Methods
GetPrincipals Method
Name Property
IAzOperation
IAzOperation Methods
GetProperty Method
SetProperty Method
Submit Method
IAzOperation Properties
ApplicationData Property
Description Property
Name Property
OperationID Property
Writable Property
IAzOperation2
IAzOperation2 Methods
RoleAssignments Method
IAzOperations
IAzOperations Properties
Count Property
Item Property
_NewEnum Property
IAzPrincipalLocator
IAzPrincipalLocator Properties
NameResolver Property
ObjectPicker Property
IAzRole
IAzRole Methods
AddAppMember Method
AddMember Method
AddMemberName Method
AddOperation Method
AddPropertyItem Method
AddTask Method
DeleteAppMember Method
DeleteMember Method
DeleteMemberName Method
DeleteOperation Method
DeletePropertyItem Method
DeleteTask Method
GetProperty Method
SetProperty Method
Submit Method
IAzRole Properties
ApplicationData Property
AppMembers Property
Description Property
Members Property
MembersName Property
Name Property
Operations Property
Tasks Property
Writable Property
IAzRoleAssignment
IAzRoleAssignment Methods
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleAssignment Properties
RoleDefinitions Property
Scope Property
IAzRoleAssignments
IAzRoleAssignments Properties
Count Property
Item Property
_NewEnum Property
IAzRoleDefinition
IAzRoleDefinition Methods
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleDefinition Properties
RoleAssignments Property
RoleDefinitions Property
IAzRoleDefinitions
IAzRoleDefinitions Properties
Count Property
Item Property
_NewEnum Property
IAzRoles
IAzRoles Properties
Count Property
Item Property
_NewEnum Property
IAzScope
IAzScope Methods
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CreateApplicationGroup Method
CreateRole Method
CreateTask Method
DeleteApplicationGroup Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
DeleteRole Method
DeleteTask Method
GetProperty Method
OpenApplicationGroup Method
OpenRole Method
OpenTask Method
SetProperty Method
Submit Method
IAzScope Properties
ApplicationData Property
ApplicationGroups Property
BizrulesWritable Property
CanBeDelegated Property
Description Property
Name Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
Roles Property
Tasks Property
Writable Property
IAzScope2
IAzScope2 Methods
CreateRoleAssignment Method
CreateRoleDefinition Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
OpenRoleAssignment Method
OpenRoleDefinition Method
IAzScope2 Properties
RoleAssignments Property
RoleDefinitions Property
IAzScopes
IAzScopes Properties
Count Property
Item Property
_NewEnum Property
IAzTask
IAzTask Methods
AddOperation Method
AddPropertyItem Method
AddTask Method
DeleteOperation Method
DeletePropertyItem Method
DeleteTask Method
GetProperty Method
SetProperty Method
Submit Method
IAzTask Properties
ApplicationData Property
BizRule Property
BizRuleImportedPath Property
BizRuleLanguage Property
Description Property
IsRoleDefinition Property
Name Property
Operations Property
Tasks Property
Writable Property
IAzTask2
IAzTask2 Methods
RoleAssignments Method
IAzTasks
IAzTasks Properties
Count Property
Item Property
_NewEnum Property
IeAxiService
IeAxiService Methods
Cleanup Method
Initialize Method
IeAxiServiceCallback
IeAxiServiceCallback Methods
VerifyFile Method
IeAxiSystemInstaller
IeAxiSystemInstaller Methods
InitializeSystemInstaller Method
IEffectivePermission
IEffectivePermission Methods
GetEffectivePermission Method
IEffectivePermission2
ComputeEffectivePermissionWithSecondarySecurity Method
ISecurityInformation
ISecurityInformation Methods
GetAccessRights Method
GetInheritTypes Method
GetObjectInformation Method
GetSecurity Method
MapGeneric Method
PropertySheetPageCallback Method
SetSecurity Method
ISecurityInformation2
ISecurityInformation2 Methods
IsDaclCanonical Method
LookupSids Method
ISecurityInformation3
ISecurityInformation3 Methods
GetFullResourceName Method
OpenElevatedEditor Method
ISecurityInformation4
GetSecondarySecurity Method
ISecurityObjectTypeInfo
ISecurityObjectTypeInfo Methods
GetInheritSource Method
Authorization Objects
CIeAxiInstallerService
Authorization Structures
ACCESS_ALLOWED_ACE
ACCESS_ALLOWED_CALLBACK_ACE
ACCESS_ALLOWED_CALLBACK_OBJECT_ACE
ACCESS_ALLOWED_OBJECT_ACE
ACCESS_DENIED_ACE
ACCESS_DENIED_CALLBACK_ACE
ACCESS_DENIED_CALLBACK_OBJECT_ACE
ACCESS_DENIED_OBJECT_ACE
ACE
ACE_HEADER
ACL
ACL_REVISION_INFORMATION
ACL_SIZE_INFORMATION
AUDIT_POLICY_INFORMATION
AUTHZ_ACCESS_REPLY
AUTHZ_ACCESS_REQUEST
AUTHZ_INIT_INFO
AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET
AUTHZ_RPC_INIT_INFO_CLIENT
AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE
AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
AUTHZ_SECURITY_ATTRIBUTE_V1
AUTHZ_SECURITY_ATTRIBUTES_INFORMATION
AUTHZ_SOURCE_SCHEMA_REGISTRATION
CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE
CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1
CLAIM_SECURITY_ATTRIBUTE_V1
CLAIM_SECURITY_ATTRIBUTES_INFORMATION
EFFPERM_RESULT_LIST
EXPLICIT_ACCESS
GENERIC_MAPPING
INHERITED_FROM
LUID
LUID_AND_ATTRIBUTES
OBJECT_TYPE_LIST
OBJECTS_AND_NAME
OBJECTS_AND_SID
POLICY_AUDIT_SID_ARRAY
PRIVILEGE_SET
SECURITY_ATTRIBUTES
SECURITY_CAPABILITIES
SECURITY_DESCRIPTOR
SECURITY_OBJECT
SECURITY_QUALITY_OF_SERVICE
SI_ACCESS
SI_INHERIT_TYPE
SI_OBJECT_INFO
SID
SID_AND_ATTRIBUTES
SID_AND_ATTRIBUTES_HASH
SID_IDENTIFIER_AUTHORITY
SID_INFO
SID_INFO_LIST
SYSTEM_ALARM_ACE
SYSTEM_ALARM_CALLBACK_ACE
SYSTEM_ALARM_CALLBACK_OBJECT_ACE
SYSTEM_ALARM_OBJECT_ACE
SYSTEM_AUDIT_ACE
SYSTEM_AUDIT_CALLBACK_ACE
SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
SYSTEM_AUDIT_OBJECT_ACE
SYSTEM_MANDATORY_LABEL_ACE
SYSTEM_RESOURCE_ATTRIBUTE_ACE
SYSTEM_SCOPED_POLICY_ID_ACE
TOKEN_ACCESS_INFORMATION
TOKEN_APPCONTAINER_INFORMATION
TOKEN_AUDIT_POLICY
TOKEN_CONTROL
TOKEN_DEFAULT_DACL
TOKEN_DEVICE_CLAIMS
TOKEN_ELEVATION
TOKEN_GROUPS
TOKEN_GROUPS_AND_PRIVILEGES
TOKEN_LINKED_TOKEN
TOKEN_MANDATORY_LABEL
TOKEN_MANDATORY_POLICY
TOKEN_ORIGIN
TOKEN_OWNER
TOKEN_PRIMARY_GROUP
TOKEN_PRIVILEGES
TOKEN_SOURCE
TOKEN_STATISTICS
TOKEN_USER
TOKEN_USER_CLAIMS
TRUSTEE
Microsoft.Interop.Security.AzRoles Assembly
Microsoft.Interop.Security.AzRoles.IAzApplication
Microsoft.Interop.Security.AzRoles.IAzApplication2
Microsoft.Interop.Security.AzRoles.IAzApplication3
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2
Microsoft.Interop.Security.AzRoles.IAzApplicationGroups
Microsoft.Interop.Security.AzRoles.IAzApplications
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3
Microsoft.Interop.Security.AzRoles.IAzBizRuleContext
Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces
Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters
Microsoft.Interop.Security.AzRoles.IAzClientContext
Microsoft.Interop.Security.AzRoles.IAzClientContext2
Microsoft.Interop.Security.AzRoles.IAzClientContext3
Microsoft.Interop.Security.AzRoles.IAzNameResolver
Microsoft.Interop.Security.AzRoles.IAzObjectPicker
Microsoft.Interop.Security.AzRoles.IAzOperation
Microsoft.Interop.Security.AzRoles.IAzOperation2
Microsoft.Interop.Security.AzRoles.IAzOperations
Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator
Microsoft.Interop.Security.AzRoles.IAzRole
Microsoft.Interop.Security.AzRoles.IAzRoleAssignment
Microsoft.Interop.Security.AzRoles.IAzRoleAssignments
Microsoft.Interop.Security.AzRoles.IAzRoleDefinition
Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions
Microsoft.Interop.Security.AzRoles.IAzRoles
Microsoft.Interop.Security.AzRoles.IAzScope
Microsoft.Interop.Security.AzRoles.IAzScope2
Microsoft.Interop.Security.AzRoles.IAzScopes
Microsoft.Interop.Security.AzRoles.IAzTask
Microsoft.Interop.Security.AzRoles.IAzTask2
Microsoft.Interop.Security.AzRoles.IAzTasks
Authorization
3/5/2021 • 2 minutes to read • Edit Online

Purpose
Authorization is the right granted to an individual to use the system and the data stored on it. Authorization is
typically set up by a system administrator and verified by the computer based on some form of user
identification, such as a code number or password.
Microsoft authorization technologies include Authorization Manager and the Authz API.

Developer audience
Microsoft authorization technologies are intended for use by developers of applications based on the Windows
Server and Windows operating systems that control access to resources. Developers should be familiar with
Windows-based programming. Although not required, an understanding of authorization or security-related
subjects is advised.

Run-time requirements
For information about run-time requirements for a particular programming element, see the Requirements
section of the reference page for that element.

In this section
Topic: Description

About Authorization: Key authorization concepts and a high-level view of Microsoft authorization technologies.

Using Authorization: Authorization processes, procedures, and examples of programs using Microsoft authorization
technologies. This information is presented in separate sections for the C++ and script programming languages.

Authorization Reference: Detailed information about authorization functions, interfaces, structures, and other
programming elements.
About Authorization

The following sections provide information about authorization.

Section: Description

Access Control: Security features that control who can access resources in the operating system. Applications call
access control functions to set who can access specific resources or control access to resources provided by the
application.

Access Control Editor: Create and use property sheets and property pages that enable the user to view and modify
the components of an object's security descriptor.

Client/Server Access Control: Server applications that provide services to clients.

Access Control for Application Resources: Role-based and ACL-based access control for application resources.

Mandatory Integrity Control: System-level access control for securable objects.

User Account Control: Security feature that enables users to perform common tasks as nonadministrators, called
standard users, and as administrators without having to switch users, log off, or use Run As.
Access Control (Authorization)

Access control refers to security features that control who can access resources in the operating system.
Applications call access control functions to set who can access specific resources or control access to resources
provided by the application.
This overview describes the security model for controlling access to Windows objects, such as files, and for
controlling access to administrative functions, such as setting the system time or auditing user actions. The
Access Control Model topic provides a high-level description of the parts of access control and how they interact
with each other.
The following topics describe access control:
C2-level Security
Access Control Model
Security Descriptor Definition Language
Privileges
Audit Generation
Securable Objects
Low-level Access Control
The following are common access control tasks:
How DACLs Control Access to an Object
Controlling Child Object Creation in C++
ACEs to Control Access to an Object's Properties
Requesting Access Rights to an Object
The following topics provide example code for access control tasks:
Modifying the ACLs of an Object in C++
Creating a Security Descriptor for a New Object in C++
Controlling Child Object Creation in C++
Enabling and Disabling Privileges in C++
Searching for a SID in an Access Token in C++
Finding the Owner of a File Object in C++
Taking Object Ownership in C++
Creating a DACL
C2-level Security

The following list includes some of the most important requirements of C2-level security, as defined by the U.S.
Department of Defense:
It must be possible to control access to a resource by granting or denying access to individual users or
named groups of users.
Memory must be protected so that its contents cannot be read after a process frees it. Similarly, a secure file
system, such as NTFS, must protect deleted files from being read.
Users must identify themselves in a unique manner, such as by password, when they log on. All auditable
actions must identify the user performing the action.
System administrators must be able to audit security-related events. However, access to the security-related
events audit data must be limited to authorized administrators.
The system must be protected from external interference or tampering, such as modification of the running
system or of system files stored on disk.
Access Control Model

The access control model enables you to control the ability of a process to access securable objects or to
perform various system administration tasks.
The following topics provide a high-level description of the parts of the access control model and how they
interact with each other.
Parts of the Access Control Model
Interaction Between Threads and Securable Objects
DACLs and ACEs
Null DACLs and Empty DACLs
Allowing Anonymous Access
Parts of the Access Control Model

There are two basic parts of the access control model:
Access tokens, which contain information about a logged-on user
Security descriptors, which contain the security information that protects a securable object
When a user logs on, the system authenticates the user's account name and password. If the logon is successful,
the system creates an access token. Every process executed on behalf of this user will have a copy of this access
token. The access token contains security identifiers that identify the user's account and any group accounts to
which the user belongs. The token also contains a list of the privileges held by the user or the user's groups. The
system uses this token to identify the associated user when a process tries to access a securable object or
perform a system administration task that requires privileges.
When a securable object is created, the system assigns it a security descriptor that contains security information
specified by its creator, or default security information if none is specified. Applications can use functions to
retrieve and set the security information for an existing object.
A security descriptor identifies the object's owner and can also contain the following access control lists:
A discretionary access control list (DACL) that identifies the users and groups allowed or denied access to the
object
A system access control list (SACL) that controls how the system audits attempts to access the object
An ACL contains a list of access control entries (ACEs). Each ACE specifies a set of access rights and contains a
SID that identifies a trustee for whom the rights are allowed, denied, or audited. A trustee can be a user account,
group account, or logon session.
Use functions to manipulate the contents of security descriptors, SIDs, and ACLs rather than accessing them
directly. This helps ensure that these structures remain syntactically accurate and prevents future enhancements
to the security system from breaking existing code.
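The following C model, added here as an example and not code from this documentation or from Windows, walks a DACL the way the check described above does: it matches each ACE's trustee SID against the SIDs in the access token, stops at the first deny ACE that covers a requested right, accumulates allow ACEs until every requested right is granted, and otherwise denies implicitly. It goes beyond this section by also modeling the NULL DACL, empty DACL and owner rules covered by later topics in this reference; the structures are simplified stand-ins for the real ones, and all SIDs are constructed except S-1-5-32-545 (BUILTIN\Users).

```c
/* Model of the DACL walk this section describes. Added example, not Windows
 * code: the structs are simplified stand-ins for ACCESS_MASK, ACE, ACL and
 * SECURITY_DESCRIPTOR, and SIDs are plain strings. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t access_mask_t;   /* stand-in for ACCESS_MASK */

/* Real Win32 bit positions for the rights used below. */
#define FILE_READ_DATA  0x00000001u
#define FILE_WRITE_DATA 0x00000002u
#define FILE_EXECUTE    0x00000020u
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u

typedef enum { ACE_ACCESS_ALLOWED, ACE_ACCESS_DENIED } ace_type_t;

typedef struct {
    ace_type_t    type;
    const char   *trustee_sid;   /* SID of the user or group the ACE is for */
    access_mask_t mask;          /* rights this ACE allows or denies */
} ace_t;

typedef struct {
    bool         present;   /* false models a NULL DACL */
    size_t       count;     /* 0 with present == true models an empty DACL */
    const ace_t *aces;      /* checked strictly in this order */
} dacl_t;

typedef struct { const char *owner_sid; dacl_t dacl; } security_descriptor_t;

/* Token: the user SID followed by the enabled group SIDs. */
typedef struct { size_t count; const char *const *sids; } access_token_t;

static bool token_has_sid(const access_token_t *tok, const char *sid)
{
    for (size_t i = 0; i < tok->count; i++)
        if (strcmp(tok->sids[i], sid) == 0)
            return true;
    return false;
}

/* Returns the rights the walk grants; access is allowed exactly when the
 * result equals `desired`. A deny ACE hit returns what was granted before it. */
access_mask_t model_access_check(const security_descriptor_t *sd,
                                 const access_token_t *tok, access_mask_t desired)
{
    access_mask_t have = 0;
    if (!sd->dacl.present)            /* NULL DACL: the object is unprotected */
        return desired;
    /* The owner always gets READ_CONTROL and WRITE_DAC, so it can read and
     * repair the DACL even when the ACEs deny it everything else. */
    if (sd->owner_sid != NULL && token_has_sid(tok, sd->owner_sid))
        have |= desired & (READ_CONTROL | WRITE_DAC);
    access_mask_t remaining = desired & ~have;
    for (size_t i = 0; i < sd->dacl.count && remaining != 0; i++) {
        const ace_t *ace = &sd->dacl.aces[i];
        if (!token_has_sid(tok, ace->trustee_sid))
            continue;                          /* ACE names another trustee */
        if (ace->type == ACE_ACCESS_DENIED) {
            if (ace->mask & remaining)         /* denies a right still wanted */
                return have;
        } else {
            have |= ace->mask & remaining;     /* allows accumulate */
            remaining = desired & ~have;
        }
    }
    return have;   /* empty DACL or unsatisfied rights: implicit deny */
}

bool access_allowed(const security_descriptor_t *sd, const access_token_t *tok,
                    access_mask_t desired)
{
    return model_access_check(sd, tok, desired) == desired;
}

/* Constructed sample: the domain SIDs are made up; S-1-5-32-545 is the real
 * well-known SID of BUILTIN\Users. Denies come first, as in a canonical DACL. */
#define SID_ALICE "S-1-5-21-1111-2222-3333-1001"   /* owner of the object */
#define SID_BOB   "S-1-5-21-1111-2222-3333-1002"
#define SID_CAROL "S-1-5-21-1111-2222-3333-1003"
#define SID_USERS "S-1-5-32-545"
static const ace_t sample_aces[] = {
    { ACE_ACCESS_DENIED,  SID_BOB,   FILE_WRITE_DATA },
    { ACE_ACCESS_ALLOWED, SID_USERS, FILE_READ_DATA | FILE_EXECUTE },
    { ACE_ACCESS_ALLOWED, SID_BOB,   FILE_WRITE_DATA },   /* shadowed by the deny */
};
const security_descriptor_t sample_sd     = { SID_ALICE, { true,  3, sample_aces } };
const security_descriptor_t null_dacl_sd  = { SID_ALICE, { false, 0, NULL } };
const security_descriptor_t empty_dacl_sd = { SID_ALICE, { true,  0, NULL } };
static const char *const alice_sids[] = { SID_ALICE, SID_USERS };
static const char *const bob_sids[]   = { SID_BOB,   SID_USERS };
static const char *const carol_sids[] = { SID_CAROL, SID_USERS };
const access_token_t alice = { 2, alice_sids };
const access_token_t bob   = { 2, bob_sids };
const access_token_t carol = { 2, carol_sids };
```

With this data Bob's third ACE never grants him write access because the deny ACE is reached first, which is why a DACL is kept in canonical order.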
The following topics provide information about parts of the access control model:
Access Tokens
Security Descriptors
Access Control Lists
Access Control Entries
Access Rights and Access Masks
How AccessCheck Works
Centralized Authorization Policy
Security Identifiers
Access Tokens

An access token is an object that describes the security context of a process or thread. The information in a token
includes the identity and privileges of the user account associated with the process or thread. When a user logs
on, the system verifies the user's password by comparing it with information stored in a security database. If the
password is authenticated, the system produces an access token. Every process executed on behalf of this user
has a copy of this access token.
The system uses an access token to identify the user when a thread interacts with a securable object or tries to
perform a system task that requires privileges. Access tokens contain the following information:
The security identifier (SID) for the user's account
SIDs for the groups of which the user is a member
A logon SID that identifies the current logon session
A list of the privileges held by either the user or the user's groups
An owner SID
The SID for the primary group
The default DACL that the system uses when the user creates a securable object without specifying a security
descriptor
The source of the access token
Whether the token is a primary or impersonation token
An optional list of restricting SIDs
Current impersonation levels
Other statistics
Every process has a primary token that describes the security context of the user account associated with the
process. By default, the system uses the primary token when a thread of the process interacts with a securable
object. Moreover, a thread can impersonate a client account. Impersonation allows the thread to interact with
securable objects using the client's security context. A thread that is impersonating a client has both a primary
token and an impersonation token.
Use the OpenProcessToken function to retrieve a handle to the primary token of a process. Use the
OpenThreadToken function to retrieve a handle to the impersonation token of a thread. For more information,
see Impersonation.
You can use the following functions to manipulate access tokens.

FUNCTION                DESCRIPTION
AdjustTokenGroups       Changes the group information in an access token.
AdjustTokenPrivileges   Enables or disables the privileges in an access token. It does not grant new privileges
                        or revoke existing ones.
CheckTokenMembership    Determines whether a specified SID is enabled in a specified access token.
CreateRestrictedToken   Creates a new token that is a restricted version of an existing token. The restricted
                        token can have disabled SIDs, deleted privileges, and a list of restricted SIDs.
DuplicateToken          Creates a new impersonation token that duplicates an existing token.
DuplicateTokenEx        Creates a new primary token or impersonation token that duplicates an existing token.
GetTokenInformation     Retrieves information about a token.
IsTokenRestricted       Determines whether a token has a list of restricting SIDs.
OpenProcessToken        Retrieves a handle to the primary access token for a process.
OpenThreadToken         Retrieves a handle to the impersonation access token for a thread.
SetThreadToken          Assigns or removes an impersonation token for a thread.
SetTokenInformation     Changes a token's owner, primary group, or default DACL.

The access token functions use the following structures to describe the parts of an access token.

STRUCTURE              DESCRIPTION
TOKEN_CONTROL          Information that identifies an access token.
TOKEN_DEFAULT_DACL     The default DACL that the system uses in the security descriptors of new objects created
                       by a thread.
TOKEN_GROUPS           Specifies the SIDs and attributes of the group SIDs in an access token.
TOKEN_OWNER            The default owner SID for the security descriptors of new objects.
TOKEN_PRIMARY_GROUP    The default primary group SID for the security descriptors of new objects.
TOKEN_PRIVILEGES       The privileges associated with an access token. Also determines whether the privileges
                       are enabled.
TOKEN_SOURCE           The source of an access token.
TOKEN_STATISTICS       Statistics associated with an access token.
TOKEN_USER             The SID of the user associated with an access token.


The access token functions use the following enumeration types.

ENUMERATION TYPE           SPECIFIES
TOKEN_INFORMATION_CLASS    Identifies the type of information being set or retrieved from an access token.
TOKEN_TYPE                 Identifies an access token as a primary or impersonation token.
Restricted Tokens
3/5/2021

A restricted token is a primary or impersonation access token that has been modified by the
CreateRestrictedToken function. A process or impersonating thread running in the security context of a
restricted token is restricted in its ability to access securable objects or perform privileged operations. The
CreateRestrictedToken function can restrict a token in the following ways:
Remove privileges from the token.
Apply the deny-only attribute to SIDs in the token so that they cannot be used to access secured objects. For
more information about the deny-only attribute, see SID Attributes in an Access Token.
Specify a list of restricting SIDs, which can limit access to securable objects.
The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a
restricted process or thread tries to access a securable object, the system performs two access checks: one using
the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access
checks allow the requested access rights. For more information about access checks, see How DACLs Control
Access to an Object.
You can use a restricted primary token in a call to the CreateProcessAsUser function. Typically, the process
that calls CreateProcessAsUser must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege, which is usually
held only by system code or by services running in the LocalSystem account. However, if the
CreateProcessAsUser call specifies a restricted version of the caller's primary token, this privilege is not
required. This enables ordinary applications to create restricted processes.
You can also use a restricted primary or impersonation token in the ImpersonateLoggedOnUser function.
To determine whether a token has a list of restricting SIDs, call the IsTokenRestricted function.

NOTE
Applications that use restricted tokens should run the restricted application on desktops other than the default desktop.
This is necessary to prevent an attack by a restricted application, using SendMessage or PostMessage , against unrestricted
applications on the default desktop. If necessary, switch between desktops for your application purposes.
SID Attributes in an Access Token
3/5/2021

Each user and group security identifier (SID) in an access token has a set of attributes that control how the
system uses the SID in an access check. The following table lists the attributes that control access checking.

ATTRIBUTE                     DESCRIPTION
SE_GROUP_ENABLED              A SID with this attribute is enabled for access checks. When the system performs an
                              access check, it checks for access-allowed and access-denied access control entries
                              (ACEs) that apply to one of the enabled SIDs in the access token. A SID without this
                              attribute is ignored during an access check unless the
                              SE_GROUP_USE_FOR_DENY_ONLY attribute is set.
SE_GROUP_USE_FOR_DENY_ONLY    A SID with this attribute is a deny-only SID. When the system performs an access
                              check, it checks for access-denied ACEs that apply to the SID, but it ignores
                              access-allowed ACEs for the SID. If this attribute is set, the SE_GROUP_ENABLED
                              attribute is not set and the SID cannot be reenabled.

To set or clear the SE_GROUP_ENABLED attribute of a group SID, use the AdjustTokenGroups function. You
cannot disable a group SID that has the SE_GROUP_MANDATORY attribute. You cannot use
AdjustTokenGroups to disable the user SID of an access token.
To determine whether a SID is enabled in a token, that is, whether it has the SE_GROUP_ENABLED attribute, call
the CheckTokenMembership function.
To set the SE_GROUP_USE_FOR_DENY_ONLY attribute of a SID, include the SID in the list of deny-only SIDs that
you specify when you call the CreateRestrictedToken function. CreateRestrictedToken can apply the
SE_GROUP_USE_FOR_DENY_ONLY attribute to any SID, including the user SID and group SIDs that have the
SE_GROUP_MANDATORY attribute. However, you cannot remove the deny-only attribute from a SID, nor can
you use AdjustTokenGroups to set the SE_GROUP_ENABLED attribute on a deny-only SID.
To get the attributes of a SID, call the GetTokenInformation function with the TokenGroups value. The function
returns an array of SID_AND_ATTRIBUTES structures that identify the group SIDs and their attributes.
Access Rights for Access-Token Objects
4/30/2021

Access tokens are themselves securable objects: each token has its own security descriptor, and an application
cannot change a token, or the access control list in that security descriptor, unless the DACL grants it the rights
to do so. For more information about security, see Access Control Model.
To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and
SetKernelObjectSecurity functions.
When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, the
system checks the requested access rights against the DACL in the token's security descriptor.
The following are valid access rights for access-token objects:
The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do
not support the SYNCHRONIZE standard access right.
The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.
The specific access rights for access tokens, which are listed in the following table.
VALUE                     MEANING
TOKEN_ADJUST_DEFAULT      Required to change the default owner, primary group, or DACL of an access token.
TOKEN_ADJUST_GROUPS       Required to adjust the attributes of the groups in an access token.
TOKEN_ADJUST_PRIVILEGES   Required to enable or disable the privileges in an access token.
TOKEN_ADJUST_SESSIONID    Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is
                          required.
TOKEN_ASSIGN_PRIMARY      Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME
                          privilege is also required to accomplish this task.
TOKEN_DUPLICATE           Required to duplicate an access token.
TOKEN_EXECUTE             Same as STANDARD_RIGHTS_EXECUTE.
TOKEN_IMPERSONATE         Required to attach an impersonation access token to a process.
TOKEN_QUERY               Required to query an access token.
TOKEN_QUERY_SOURCE        Required to query the source of an access token.
TOKEN_READ                Combines STANDARD_RIGHTS_READ and TOKEN_QUERY.
TOKEN_WRITE               Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and
                          TOKEN_ADJUST_DEFAULT.
TOKEN_ALL_ACCESS          Combines all possible access rights for a token.


Security Descriptors
3/5/2021

A security descriptor contains the security information associated with a securable object. A security descriptor
consists of a SECURITY_DESCRIPTOR structure and its associated security information. A security descriptor
can include the following security information:
Security identifiers (SIDs) for the owner and primary group of an object.
A DACL that specifies the access rights allowed or denied to particular users or groups.
A SACL that specifies the types of access attempts that generate audit records for the object.
A set of control bits that qualify the meaning of a security descriptor or its individual members.
Applications must not directly manipulate the contents of a security descriptor. The Windows API provides
functions for setting and retrieving the security information in an object's security descriptor. In addition, there
are functions for creating and initializing a security descriptor for a new object.
Applications working with security descriptors on Active Directory objects can use the Windows security
functions or the security interfaces provided by the Active Directory Service Interfaces (ADSI). For more
information about ADSI security interfaces, see How Access Control Works in Active Directory.
Security Descriptor Operations
3/5/2021

The Windows API provides functions for getting and setting the components of the security descriptor
associated with a securable object. Use the GetSecurityInfo and GetNamedSecurityInfo functions to retrieve
a pointer to an object's security descriptor. These functions can also retrieve pointers to the individual
components of the security descriptor: DACL, SACL, owner SID, and primary group SID. Use the
SetSecurityInfo and SetNamedSecurityInfo functions to set the components of an object's security
descriptor.
In general, you should use GetSecurityInfo and SetSecurityInfo with objects identified by a handle, and
SetNamedSecurityInfo and GetNamedSecurityInfo with objects identified by a name. For more
information about the specific functions to use when working with the various types of objects, see Securable
Objects.
The Windows API provides additional functions for manipulating the components of a security descriptor. For
information about working with access control lists (DACLs or SACLs), see Getting Information from an ACL and
Creating or Modifying an ACL. For information about SIDs, see Security Identifiers (SIDs).
To get the control information in a security descriptor, call the GetSecurityDescriptorControl function. To set
the control bits that relate to automatic ACE inheritance, call the SetSecurityDescriptorControl function.
Other control bits are set by the various functions that set a security descriptor component. For example, if you
use SetSecurityInfo to change an object's DACL, the function sets or clears the bits as appropriate to indicate
whether the security descriptor has a DACL, whether it is a default DACL, and so on. Another example is the
resource manager (RM) control bits contained in the security descriptor. These bits are used according to the
implementation of the resource manager, and are accessed through the GetSecurityDescriptorRMControl
and SetSecurityDescriptorRMControl functions.
Security Descriptors for New Objects
3/5/2021

When you create a securable object, you can assign a security descriptor to the new object. The functions for
creating securable objects, such as CreateFile or RegCreateKeyEx , have a parameter that points to the
SECURITY_ATTRIBUTES structure that can contain a pointer to the new object's security descriptor. For sample
code that builds a security descriptor and then calls RegCreateKeyEx to assign the security descriptor to a new
registry key, see Creating a Security Descriptor for a New Object in C++.
The system component or server that manages the object can store the specified or default security descriptor
to make it a persistent attribute of the object. If an object's creator does not specify a security descriptor, the
system uses inherited or default security information to create a security descriptor. You can use functions to
change the information in an object's security descriptor.
Directory service objects, files, directories, registry keys, and desktops are securable objects that can have a
parent object. When you create one of these objects, the system checks for inheritable ACEs in the security
descriptor of the parent object. The system typically merges any inheritable ACEs into the ACLs of the new
object's security descriptor. You can prevent a DACL or SACL from inheriting ACEs by setting the
SE_DACL_PROTECTED or SE_SACL_PROTECTED bits in the security descriptor's control bits. For more
information, see ACE inheritance.
DACL for a New Object
3/5/2021

The system uses the following algorithm to build a DACL for most types of new securable objects:
1. The object's DACL is the DACL from the security descriptor specified by the object's creator. The system
merges any inheritable ACEs into the specified DACL unless the SE_DACL_PROTECTED bit is set in the
security descriptor's control bits.
2. If the creator does not specify a security descriptor, the system builds the object's DACL from inheritable
ACEs.
3. If no security descriptor is specified and there are no inheritable ACEs, the object's DACL is the default DACL
from the primary or impersonation token of the creator.
4. If there is no specified, inherited, or default DACL, the system creates the object with no DACL, which allows
everyone full access to the object.
The system uses a different algorithm to build a DACL for a new Active Directory object. For more information,
see How Security Descriptors are Set on New Directory Objects.
SACL for a New Object
3/5/2021

The system uses the following algorithm to build a SACL for most types of new securable objects:
1. The object's SACL is the SACL from the security descriptor specified by the object's creator. The system
merges any inheritable ACEs into the specified SACL unless the SE_SACL_PROTECTED bit is set in the security
descriptor's control bits. SYSTEM_RESOURCE_ATTRIBUTE_ACEs and SYSTEM_SCOPED_POLICY_ID_ACEs from
a parent object will be merged to a new object even if the SE_SACL_PROTECTED bit is set.
2. If the creator does not specify a security descriptor, the system builds the object's SACL from inheritable
ACEs.
3. If there is no specified or inherited SACL, the object has no SACL.
To specify a SACL for a new object, the object's creator must have the SE_SECURITY_NAME privilege enabled. If
the specified SACL for a new object contains only SYSTEM_RESOURCE_ATTRIBUTE_ACEs, the SE_SECURITY_NAME
privilege is not required. The creator also does not need this privilege if the object's SACL is built from
inherited ACEs.
The system uses a different algorithm to build a SACL for a new Active Directory object. For more information,
see How Security Descriptors are Set on New Directory Objects.
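The DACL and SACL construction rules listed above (DACL for a New Object and SACL for a New Object), as an added illustration that is not from the original documentation and not the Windows implementation: a portable C model with its own type names, a PROTECTED bit standing in for SE_DACL_PROTECTED and SE_SACL_PROTECTED, and constructed sample ACEs. A false return from the SACL builder stands in for the privilege failure the real call would report.

```c
/* Added illustration for this page: a portable model of the documented rules for the
 * DACL and SACL of a newly created object. Not the Windows implementation and not the
 * Win32 API; the type names, the PROTECTED bit (standing in for SE_DACL_PROTECTED and
 * SE_SACL_PROTECTED) and all sample SIDs, masks and ACEs are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACES 8
enum ace_type { ACE_ALLOW, ACE_DENY, ACE_AUDIT, ACE_RESOURCE_ATTRIBUTE, ACE_SCOPED_POLICY };
typedef struct { enum ace_type type; uint32_t sid; uint32_t mask; bool inherited; } ace_model;
/* present == false models a descriptor (or token) that carries no ACL of this kind. */
typedef struct { ace_model aces[MAX_ACES]; size_t n; bool present; } acl_model;

enum { PROTECTED = 1u };
enum acl_source { SRC_SPECIFIED, SRC_INHERITED, SRC_TOKEN_DEFAULT, SRC_NONE };

/* Copy the parent's inheritable ACEs onto the new object, marking each copy as inherited
 * (the INHERITED_ACE flag). keep, if given, filters by ACE type. */
static void append_inheritable(acl_model *dst, const acl_model *parent, bool (*keep)(enum ace_type))
{
    for (size_t i = 0; i < parent->n && dst->n < MAX_ACES; i++) {
        if (keep != NULL && !keep(parent->aces[i].type)) continue;
        dst->aces[dst->n] = parent->aces[i];
        dst->aces[dst->n++].inherited = true;
    }
}

static bool is_policy_ace(enum ace_type t) { return t == ACE_RESOURCE_ATTRIBUTE || t == ACE_SCOPED_POLICY; }

/* The four documented steps for a DACL. specified == NULL means the creator supplied no
 * security descriptor; token_default == NULL means the token has no default DACL. */
enum acl_source build_new_object_dacl(acl_model *out, const acl_model *specified, uint32_t control,
                                      const acl_model *parent, const acl_model *token_default)
{
    memset(out, 0, sizeof *out);
    if (specified != NULL && specified->present) {               /* 1. creator's DACL ... */
        *out = *specified;
        if (!(control & PROTECTED)) append_inheritable(out, parent, NULL); /* ... plus inherited ACEs */
        return SRC_SPECIFIED;
    }
    if (parent->n > 0) {                                         /* 2. inherited ACEs only */
        out->present = true;
        append_inheritable(out, parent, NULL);
        return SRC_INHERITED;
    }
    if (token_default != NULL && token_default->present) {       /* 3. token's default DACL */
        *out = *token_default;
        return SRC_TOKEN_DEFAULT;
    }
    return SRC_NONE;                                             /* 4. no DACL: everyone gets full access */
}

/* SACL rules: no token default; SE_SECURITY_NAME is needed to specify a SACL unless it holds
 * only resource-attribute ACEs or is built purely by inheritance; resource-attribute and
 * scoped-policy ACEs inherit even through SE_SACL_PROTECTED. A false return stands in for
 * the privilege failure the real call would report. */
bool build_new_object_sacl(acl_model *out, const acl_model *specified, uint32_t control,
                           const acl_model *parent, bool has_security_privilege)
{
    memset(out, 0, sizeof *out);
    if (specified != NULL && specified->present) {
        bool only_attrs = true;
        for (size_t i = 0; i < specified->n; i++)
            if (specified->aces[i].type != ACE_RESOURCE_ATTRIBUTE) only_attrs = false;
        if (!only_attrs && !has_security_privilege) return false;
        *out = *specified;
        append_inheritable(out, parent, (control & PROTECTED) ? is_policy_ace : NULL);
        return true;
    }
    if (parent->n > 0) { out->present = true; append_inheritable(out, parent, NULL); }
    return true;                              /* inherited only, or no SACL: no privilege needed */
}

/* Constructed sample input (arbitrary SIDs and masks). */
const acl_model specified_dacl     = { { { ACE_ALLOW, 1001, 0x7, false } }, 1, true };
const acl_model parent_dacl        = { { { ACE_ALLOW, 545, 0x1, false }, { ACE_DENY, 546, 0x4, false } }, 2, true };
const acl_model token_default_dacl = { { { ACE_ALLOW, 1001, 0x7, false }, { ACE_ALLOW, 18, 0x7, false } }, 2, true };
const acl_model specified_sacl     = { { { ACE_AUDIT, 545, 0x2, false } }, 1, true };
const acl_model attrs_only_sacl    = { { { ACE_RESOURCE_ATTRIBUTE, 0, 0, false } }, 1, true };
const acl_model parent_sacl        = { { { ACE_AUDIT, 545, 0x4, false }, { ACE_SCOPED_POLICY, 0, 0, false } }, 2, true };
const acl_model nothing            = { { { ACE_ALLOW, 0, 0, false } }, 0, false };
acl_model scratch;                            /* output buffer */

int main(void)
{
    enum acl_source src = build_new_object_dacl(&scratch, &specified_dacl, 0, &parent_dacl, &token_default_dacl);
    printf("specified DACL, not protected: source %d, %zu ACEs\n", (int)src, scratch.n);
    printf("specified SACL without SE_SECURITY_NAME: %s\n",
           build_new_object_sacl(&scratch, &specified_sacl, 0, &nothing, false) ? "built" : "privilege required");
    return 0;
}
```

The model keeps the two ACLs' rules deliberately separate: a DACL falls back to the token's default and finally to "no DACL", while a SACL has no default and simply ends up absent, which is why a protected SACL still receives the parent's resource-attribute and scoped-policy ACEs but never its audit ACEs.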
Owner of a New Object
3/5/2021

An object's owner implicitly has WRITE_DAC access to the object. This means that the owner can modify the
object's discretionary access control list (DACL), and thus, can control access to the object.
The owner of a new object is the default owner security identifier (SID) from the primary or impersonation
token of the creating process. To get or set the default owner in an access token, call the GetTokenInformation
or SetTokenInformation function with the TOKEN_OWNER structure. The system does not allow you to set a
token's default owner to a SID that is not valid, such as the SID of another user's account.
A process with the SE_TAKE_OWNERSHIP_NAME privilege enabled can set itself as the owner of an object. A process
with the SE_RESTORE_NAME privilege enabled or with WRITE_OWNER access to the object can set any valid
user or group SID as the owner of an object.
Primary Group of a New Object
3/5/2021

A new object's primary group is the primary group from the security descriptor specified by the object's creator.
If an object's creator does not specify a primary group, the object's primary group is the default primary group
from the creator's primary or impersonation token.
Security Descriptor Strings
3/5/2021

A valid functional security descriptor contains security information in binary format. The Windows API provides
functions for converting binary security descriptors to and from text strings. Security descriptors in string
format are not functional, but they can be useful for storing or transporting security descriptor information.
To convert a security descriptor to a string format, call the
ConvertSecurityDescriptorToStringSecurityDescriptor function. To convert a string-format security
descriptor back to a valid functional security descriptor, call the
ConvertStringSecurityDescriptorToSecurityDescriptor function.
For more information, see Security Descriptor Definition Language.
Access Control Lists
3/5/2021

An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and
specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable
object can contain two types of ACLs: a DACL and a SACL.
A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable
object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to
determine whether to grant access to it. If the object does not have a DACL, the system grants full access to
everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the
DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs
that allow all the requested access rights, or until any of the requested access rights are denied. For more
information, see How DACLs Control Access to an Object. For information about how to properly create a DACL,
see Creating a DACL.
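The access check the preceding paragraph describes, together with the behaviour of deny-only SIDs and the second pass a restricted token gets (see Restricted Tokens and SID Attributes in an Access Token above), as an added illustration that is not part of the original documentation and not the Windows implementation: a portable C model in which SIDs are plain integers and the SID values, rights bits, tokens and DACLs are all constructed for the demo. It also shows why the position of a deny ACE decides whether it is ever reached.

```c
/* Added illustration for this page: a portable model of the DACL access check the
 * text describes (enabled vs. deny-only SIDs, a restricted token's second pass over
 * its restricting SIDs, NULL vs. empty DACL). Not the Windows implementation and not
 * the Win32 API; SIDs are integers and all SID values and rights bits are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t sid_t;
enum { SID_ENABLED = 1u, SID_DENY_ONLY = 2u };    /* after SE_GROUP_ENABLED / SE_GROUP_USE_FOR_DENY_ONLY */
typedef struct { sid_t sid; uint32_t attrs; } sid_and_attrs;
typedef struct {
    const sid_and_attrs *sids;        size_t n_sids;         /* user and group SIDs */
    const sid_and_attrs *restricting; size_t n_restricting;  /* 0 = not a restricted token */
} token_model;
enum ace_type { ACE_ALLOW, ACE_DENY };
typedef struct { enum ace_type type; sid_t sid; uint32_t mask; } ace_model;
typedef struct { const ace_model *aces; size_t n_aces; } acl_model; /* NULL acl = no DACL; n_aces 0 = empty DACL */

static const sid_and_attrs *find_sid(const sid_and_attrs *sids, size_t n, sid_t sid)
{
    for (size_t i = 0; i < n; i++)
        if (sids[i].sid == sid) return &sids[i];
    return NULL;
}

/* One pass over the DACL with one SID list. ACEs are visited in order and the walk stops
 * once every requested right is granted or a still-outstanding right is denied, so where a
 * deny ACE sits decides whether it is ever reached. */
static bool dacl_pass(const acl_model *acl, const sid_and_attrs *sids, size_t n, uint32_t desired)
{
    if (acl == NULL) return true;                   /* no DACL: everyone gets full access */
    uint32_t remaining = desired;
    for (size_t i = 0; i < acl->n_aces && remaining != 0; i++) {
        const ace_model *ace = &acl->aces[i];
        const sid_and_attrs *m = find_sid(sids, n, ace->sid);
        if (m == NULL) continue;                    /* trustee not in this SID list */
        if (ace->type == ACE_DENY) {                /* deny ACEs match enabled and deny-only SIDs */
            if ((m->attrs & (SID_ENABLED | SID_DENY_ONLY)) && (ace->mask & remaining)) return false;
        } else if (m->attrs & SID_ENABLED) {        /* allow ACEs match enabled SIDs only */
            remaining &= ~ace->mask;
        }
    }
    return remaining == 0;                          /* an empty DACL grants nothing */
}

/* Normal pass first; a restricted token then gets a second pass in which only its
 * restricting SIDs count. Access is granted only if both passes succeed. */
bool access_check(const token_model *tok, const acl_model *acl, uint32_t desired)
{
    if (!dacl_pass(acl, tok->sids, tok->n_sids, desired)) return false;
    if (tok->n_restricting == 0) return true;
    return dacl_pass(acl, tok->restricting, tok->n_restricting, desired);
}

/* Constructed sample data: arbitrary SID values and rights bits. */
enum { SID_USER = 1001, SID_USERS = 545, SID_ADMINS = 544, SID_LOGON = 999 };
enum { R_READ = 1u, R_WRITE = 2u, R_DELETE = 4u };
static const sid_and_attrs full_sids[] = {
    { SID_USER, SID_ENABLED }, { SID_USERS, SID_ENABLED }, { SID_ADMINS, SID_ENABLED } };
const token_model full_token = { full_sids, 3, NULL, 0 };

/* As CreateRestrictedToken would leave it: Administrators deny-only, plus a single
 * restricting SID (Users in one token, the logon SID in the other). */
static const sid_and_attrs restricted_sids[] = {
    { SID_USER, SID_ENABLED }, { SID_USERS, SID_ENABLED }, { SID_ADMINS, SID_DENY_ONLY } };
static const sid_and_attrs restrict_users[] = { { SID_USERS, SID_ENABLED } };
static const sid_and_attrs restrict_logon[] = { { SID_LOGON, SID_ENABLED } };
const token_model restricted_token       = { restricted_sids, 3, restrict_users, 1 };
const token_model restricted_logon_token = { restricted_sids, 3, restrict_logon, 1 };

/* Canonical order: the explicit deny precedes the explicit allows. */
static const ace_model canonical_aces[] = {
    { ACE_DENY, SID_ADMINS, R_DELETE }, { ACE_ALLOW, SID_ADMINS, R_READ | R_WRITE },
    { ACE_ALLOW, SID_USERS, R_READ } };
const acl_model canonical_dacl = { canonical_aces, 3 };

/* The same deny placed after an allow that already hands out DELETE: never reached. */
static const ace_model misordered_aces[] = {
    { ACE_ALLOW, SID_ADMINS, R_READ | R_WRITE | R_DELETE }, { ACE_DENY, SID_ADMINS, R_DELETE } };
const acl_model misordered_dacl = { misordered_aces, 2 };

/* A deny aimed at Administrators still bites a token where that SID is deny-only. */
static const ace_model deny_admins_aces[] = {
    { ACE_DENY, SID_ADMINS, R_READ }, { ACE_ALLOW, SID_USERS, R_READ } };
const acl_model deny_admins_dacl = { deny_admins_aces, 2 };
const acl_model empty_dacl = { NULL, 0 };

int main(void)
{
    printf("full token, DELETE, canonical order:  %d\n", access_check(&full_token, &canonical_dacl, R_DELETE));
    printf("full token, DELETE, deny placed last: %d\n", access_check(&full_token, &misordered_dacl, R_DELETE));
    printf("restricted token, READ / WRITE:       %d / %d\n",
           access_check(&restricted_token, &canonical_dacl, R_READ),
           access_check(&restricted_token, &canonical_dacl, R_WRITE));
    return 0;
}
```

Two results are worth dwelling on. The restricted token is refused WRITE even though an allow ACE for Administrators grants it, because a deny-only SID never matches an allow ACE; and the token restricted by the logon SID is refused READ although the first pass succeeds, because nothing in the DACL names the only SID the second pass is allowed to use.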
A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE
specifies the types of access attempts by a specified trustee that cause the system to generate a record in the
security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds,
or both. For more information about SACLs, see Audit Generation and SACL Access Right.
Do not try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the
appropriate functions to create and manipulate ACLs. For more information, see Getting Information from an
ACL and Creating or Modifying an ACL.
ACLs also provide access control to Microsoft Active Directory directory service objects. Active Directory Service
Interfaces (ADSI) include routines to create and modify the contents of these ACLs. For more information, see
Controlling Access to Active Directory Objects.
Getting Information from an ACL
3/5/2021

Several functions are provided that retrieve access control information from an access control list (ACL). These
include functions for determining the access rights that an ACL grants or audits for a specified trustee. Other
functions enable you to extract information about the access control entries (ACEs) in an ACL.
The GetExplicitEntriesFromAcl function retrieves an array of EXPLICIT_ACCESS structures that describe the
ACEs in an ACL. This can be useful when copying ACE information from one ACL to another. For example, a call
to GetExplicitEntriesFromAcl to get information about the ACEs in one ACL can be followed by passing the
returned EXPLICIT_ACCESS structures in a call to the SetEntriesInAcl function to create equivalent ACEs in a
new ACL.
The GetEffectiveRightsFromAcl function enables you to determine the effective access rights that a DACL
grants to a specified trustee. The trustee's effective access rights are the access rights that a DACL grants to the
trustee or to any groups of which the trustee is a member. GetEffectiveRightsFromAcl checks all access-
allowed and access-denied ACEs in the specified DACL.
Use the following steps to determine a trustee's access rights to an object
1. Call the GetSecurityInfo or GetNamedSecurityInfo function to get a pointer to an object's DACL.
2. Call the GetEffectiveRightsFromAcl function to retrieve the access rights that the DACL grants to a
specified trustee.
The GetAuditedPermissionsFromAcl function enables you to check a SACL to determine the audited access
rights for a specified trustee or for any groups of which the trustee is a member. The audited rights indicate the
types of access attempts that cause the system to generate an audit record in the security event log. The function
returns two access masks: one containing the access rights monitored for failed access attempts, and another
containing the access rights monitored for successful access. GetAuditedPermissionsFromAcl checks all
system-audit ACEs in a SACL.
Creating or Modifying an ACL
3/5/2021

Windows supports a set of functions that create an access control list (ACL) or modify the access control entries
(ACEs) in an existing ACL.
The SetEntriesInAcl function creates a new ACL. SetEntriesInAcl can specify a completely new set of ACEs for
the ACL, or it can merge one or more new ACEs with the ACEs of an existing ACL. The SetEntriesInAcl function
uses an array of EXPLICIT_ACCESS structures to specify the information for the new ACEs. Each
EXPLICIT_ACCESS structure contains information that describes a single ACE. This information includes the
access rights, the type of ACE, the flags that control ACE inheritance, and a TRUSTEE structure that identifies the
trustee.
To add a new ACE to an existing ACL
1. Use the GetSecurityInfo or GetNamedSecurityInfo function to get the existing DACL or SACL from an
object's security descriptor.
2. For each new ACE, call the BuildExplicitAccessWithName function to fill an EXPLICIT_ACCESS structure
with the information that describes the ACE.
3. Call SetEntriesInAcl , specifying the existing ACL and an array of EXPLICIT_ACCESS structures for the new
ACEs. The SetEntriesInAcl function allocates and initializes the ACL and its ACEs.
4. Call the SetSecurityInfo or SetNamedSecurityInfo function to attach the new ACL to the object's security
descriptor.
If the caller specifies an existing ACL, SetEntriesInAcl merges the new ACE information with the existing ACEs
in the ACL. Consider the case, for example, in which the existing ACL grants access to a specified trustee and an
EXPLICIT_ACCESS structure denies access to the same trustee. In this case, SetEntriesInAcl adds a new
access-denied ACE for the trustee and deletes or modifies the existing access-allowed ACE for the trustee.
For sample code that merges a new ACE into an existing ACL, see Modifying the ACLs of an Object in C++.
Access Control Entries
3/5/2021

An access control entry (ACE) is an element in an access control list (ACL). An ACL can have zero or more ACEs.
Each ACE controls or monitors access to an object by a specified trustee. For information about adding,
removing, or changing the ACEs in an object's ACLs, see Modifying the ACLs of an Object in C++.
There are six types of ACEs, three of which are supported by all securable objects. The other three types are
Object-specific ACEs supported by directory service objects.
All types of ACEs contain the following access control information:
A security identifier (SID) that identifies the trustee to which the ACE applies.
An access mask that specifies the access rights controlled by the ACE.
A flag that indicates the type of ACE.
A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary
object to which the ACL is attached.
The following table lists the three ACE types supported by all securable objects.

TYPE                 DESCRIPTION
Access-denied ACE    Used in a discretionary access control list (DACL) to deny access rights to a trustee.
Access-allowed ACE   Used in a DACL to allow access rights to a trustee.
System-audit ACE     Used in a system access control list (SACL) to generate an audit record when the trustee
                     attempts to exercise the specified access rights.

For a table of object-specific ACEs, see Object-specific ACEs.

NOTE
System-alarm object ACEs are not currently supported.
Trustees
3/5/2021

A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies.
Each ACE in an access control list (ACL) has one security identifier (SID) that identifies a trustee.
User accounts include accounts that human users or programs such as Windows Services use to log on to the
local computer.
Group accounts cannot be used to log on to a computer, but they are useful in ACEs to allow or deny a set of
access rights to one or more user accounts.
A logon SID that identifies the current logon session is useful to allow or deny access rights only until the user
logs off.
The access control functions use the TRUSTEE structure to identify a trustee. The TRUSTEE structure enables
you to use a name string or a SID to identify a trustee. If you use a name, the functions that create an ACE from
the TRUSTEE structure perform the task of allocating the SID buffers and looking up the SID that corresponds
to the account name. There are two helper functions, BuildTrusteeWithSid and BuildTrusteeWithName , that
initialize a TRUSTEE structure with a specified SID or name. BuildTrusteeWithObjectsAndSid and
BuildTrusteeWithObjectsAndName allow you to initialize a TRUSTEE structure with object-specific ACE
information. Three other helper functions, GetTrusteeForm , GetTrusteeName , and GetTrusteeType , retrieve
the values of the various members of a TRUSTEE structure.
The ptstrName member of the TRUSTEE structure can be a pointer to an OBJECTS_AND_NAME or
OBJECTS_AND_SID structure. These structures specify information about an object-specific ACE in addition to
a trustee name or SID. This enables functions such as SetEntriesInAcl and GetExplicitEntriesFromAcl to
store object-specific ACE information in the Trustee member of the EXPLICIT_ACCESS structure.
Object-specific ACEs
3/5/2021

Object-specific ACEs are supported for directory service (DS) objects. An object-specific ACE contains a pair of
GUIDs that expand the ways in which the ACE can protect an object.

GUID                  DESCRIPTION
ObjectType            Identifies one of the following:
                      A type of child object. The ACE controls the right to create a specified type of child
                      object. For more information, see Controlling Child Object Creation in C++.
                      A property set or property. The ACE controls the right to read or write the property or
                      property set. For more information, see ACEs to Control Access to an Object's Properties.
                      An extended right. The ACE controls the right to perform the operation associated with
                      the extended right.
                      A validated write. The ACE controls the right to perform certain write operations. These
                      validated write permissions, defined and exposed in the ACL Editor, provide permissions
                      for validated writes of properties rather than unchecked low-level writes of any value to
                      a property that is granted with a "write property" permission.
InheritedObjectType   Indicates the type of child object that can inherit the ACE. Inheritance is also
                      controlled by the inheritance flags in the ACE_HEADER, as well as by any protection
                      against inheritance placed on the child objects. For more information, see ACE
                      Inheritance.


Three types of object-specific ACEs are supported.

NOTE
System-alarm object ACEs are not currently supported.

TYPE                        DESCRIPTION
Access-denied object ACE    Used in a DACL to deny a trustee access to a property or property set on the object,
                            or to limit ACE inheritance to a specified type of child object. Uses the
                            ACCESS_DENIED_OBJECT_ACE structure.
Access-allowed object ACE   Used in a DACL to allow a trustee access to a property or property set on the object,
                            or to limit ACE inheritance to a specified type of child object. Uses the
                            ACCESS_ALLOWED_OBJECT_ACE structure.
System-audit object ACE     Used in a SACL to log a trustee's attempts to access a property or property set on the
                            object, or to limit ACE inheritance to a specified type of child object. Uses the
                            SYSTEM_AUDIT_OBJECT_ACE structure.

Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.
Order of ACEs in a DACL
3/5/2021

When a process tries to access a securable object, the system steps through the access control entries (ACEs) in
the object's discretionary access control list (DACL) until it finds ACEs that allow or deny the requested access.
The access rights that a DACL allows a user could vary depending on the order of ACEs in the DACL.
Consequently, the Windows XP operating system defines a preferred order for ACEs in the DACL of a securable
object. The preferred order provides a simple framework that ensures that an access-denied ACE actually denies
access. For more information about the system's algorithm for checking access, see How DACLs Control Access
to an Object.
For Windows Server 2003 and Windows XP, the proper order of ACEs is complicated by the introduction of
object-specific ACEs and automatic inheritance.
The following steps describe the preferred order:
1. All explicit ACEs are placed in a group before any inherited ACEs.
2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the child object's
parent come first, then ACEs inherited from the grandparent, and so on up the tree of objects.
4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.
Of course, not all ACE types are required in an ACL.
Functions such as AddAccessAllowedAceEx and AddAccessAllowedObjectAce add an ACE to the end of an
ACL. It is the caller's responsibility to ensure that the ACEs are added in the proper order.
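
As an added illustration (not code from this documentation), the following Python models the preferred order and the first-match DACL walk, and shows why an explicit access-denied ACE placed after an inherited access-allowed ACE fails to deny. The ACE model, the `depth` field (a real ACE records only INHERITED_ACE, not which ancestor supplied it) and the sample SIDs are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List

# ACE type and AceFlags values as defined in winnt.h.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
INHERITED_ACE = 0x10          # set by the system on every inherited ACE
FILE_WRITE_DATA = 0x0002      # an object-specific right, used only as sample data here


@dataclass
class Ace:
    """Minimal model of an access-allowed or access-denied ACE."""
    ace_type: int
    trustee: str        # string SID of the trustee
    mask: int           # access rights allowed or denied
    flags: int = 0      # ACE_HEADER.AceFlags
    depth: int = 0      # modeling assumption: 1 = inherited from the parent, 2 = from the
                        # grandparent, ...; the caller has to track this because a real ACE
                        # carries only the INHERITED_ACE flag


def _order_key(ace: Ace):
    """Preferred order: explicit before inherited, inherited ACEs by ancestor
    level, and access-denied before access-allowed at every level."""
    inherited = 1 if ace.flags & INHERITED_ACE else 0
    level = ace.depth if inherited else 0
    deny_first = 0 if ace.ace_type == ACCESS_DENIED_ACE_TYPE else 1
    return (inherited, level, deny_first)


def is_canonical(dacl: List[Ace]) -> bool:
    keys = [_order_key(ace) for ace in dacl]
    return all(a <= b for a, b in zip(keys, keys[1:]))


def canonicalize(dacl: List[Ace]) -> List[Ace]:
    # sorted() is stable, so ACEs with equal keys keep their relative order
    return sorted(dacl, key=_order_key)


def first_match_access(dacl: List[Ace], token_sids: Iterable[str], requested: int) -> bool:
    """Walk the DACL in order the way the access check does: a matching deny ACE
    that covers any still-requested right denies, allow ACEs accumulate rights,
    and running out of ACEs is an implicit deny."""
    sids = set(token_sids)
    remaining = requested
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE and ace.mask & remaining:
            return False
        if ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


# Constructed sample: a made-up user SID plus Everyone (S-1-1-0), which every token holds.
USER_SID = "S-1-5-21-1-2-3-1001"
TOKEN_SIDS = {USER_SID, "S-1-1-0"}
EXPLICIT_DENY = Ace(ACCESS_DENIED_ACE_TYPE, USER_SID, FILE_WRITE_DATA)
EXPLICIT_ALLOW = Ace(ACCESS_ALLOWED_ACE_TYPE, USER_SID, FILE_WRITE_DATA)
INHERITED_ALLOW = Ace(ACCESS_ALLOWED_ACE_TYPE, "S-1-1-0", FILE_WRITE_DATA, INHERITED_ACE, depth=1)

# An inherited allow appended ahead of the explicit deny (for example by adding ACEs
# in the wrong order) lets the first-match walk grant the write the deny was meant to block.
MISORDERED = [INHERITED_ALLOW, EXPLICIT_ALLOW, EXPLICIT_DENY]

if __name__ == "__main__":
    print("misordered grants write:", first_match_access(MISORDERED, TOKEN_SIDS, FILE_WRITE_DATA))
    print("canonical grants write: ",
          first_match_access(canonicalize(MISORDERED), TOKEN_SIDS, FILE_WRITE_DATA))
```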
ACE Inheritance

An object's ACL can contain ACEs that it inherited from its parent container. For example, a registry subkey can
inherit ACEs from the key above it in the registry hierarchy. Likewise, a file in an NTFS file system can inherit
ACEs from the directory that contains it.
The ACE_HEADER structure of an ACE contains a set of inheritance flags that control ACE inheritance and the
effect of an ACE on the object to which it is attached. The system interprets the inheritance flags and other
inheritance information according to the rules of ACE inheritance.
These rules have been enhanced with the following features:
Support for automatic propagation of inheritable ACEs.
A flag that differentiates between inherited ACEs and ACEs that were directly applied to an object.
Object-specific ACEs that allow you to specify the type of child object that can inherit the ACE.
The ability to prevent a DACL or SACL from inheriting ACEs by setting the SE_DACL_PROTECTED or
SE_SACL_PROTECTED bits in the security descriptor's control bits except for
SYSTEM_RESOURCE_ATTRIBUTE_ACE and SYSTEM_SCOPED_POLICY_ID_ACE.
Automatic Propagation of Inheritable ACEs

The SetNamedSecurityInfo and SetSecurityInfo functions support automatic propagation of inheritable
access control entries (ACEs). For example, if you use these functions to add an inheritable ACE to a directory in
an NTFS, the system applies the ACE as appropriate to the access control lists (ACLs) of any existing
subdirectories or files.
Directly applied ACEs have precedence over inherited ACEs. The system implements this precedence by placing
directly applied ACEs ahead of inherited ACEs in a discretionary access control list (DACL). When you call the
SetNamedSecurityInfo and SetSecurityInfo functions to set the security information of an object, the
system imposes the current inheritance model on the ACLs of all objects in the hierarchy below the target
object. For objects that have been converted to the current inheritance model, the SE_DACL_AUTO_INHERITED
and SE_SACL_AUTO_INHERITED bits are set in the control field of the security descriptor of the object.
When you build a new security descriptor that reflects the current inheritance model, care is taken not to change
the semantics of the security descriptor. As such, allow and deny ACEs are never moved in relation to one
another. If such movement is needed (for instance to place all noninherited ACEs at the front of an ACL), the ACL
is marked as protected to prevent the semantic change.
The system uses the following rules when propagating inherited ACEs to child objects:
If a child object with no DACL inherits an ACE, the result is a child object with a DACL that contains only the
inherited ACE.
If a child object with an empty DACL inherits an ACE, the result is a child object with a DACL that contains
only the inherited ACE.
If you remove an inheritable ACE from a parent object, automatic inheritance removes any copies of the ACE
that were inherited by child objects.
If automatic inheritance results in the removal of all ACEs from the DACL of a child object, the child object
has an empty DACL rather than no DACL.
These rules can have the unexpected result of converting an object with no DACL to an object with an empty
DACL. An object with no DACL allows full access, but an object with an empty DACL allows no access. As an
example of how these rules can create an empty DACL, suppose you add an inheritable ACE to the root object of
a tree of objects. Automatic inheritance propagates the inheritable ACE to all the objects in the tree. Child objects
that started with no DACL now have a DACL with the inherited ACE. If you remove the inheritable ACE from the
root object, the system automatically propagates the change to the child objects. Child objects that started with
no DACL (allowing full access) now have an empty DACL (allowing no access).
To ensure that a child object with no DACL is not affected by inheritable ACEs, set the SE_DACL_PROTECTED flag
in the security descriptor of the object.
For information about how to properly create a DACL, see Creating a DACL.
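
The no-DACL versus empty-DACL pitfall described above, as an added Python model that is not part of the original documentation: `None` stands for "no DACL", `[]` for an empty DACL, only access-allowed ACEs are modeled, and an inherited copy is treated as effective on every child (inherit-only handling is left out). The object names and SIDs are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# AceFlags and security descriptor control bits from winnt.h
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
INHERITED_ACE = 0x10
SE_DACL_PROTECTED = 0x1000
INHERIT_FLAGS = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
FILE_GENERIC_READ = 0x120089


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    flags: int = 0


@dataclass
class SecurableObject:
    name: str
    dacl: Optional[List[Ace]]     # None = no DACL (full access for everyone); [] = empty DACL (no access)
    control: int = 0              # security descriptor control bits
    children: List["SecurableObject"] = field(default_factory=list)


def grants_anyone_access(obj: SecurableObject) -> bool:
    if obj.dacl is None:
        return True                             # no DACL: everyone has full access
    return any(ace.mask for ace in obj.dacl)    # only allow ACEs are modeled here


def propagate(obj: SecurableObject) -> None:
    """Re-derive the inherited ACEs of every descendant from obj's inheritable ACEs,
    following the four propagation rules in the text."""
    inheritable = [ace for ace in (obj.dacl or []) if ace.flags & INHERIT_FLAGS]
    for child in obj.children:
        if not child.control & SE_DACL_PROTECTED:
            own = [ace for ace in (child.dacl or []) if not ace.flags & INHERITED_ACE]
            inherited = [Ace(ace.trustee, ace.mask, ace.flags | INHERITED_ACE) for ace in inheritable]
            if child.dacl is not None or inherited:
                # A child that had no DACL now has one. If every ACE is later removed,
                # it is left with an empty DACL, never with "no DACL" again.
                child.dacl = own + inherited
        propagate(child)


def add_inheritable_ace(root: SecurableObject, ace: Ace) -> None:
    root.dacl = (root.dacl or []) + [ace]
    propagate(root)


def remove_inheritable_ace(root: SecurableObject, ace: Ace) -> None:
    root.dacl = [a for a in (root.dacl or []) if a != ace]
    propagate(root)


def build_sample_tree():
    """Constructed hierarchy: the children start with no DACL; one of them is protected."""
    share = SecurableObject("share", dacl=[])
    docs = SecurableObject("docs", dacl=None)
    report = SecurableObject("report.txt", dacl=None)
    keep = SecurableObject("keep", dacl=None, control=SE_DACL_PROTECTED)
    docs.children.append(report)
    share.children.extend([docs, keep])
    return share, docs, report, keep


if __name__ == "__main__":
    share, docs, report, keep = build_sample_tree()
    everyone_read = Ace("S-1-1-0", FILE_GENERIC_READ, INHERIT_FLAGS)
    add_inheritable_ace(share, everyone_read)
    remove_inheritable_ace(share, everyone_read)
    for obj in (docs, report, keep):
        # docs and report.txt end up with an empty DACL; keep still has no DACL
        print(obj.name, obj.dacl, "accessible:", grants_anyone_access(obj))
```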
ACE Inheritance Rules

The system propagates inheritable access control entries (ACEs) to child objects according to a set of inheritance
rules. The system places inherited ACEs in the discretionary access control list (DACL) of the child according to
the preferred order of ACEs in a DACL. The system sets the INHERITED_ACE flag in all inherited ACEs.
The ACEs inherited by container and noncontainer child objects differ, depending on the combinations of
inheritance flags. These inheritance rules work the same for both DACLs and system access control lists (SACLs).

PARENT ACE FLAG | EFFECT ON CHILD ACL

OBJECT_INHERIT_ACE only | Noncontainer child objects: Inherited as an effective ACE. Container child objects: Containers inherit an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.

CONTAINER_INHERIT_ACE only | Noncontainer child objects: No effect on the child object. Container child objects: The child object inherits an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.

CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE | Noncontainer child objects: Inherited as an effective ACE. Container child objects: The child object inherits an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.

No inheritance flags set | No effect on child container or noncontainer objects.


If an inherited ACE is an effective ACE for the child object, the system maps any generic rights to the specific
rights for the child object. Similarly, the system maps generic security identifiers (SIDs), such as
CREATOR_OWNER, to the appropriate SID. If an inherited ACE is an inherit-only ACE, any generic rights or
generic SIDs are left unchanged so that they can be mapped appropriately when the ACE is inherited by the next
generation of child objects.
For a case in which a container object inherits an ACE that is both effective on the container and inheritable by
its descendants, the container may inherit two ACEs. This occurs if the inheritable ACE contains generic
information. The container inherits an inherit-only ACE that contains the generic information and an effective-
only ACE in which the generic information has been mapped.
An object-specific ACE has an InheritedObjectType member that can contain a GUID to identify the type of
object that can inherit the ACE.
If the InheritedObjectType GUID is not specified, the inheritance rules for an object-specific ACE are the same
as for a standard ACE.
If the InheritedObjectType GUID is specified, the ACE is inheritable by objects that match the GUID if
OBJECT_INHERIT_ACE is set, and by containers that match the GUID if CONTAINER_INHERIT_ACE is set. Note
that currently only DS objects support object-specific ACEs, and the DS treats all object types as containers.
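
An added Python rendering of the inheritance table and the generic-mapping rules above (not code from the original page). The file GENERIC_READ mapping is the one stated in the text, the owner SID is constructed, and an ACE is modeled by its trustee, mask and AceFlags only.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

# AceFlags bits from winnt.h
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
NO_PROPAGATE_INHERIT_ACE = 0x04
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10

# Generic rights occupy the four high-order bits of an access mask
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
GENERIC_BITS = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL

CREATOR_OWNER_SID = "S-1-3-0"   # generic SID replaced by the creator's SID on inheritance

# File-object mapping of GENERIC_READ as stated in the text:
# READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES
FILE_GENERIC_READ = 0x00020000 | 0x00100000 | 0x0001 | 0x0008 | 0x0080   # == 0x120089


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    flags: int


def has_generic_info(ace: Ace) -> bool:
    return bool(ace.mask & GENERIC_BITS) or ace.trustee == CREATOR_OWNER_SID


def map_generic(ace: Ace, generic_mapping: Dict[int, int], owner_sid: str) -> Ace:
    """Replace generic rights with the object type's specific rights and
    CREATOR_OWNER with the actual owner, as is done for an effective ACE."""
    mask = ace.mask & ~GENERIC_BITS
    for generic_bit, specific in generic_mapping.items():
        if ace.mask & generic_bit:
            mask |= specific
    trustee = owner_sid if ace.trustee == CREATOR_OWNER_SID else ace.trustee
    return replace(ace, mask=mask, trustee=trustee)


def inherit(parent_ace: Ace, child_is_container: bool,
            generic_mapping: Dict[int, int], owner_sid: str) -> List[Ace]:
    """Return the ACE(s) a child object inherits from parent_ace, per the table."""
    f = parent_ace.flags
    oi = bool(f & OBJECT_INHERIT_ACE)
    ci = bool(f & CONTAINER_INHERIT_ACE)
    no_propagate = bool(f & NO_PROPAGATE_INHERIT_ACE)
    if not (oi or ci):
        return []                               # no inheritance flags: no effect
    if not child_is_container:
        if not oi:
            return []                           # CONTAINER_INHERIT_ACE only: no effect on a file
        effective = replace(parent_ace, flags=INHERITED_ACE)
        return [map_generic(effective, generic_mapping, owner_sid)]
    # Container child: inheritance flags survive unless NO_PROPAGATE_INHERIT_ACE is set
    propagated = 0 if no_propagate else f & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
    if not ci:
        # OBJECT_INHERIT_ACE only: an inherit-only ACE (generic info kept) unless NO_PROPAGATE
        if no_propagate:
            return []
        return [replace(parent_ace, flags=propagated | INHERIT_ONLY_ACE | INHERITED_ACE)]
    effective = map_generic(replace(parent_ace, flags=INHERITED_ACE), generic_mapping, owner_sid)
    if propagated and has_generic_info(parent_ace):
        # Effective and inheritable with generic info: the container gets two ACEs, an
        # inherit-only copy that keeps the generic information for the next generation
        # and an effective-only copy with the mapped rights and SID.
        inherit_only = replace(parent_ace, flags=propagated | INHERIT_ONLY_ACE | INHERITED_ACE)
        return [inherit_only, effective]
    return [replace(effective, flags=propagated | INHERITED_ACE)]


FILE_MAPPING = {GENERIC_READ: FILE_GENERIC_READ}     # only the mapping the text gives
OWNER = "S-1-5-21-1-2-3-1001"                          # constructed owner SID
```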
ACEs to Control Access to an Object's Properties

The discretionary access control list (DACL) of a directory service (DS) object can contain a hierarchy of access
control entries (ACEs), as follows:
1. ACEs that protect the object itself
2. Object-specific ACEs that protect a specified property set on the object
3. Object-specific ACEs that protect a specified property on the object
Within this hierarchy, the rights granted or denied at a higher level apply also to the lower levels. For example, if
an object-specific ACE on a property set allows a trustee the ADS_RIGHT_DS_READ_PROP right, the trustee has
implicit read access to all of the properties of that property set. Similarly, an ACE on the object itself that allows
ADS_RIGHT_DS_READ_PROP access gives the trustee read access to all of the object's properties.
The following illustration shows the tree of a hypothetical DS object and its property sets and properties.

Suppose you want to allow the following access to the properties of this DS object:
Allow Group A read/write permission to all of the object's properties
Allow everyone else read/write permission to all properties except Property D
To do this, set the ACEs in the object's DACL as shown in the following table.

TRUSTEE | OBJECT GUID | ACE TYPE | ACCESS RIGHTS

Group A | None | Access-allowed ACE | ADS_RIGHT_DS_READ_PROP|ADS_RIGHT_DS_WRITE_PROP

Everyone | Property Set 1 | Access-allowed object ACE | ADS_RIGHT_DS_READ_PROP|ADS_RIGHT_DS_WRITE_PROP

Everyone | Property C | Access-allowed object ACE | ADS_RIGHT_DS_READ_PROP|ADS_RIGHT_DS_WRITE_PROP

The ACE for Group A does not have an object GUID, which means that it allows access to all the object's
properties. The object-specific ACE for Property Set 1 allows everyone access to Properties A and B. The other
object-specific ACE allows everyone access to Property C. Note that although this DACL does not have any
access-denied ACEs, it implicitly denies Property D access to everyone except Group A.
When a user tries to access an object's property, the system checks the ACEs, in order, until the requested access
is explicitly granted, denied, or there are no more ACEs, in which case, access is implicitly denied.
The system evaluates:
ACEs that apply to the object itself
Object-specific ACEs that apply to the property set that contains the property being accessed
Object-specific ACEs that apply to the property being accessed
The system ignores object-specific ACEs that apply to other property sets or properties.
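
The walk just described, run over the table's three ACEs, as an added Python example that is not from the original documentation. The GUID strings are placeholders for real property-set and property GUIDs, the SIDs are constructed, and the ADS_RIGHT_DS_* values are those from iads.h.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# ACE type codes from winnt.h
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ALLOW_TYPES = {ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE}
DENY_TYPES = {ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}

# Directory service property rights from iads.h
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20


@dataclass(frozen=True)
class Ace:
    ace_type: int
    trustee: str
    mask: int
    object_type: Optional[str] = None   # GUID of a property set or property; None = the object itself


def check_property_access(dacl: List[Ace], token_sids: Iterable[str], requested: int,
                          prop: str, property_sets: Dict[str, Set[str]]) -> bool:
    """Walk the DACL in order, looking only at ACEs for the object itself, for the
    property set containing `prop`, and for `prop` itself. ACEs for other sets or
    properties are ignored; running out of ACEs is an implicit deny."""
    sids = set(token_sids)
    relevant = {None, prop}
    relevant.update(guid for guid, members in property_sets.items() if prop in members)
    remaining = requested
    for ace in dacl:
        if ace.trustee not in sids or ace.object_type not in relevant:
            continue
        if ace.ace_type in DENY_TYPES and ace.mask & remaining:
            return False
        if ace.ace_type in ALLOW_TYPES:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


# Constructed sample mirroring the table: placeholder GUIDs, made-up SIDs.
GROUP_A = "S-1-5-21-1-2-3-1101"
EVERYONE = "S-1-1-0"
PROPERTY_SET_1 = "{placeholder-guid-property-set-1}"
PROPERTY_A, PROPERTY_B = "{placeholder-guid-property-a}", "{placeholder-guid-property-b}"
PROPERTY_C, PROPERTY_D = "{placeholder-guid-property-c}", "{placeholder-guid-property-d}"
PROPERTY_SETS = {PROPERTY_SET_1: {PROPERTY_A, PROPERTY_B}}
READ_WRITE = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP
DACL = [
    Ace(ACCESS_ALLOWED_ACE_TYPE, GROUP_A, READ_WRITE),                          # whole object
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, EVERYONE, READ_WRITE, PROPERTY_SET_1),  # Properties A and B
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, EVERYONE, READ_WRITE, PROPERTY_C),      # Property C only
]


def can_access(token_sids: Iterable[str], requested: int, prop: str) -> bool:
    return check_property_access(DACL, token_sids, requested, prop, PROPERTY_SETS)


if __name__ == "__main__":
    user = {"S-1-5-21-1-2-3-1002", EVERYONE}
    # Property D is never named by an allow ACE, so it is implicitly denied to this user
    print("user reads A:", can_access(user, ADS_RIGHT_DS_READ_PROP, PROPERTY_A))
    print("user reads D:", can_access(user, ADS_RIGHT_DS_READ_PROP, PROPERTY_D))
```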
Access Rights and Access Masks

An access right is a bit flag that corresponds to a particular set of operations that a thread can perform on a
securable object. For example, a registry key has the KEY_SET_VALUE access right, which corresponds to the
ability of a thread to set a value under the key. If a thread tries to perform an operation on an object, but does
not have the necessary access right to the object, the system does not carry out the operation.
An access mask is a 32-bit value whose bits correspond to the access rights supported by an object. All
Windows securable objects use an access mask format that includes bits for the following types of access rights:
Generic access rights
Standard access rights
SACL access right
Directory services access rights
When a thread tries to open a handle to an object, the thread typically specifies an access mask to request a set
of access rights. For example, an application that needs to set and query the values of a registry key can open
the key by using an access mask to request the KEY_SET_VALUE and KEY_QUERY_VALUE access rights.
The following table shows the functions that manipulate the security information for each type of securable
object.

OBJECT TYPE | SECURITY DESCRIPTOR FUNCTIONS

Files or directories on an NTFS file system | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Named pipes, anonymous pipes | GetSecurityInfo, SetSecurityInfo

Console screen buffers | Not supported.

Processes, threads | GetSecurityInfo, SetSecurityInfo

File-mapping objects | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Access tokens | SetKernelObjectSecurity, GetKernelObjectSecurity

Window-management objects (window stations and desktops) | GetSecurityInfo, SetSecurityInfo

Registry keys | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Windows services | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Local or remote printers | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Network shares | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Interprocess synchronization objects (events, mutexes, semaphores, and waitable timers) | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Job objects | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo

Access Mask Format

All securable objects arrange their access rights by using the access mask format shown in the following
illustration.

In this format, the low-order 16 bits are for object-specific access rights, the next 8 bits are for standard access
rights, which apply to most types of objects, and the 4 high-order bits are used to specify generic access rights
that each object type can map to a set of standard and object-specific rights. The ACCESS_SYSTEM_SECURITY bit
corresponds to the right to access the object's SACL.
Generic Access Rights

Securable objects use an access mask format in which the four high-order bits specify generic access rights.
Each type of securable object maps these bits to a set of its standard and object-specific access rights. For
example, a Windows file object maps the GENERIC_READ bit to the READ_CONTROL and SYNCHRONIZE
standard access rights and to the FILE_READ_DATA, FILE_READ_EA, and FILE_READ_ATTRIBUTES object-specific
access rights. Other types of objects map the GENERIC_READ bit to whatever set of access rights is appropriate
for that type of object.
You can use generic access rights to specify the type of access you need when you are opening a handle to an
object. This is typically simpler than specifying all the corresponding standard and specific rights.
The following table shows the constants defined for the generic access rights.

CONSTANT | GENERIC MEANING

GENERIC_ALL | All possible access rights

GENERIC_EXECUTE | Execute access

GENERIC_READ | Read access

GENERIC_WRITE | Write access


Applications that define private securable objects can also use the generic access rights.
Standard Access Rights

Each type of securable object has a set of access rights that correspond to operations specific to that type of
object. In addition to these object-specific access rights, there is a set of standard access rights that correspond
to operations common to most types of securable objects.
The access mask format includes a set of bits for the standard access rights. The following Windows constants
for standard access rights are defined in Winnt.h.

CONSTANT | MEANING

DELETE | The right to delete the object.

READ_CONTROL | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).

SYNCHRONIZE | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

WRITE_DAC | The right to modify the discretionary access control list (DACL) in the object's security descriptor.

WRITE_OWNER | The right to change the owner in the object's security descriptor.

Winnt.h also defines the following combinations of the standard access rights constants.

CONSTANT | MEANING

STANDARD_RIGHTS_ALL | Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.

STANDARD_RIGHTS_EXECUTE | Currently defined to equal READ_CONTROL.

STANDARD_RIGHTS_READ | Currently defined to equal READ_CONTROL.

STANDARD_RIGHTS_REQUIRED | Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.

STANDARD_RIGHTS_WRITE | Currently defined to equal READ_CONTROL.
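
An added Python example, not code from this documentation, that splits a mask into the fields described under Access Mask Format, maps generic rights to specific rights using the file object's GENERIC_MAPPING (the GENERIC_READ entry is the mapping the text describes), and names the bits of a mask. The constant values are those from winnt.h; `excess_rights` is a helper added here to flag requests wider than the caller needs.

```python
# Access-mask layout and constant values as defined in winnt.h.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
GENERIC_BITS = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL
MAXIMUM_ALLOWED = 0x02000000
ACCESS_SYSTEM_SECURITY = 0x01000000   # the SACL access right

DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000
STANDARD_RIGHTS_REQUIRED = 0x000F0000
STANDARD_RIGHTS_ALL = 0x001F0000
STANDARD_RIGHTS_READ = STANDARD_RIGHTS_WRITE = STANDARD_RIGHTS_EXECUTE = READ_CONTROL

# File object-specific rights (the low-order 16 bits).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_READ_EA = 0x0008
FILE_WRITE_EA = 0x0010
FILE_EXECUTE = 0x0020
FILE_DELETE_CHILD = 0x0040
FILE_READ_ATTRIBUTES = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF

# GENERIC_MAPPING for file objects; the GENERIC_READ entry is the mapping the text describes.
FILE_GENERIC_MAPPING = {
    GENERIC_READ: STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | SYNCHRONIZE,
    GENERIC_WRITE: (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
                    | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE),
    GENERIC_EXECUTE: STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE,
    GENERIC_ALL: FILE_ALL_ACCESS,
}

BIT_NAMES = {
    GENERIC_READ: "GENERIC_READ", GENERIC_WRITE: "GENERIC_WRITE",
    GENERIC_EXECUTE: "GENERIC_EXECUTE", GENERIC_ALL: "GENERIC_ALL",
    MAXIMUM_ALLOWED: "MAXIMUM_ALLOWED", ACCESS_SYSTEM_SECURITY: "ACCESS_SYSTEM_SECURITY",
    DELETE: "DELETE", READ_CONTROL: "READ_CONTROL", WRITE_DAC: "WRITE_DAC",
    WRITE_OWNER: "WRITE_OWNER", SYNCHRONIZE: "SYNCHRONIZE",
    FILE_READ_DATA: "FILE_READ_DATA", FILE_WRITE_DATA: "FILE_WRITE_DATA",
    FILE_APPEND_DATA: "FILE_APPEND_DATA", FILE_READ_EA: "FILE_READ_EA",
    FILE_WRITE_EA: "FILE_WRITE_EA", FILE_EXECUTE: "FILE_EXECUTE",
    FILE_DELETE_CHILD: "FILE_DELETE_CHILD", FILE_READ_ATTRIBUTES: "FILE_READ_ATTRIBUTES",
    FILE_WRITE_ATTRIBUTES: "FILE_WRITE_ATTRIBUTES",
}


def split_access_mask(mask: int) -> dict:
    """Break a 32-bit mask into the fields of the access mask format."""
    return {
        "specific": mask & 0xFFFF,            # bits 0-15: object-specific rights
        "standard": (mask >> 16) & 0xFF,      # bits 16-23: standard rights
        "sacl": bool(mask & ACCESS_SYSTEM_SECURITY),
        "maximum_allowed": bool(mask & MAXIMUM_ALLOWED),
        "generic": (mask >> 28) & 0xF,        # bits 28-31: generic rights
    }


def map_generic_rights(mask: int, generic_mapping: dict) -> int:
    """Equivalent of MapGenericMask: replace generic bits with the type's specific rights."""
    mapped = mask & ~GENERIC_BITS
    for generic_bit, specific in generic_mapping.items():
        if mask & generic_bit:
            mapped |= specific
    return mapped


def describe_mask(mask: int, names: dict = BIT_NAMES) -> list:
    """Names of the set bits, highest bit first; unknown bits are reported in hex."""
    out = []
    for bit in range(31, -1, -1):
        value = 1 << bit
        if mask & value:
            out.append(names.get(value, f"0x{value:08X}"))
    return out


def excess_rights(requested: int, needed: int, generic_mapping: dict) -> int:
    """Rights a request would obtain beyond what the caller actually needs
    (both masks are mapped first, so GENERIC_ALL is compared on equal terms)."""
    return map_generic_rights(requested, generic_mapping) & ~map_generic_rights(needed, generic_mapping)
```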


SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security
descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access
token of the requesting thread.
To access an object's SACL
1. Call the AdjustTokenPrivileges function to enable the SE_SECURITY_NAME privilege.
2. Request the ACCESS_SYSTEM_SECURITY access right when you open a handle to the object.
3. Get or set the object's SACL by using a function such as GetSecurityInfo or SetSecurityInfo .
4. Call AdjustTokenPrivileges to disable the SE_SECURITY_NAME privilege.
To access a SACL using the GetNamedSecurityInfo or SetNamedSecurityInfo functions, enable the
SE_SECURITY_NAME privilege. The function internally requests the access right.
The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because DACLs do not control access to a
SACL. However, you can use the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the
access right.
Directory Services Access Rights

Each Active Directory object has a security descriptor assigned to it. A set of trustee rights specific to directory
service objects can be set within these security descriptors. These rights are listed in the following table. For
more information, see Control Access Rights.

RIGHTS | MEANING

ACTRL_DS_OPEN | Open a DS object.

ACTRL_DS_CREATE_CHILD | Create a child DS object.

ACTRL_DS_DELETE_CHILD | Delete a child DS object.

ACTRL_DS_LIST | Enumerate a DS object.

ACTRL_DS_READ_PROP | Read the properties of a DS object.

ACTRL_DS_WRITE_PROP | Write properties for a DS object.

ACTRL_DS_SELF | Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.

ACTRL_DS_DELETE_TREE | Delete a tree of DS objects.

ACTRL_DS_LIST_OBJECT | List a tree of DS objects.

ACTRL_DS_CONTROL_ACCESS | Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.
Requesting Access Rights to an Object

When you open a handle to an object, the returned handle has some combination of access rights to the object.
Some functions, such as CreateSemaphore , do not require a specific set of requested access rights. These
functions always try to open the handle for full access. Other functions, such as CreateFile and OpenProcess ,
allow you to specify the set of access rights that you want. You should request only the access rights that you
need, rather than opening a handle for full access. This prevents using the handle in an unintended way, and
increases the chances that the access request will succeed if the object's DACL only allows limited access.
Use generic access rights to specify the type of access needed when opening a handle to an object. This is
typically simpler than specifying all the corresponding standard and specific rights. Alternatively, use the
MAXIMUM_ALLOWED constant to request that the object be opened with all the access rights that are valid for
the caller.

NOTE
The MAXIMUM_ALLOWED constant cannot be used in an ACE.

To get or set the SACL in an object's security descriptor, request the ACCESS_SYSTEM_SECURITY access right
when opening a handle to the object.
Centralized Authorization Policy

The Dynamic Access Control (DAC) scenario enables centralized access control administration for enterprise file
server scenarios. Most organizations have multiple areas in which they want to control access.
Examples are:
Controlling access to sensitive information, in which files marked as sensitive would have specific
permissions
Controlling access to files containing personally identifiable information (PII)
Limiting access to documents based on the organization's retention policies
Several new authorization policy abstractions are provided to allow an administrator to define these policies
centrally and to simplify the definition process by allowing each of these access requirements to be defined and
maintained separately but applied as one policy.
Two new Active Directory policy objects, a central authorization policy (CAP) and a central authorization policy
rule (CAPR), are introduced in Windows 8 to define and apply centralized authorization policies based on
expressions of claims and resource attributes. Using these objects, an administrator defines a CAPR as a specific
authorization policy that can be applied to resources that have a certain attribute or satisfy a certain applicability
condition, for example documents labeled as "high business impact". CAPRs may be defined for each desired
access control policy in an organization that can be expressed, and the resources to which each should be applied
can be identified, in terms of Windows 8 DAC expressions. A CAP is a collection of CAPRs that can be applied together
on resources. The following diagram shows the relationships of the CAP and CAPR, and the conceptual steps
involved in defining and applying these objects to file resources.
Central Authorization Policies

A Central Authorization Policy (CAP) collects the specific authorization rules (CAPRs) into a single policy. To allow
the specific authorization rules (CAPRs) to be combined into the holistic authorization policy of the organization,
CAPRs can be referenced together and applied to a set of resources. This is done by collecting multiple CAPRs (by
reference) into a CAP. Once a CAP is defined, it can be distributed to and consumed by resource managers to apply the
organization's authorization policy to resources.
A CAP has the following attributes:
Collection of CAPRs – a list of references to existing CAPR objects
An identifier (SID)
Description
Name
A CAP is evaluated during access evaluation for files and folders on which an administrator enables it. During an
AccessCheck call, the CAP check is logically combined with the discretionary ACL check; this means that in
order to obtain access to a file to which the CAP applies, a user needs to have access both according to the CAP
(its associated CAPRs) and the discretionary ACL on the file.
Example CAP:

[CORPORATE-FINANCE-CAP]
CAPID=S-1-5-3-4-56-45-67-123
Policies=HBI-CAPE;RETENTION-CAPR

CAP Definition
A CAP is created and edited in Active Directory using a new UX in ADAC (or PowerShell) that allows the
administrator to create a CAP and specify a set of CAPRs that make up the CAP.
Central Authorization Policy Rule

The purpose of the Central Authorization Policy Rule (CAPR) is to provide a domain-wide definition of an
isolated aspect of the organization's authorization policy. The administrator defines the CAPR to enforce one of
the specific authorization requirements. Since the CAPR defines only one specific desired requirement of the
authorization policy it can be more simply defined and understood than if all the authorization policy
requirements of the organization are compiled into a single policy definition.
The CAPR has the following attributes:
Name – identifies the CAPR to the administrators.
Description – defines the purpose of the CAPR and any information that may be needed by consumers of the
CAPR.
Applicability Expression – defines the resources or situations in which the policy will be applied.
ID – identifier for use in auditing of changes to the CAPR.
Effective Access Control Policy – a Windows security descriptor containing a DACL that defines the effective
authorization policy.
Exception Expression – one or more expressions that provide a means to override the policy and grant access
to a principal according to the evaluation of the expression.
Staging Policy – an optional Windows security descriptor containing a DACL that defines a proposed
authorization policy (list of access control entries) that will be tested against the effective policy but not
enforced. If there is a difference between the results of the effective policy and the staging policy the
difference will be recorded in the audit event log.
Since staging can have an unpredictable effect on system performance, a Group Policy administrator
must be able to select specific machines on which staging will be in effect. This allows the existing
policy to be in place on most machines in an OU while staging is happening on a subset of the
machines.
A local administrator on a particular machine should be able to disable staging if staging on that
machine is causing too much of a performance degradation.
Backlink to CAP – A list of backlinks to any CAPs that may be referring to this CAPR.
During access check, the CAPR is evaluated for applicability based on the applicability expression. If a CAPR is
applicable, it is evaluated to determine whether it provides the requesting user the requested access to the identified
resource. The results of the CAPR evaluation are then logically joined by AND with the results of the DACL on the
resource and any other applicable CAPRs in effect on the resource.
Example CAPRs:
[HBI-POLICY]
APPLIES-TO="(@resource.confidentiality == HBI)"
SD ="D:(A;;FA;;;AU;(@memberOf("Smartcard Logon")))"
StagingSD = "D:(A;;FA;;;AU;(@memberOf("Smartcard Logon") AND memberOfAny(Resource.ProjectGroups)))"
description="Control access to sensitive information"

[RETENTION-POLICY]
Applies-To="@resource.retention == true"
SD ="D:(A;;FA;;;BA)(A;;FR;;;WD)"
description="If the document is marked for retention, then it is read-only for everyone however Local Admins have full control to them to put them out of retention when the time comes"

[TEST-FINANCE-POLICY]
Applies-To="@resource.label == 'finance'"
SD="D:(A;;FA;;;AU;(member_of(FinanceGroup)))"
description="Department: Only employees of the finance department should be able to read documents labeled as finance"

Deny ACEs in CAPEs


In Windows 8 deny ACEs will not be supported in a CAPR. The CAPR authoring UX will not allow creation of a
deny ACE. Additionally, when the LSA retrieves the CAP from Active Directory, LSA will verify that no CAPRs
have deny ACEs. If a deny ACE is found in a CAPR then the CAP will be treated as invalid and not be copied to
the registry or SRM.

NOTE
The access check will not enforce that no deny ACEs are present. Deny ACEs in a CAPR will be applied. It is expected that
authoring tools will prevent this from happening.
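
An added Python model, not from the original documentation, of the two rules above: a CAP is rejected as invalid when any of its CAPRs carries a deny ACE, and otherwise access requires the resource DACL AND every applicable CAPR to grant the request. Applicability expressions are modeled as Python predicates rather than DAC expression syntax, the "Smartcard Logon" condition of the HBI example is modeled as a constructed group SID in the token, and the SIDs and file DACL are made up.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
FILE_READ_DATA = 0x0001
FILE_ALL_ACCESS = 0x1F01FF        # "FA" in SDDL


@dataclass(frozen=True)
class Ace:
    ace_type: int
    trustee: str
    mask: int


@dataclass
class Capr:
    name: str
    applies_to: Callable[[Dict[str, str]], bool]   # stands in for the applicability expression
    dacl: List[Ace]                                # the effective access control policy


@dataclass
class Cap:
    name: str
    caprs: List[Capr]


def cap_is_valid(cap: Cap) -> bool:
    """The LSA-side check: a deny ACE in any CAPR makes the whole CAP invalid."""
    return not any(ace.ace_type == ACCESS_DENIED_ACE_TYPE
                   for capr in cap.caprs for ace in capr.dacl)


def dacl_grants(dacl: List[Ace], token_sids: Iterable[str], requested: int) -> bool:
    """Compact DACL evaluation: a matching deny ACE covering a requested right denies,
    otherwise the union of matching allow ACEs must cover every requested right."""
    sids = set(token_sids)
    granted = 0
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE and ace.mask & requested:
            return False
        granted |= ace.mask
    return requested & ~granted == 0


def access_check(file_dacl: List[Ace], cap: Cap, resource_attrs: Dict[str, str],
                 token_sids: Iterable[str], requested: int) -> bool:
    """Access requires the file DACL AND every applicable CAPR to grant the request."""
    if not cap_is_valid(cap):
        raise ValueError(f"CAP {cap.name} is invalid and would not have been deployed")
    if not dacl_grants(file_dacl, token_sids, requested):
        return False
    return all(dacl_grants(capr.dacl, token_sids, requested)
               for capr in cap.caprs if capr.applies_to(resource_attrs))


# Constructed sample data.
EVERYONE = "S-1-1-0"
SMARTCARD_LOGON = "S-1-5-21-1-2-3-1201"    # stands in for the memberOf("Smartcard Logon") condition
FILE_DACL = [Ace(ACCESS_ALLOWED_ACE_TYPE, EVERYONE, FILE_ALL_ACCESS)]
HBI_POLICY = Capr("HBI-POLICY",
                  applies_to=lambda attrs: attrs.get("confidentiality") == "HBI",
                  dacl=[Ace(ACCESS_ALLOWED_ACE_TYPE, SMARTCARD_LOGON, FILE_ALL_ACCESS)])
CORPORATE_CAP = Cap("CORPORATE-FINANCE-CAP", [HBI_POLICY])
BAD_CAP = Cap("BAD-CAP", [Capr("DENY-RULE", lambda attrs: True,
                                [Ace(ACCESS_DENIED_ACE_TYPE, EVERYONE, FILE_READ_DATA)])])

if __name__ == "__main__":
    hbi_file = {"confidentiality": "HBI"}
    # The DACL alone would grant the read; the applicable CAPR withholds it without the smartcard group
    print("without smartcard:", access_check(FILE_DACL, CORPORATE_CAP, hbi_file, {EVERYONE}, FILE_READ_DATA))
    print("with smartcard:   ", access_check(FILE_DACL, CORPORATE_CAP, hbi_file,
                                              {EVERYONE, SMARTCARD_LOGON}, FILE_READ_DATA))
    print("BAD-CAP valid:", cap_is_valid(BAD_CAP))
```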

CAPE Definition
CAPRs are created through a new UX provided in Active Directory Administrative Center (ADAC). In ADAC a new
task option is provided to create a CAPR. When this task is selected, ADAC will prompt the user with a dialog
asking the user for a CAPR name and a description. When these are provided, the controls to define any of the
remaining CAPR elements become enabled. For each of the remaining CAPR elements, the UX will call out to the
ACL-UI to allow definition of expression and/or ACLs.

Related topics
AccessCheck
Dynamic Access Control (DAC) scenario
Security Identifiers

A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a
unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each
time a user logs on, the system retrieves the SID for that user from the database and places it in the access token
for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with
Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used
again to identify another user or group.
Windows security uses SIDs in the following security elements:
In security descriptors to identify the owner of an object and primary group
In access control entries, to identify the trustee for whom access is allowed, denied, or audited
In access tokens, to identify the user and the groups to which the user belongs
In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are well-
known SIDs that identify generic groups and generic users. For example, the well-known SIDs, Everyone and
World, identify a group that includes all users.
Most applications never need to work with SIDs. Because the names of well-known SIDs can vary, you should
use the functions to build the SID from predefined constants rather than using the name of the well-known SID.
For example, the U.S. English version of the Windows operating system has a well-known SID named
"BUILTIN\Administrators" that might have a different name on international versions of the system. For an
example that builds a well-known SID, see Searching for a SID in an Access Token in C++.
If you do need to work with SIDs, do not manipulate them directly. Instead, use the following functions.

FUNCTION | DESCRIPTION

AllocateAndInitializeSid | Allocates and initializes a SID with the specified number of subauthorities.

ConvertSidToStringSid | Converts a SID to a string format suitable for display, storage, or transport.

ConvertStringSidToSid | Converts a string-format SID to a valid, functional SID.

CopySid | Copies a source SID to a buffer.

EqualPrefixSid | Tests two SID prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.

EqualSid | Tests two SIDs for equality. They must match exactly to be considered equ al.

FreeSid | Frees a previously allocated SID by using the AllocateAndInitializeSid function.

GetLengthSid | Retrieves the length of a SID.

GetSidIdentifierAuthority | Retrieves a pointer to the identifier authority for a SID.

GetSidLengthRequired | Retrieves the size of the buffer required to store a SID with a specified number of subauthorities.

GetSidSubAuthority | Retrieves a pointer to a specified subauthority in a SID.

GetSidSubAuthorityCount | Retrieves the number of subauthorities in a SID.

InitializeSid | Initializes a SID structure.

IsValidSid | Tests the validity of a SID by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum.

LookupAccountName | Retrieves the SID that corresponds to a specified account name.

LookupAccountSid | Retrieves the account name that corresponds to a specified SID.
SID Components

A SID value includes components that provide information about the SID structure and components that
uniquely identify a trustee. A SID consists of the following components:
The revision level of the SID structure
A 48-bit identifier authority value that identifies the authority that issued the SID
A variable number of subauthority or relative identifier (RID) values that uniquely identify the trustee relative
to the authority that issued the SID
The combination of the identifier authority value and the subauthority values ensures that no two SIDs will be
the same, even if two different SID-issuing authorities issue the same combination of RID values. Each SID-
issuing authority issues a given RID only once.
SIDs are stored in binary format in a SID structure. To display a SID, you can call the ConvertSidToStringSid
function to convert a binary SID to string format. To convert a SID string back to a valid, functional SID, call the
ConvertStringSidToSid function.
These functions use the following standardized string notation for SIDs, which makes it simpler to visualize their
components:
S-R-I-S…
In this notation, the literal character "S" identifies the series of digits as a SID, R is the revision level, I is the
identifier-authority value, and S… is one or more subauthority values.
The following example uses this notation to display the well-known domain-relative SID of the local
Administrators group:
S-1-5-32-544
In this example, the SID has the following components. The constants in parentheses are well-known identifier
authority and RID values defined in Winnt.h:
A revision level of 1
An identifier-authority value of 5 (SECURITY_NT_AUTHORITY)
A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID)
A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS)
Well-known SIDs
3/5/2021

Well-known security identifiers (SIDs) identify generic groups and generic users. For example, there are well-
known SIDs to identify the following groups and users:
Everyone or World, which is a group that includes all users.
CREATOR_OWNER, which is used as a placeholder in an inheritable ACE. When the ACE is inherited, the
system replaces the CREATOR_OWNER SID with the SID of the object's creator.
The Administrators group for the built-in domain on the local computer.
There are universal well-known SIDs, which are meaningful on all secure systems using this security model,
including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful
only on Windows systems.
The Windows API defines a set of constants for well-known identifier authority and relative identifier (RID)
values. You can use these constants to create well-known SIDs. The following example combines the
SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants to show the universal well-known
SID for the special group representing all users (Everyone or World):
S-1-1-0
This example uses the string notation for SIDs in which S identifies the string as a SID, the first 1 is the revision
level of the SID, and the remaining two digits are the SECURITY_WORLD_SID_AUTHORITY and
SECURITY_WORLD_RID constants.
You can use the AllocateAndInitializeSid function to build a SID by combining an identifier authority value
with up to eight subauthority values. For example, to determine whether the logged-on user is a member of a
particular well-known group, call AllocateAndInitializeSid to build a SID for the well-known group and use
the EqualSid function to compare that SID to the group SIDs in the user's access token. For an example, see
Searching for a SID in an Access Token in C++. You must call the FreeSid function to free a SID allocated by
AllocateAndInitializeSid.
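The S-R-I-S… notation from SID Components, the SID functions tabulated above (AllocateAndInitializeSid, ConvertSidToStringSid, ConvertStringSidToSid, IsValidSid, GetLengthSid, EqualSid, EqualPrefixSid) and the token-membership check just described, as one added example in plain C. It is not the Win32 implementation: the Sid struct and its byte layout (revision, subauthority count, 6-byte big-endian identifier authority, 32-bit subauthorities, at most 15 of them) are an assumption taken from the Winnt.h SID definition, and the group list that stands in for an access token is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example, not the Win32 SID functions. The struct layout is an assumption
 * taken from the Winnt.h SID definition: revision byte, subauthority-count byte,
 * 6-byte big-endian identifier authority, then up to 15 32-bit subauthorities. */
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_REVISION 1
#define ISDIG(c) ((c) >= '0' && (c) <= '9')

typedef struct {
    uint8_t  revision, sub_count, authority[6];
    uint32_t sub[SID_MAX_SUB_AUTHORITIES];
} Sid;

/* AllocateAndInitializeSid counterpart: an authority value plus a list of RIDs. */
static int sid_init(Sid *s, uint64_t authority, int n, const uint32_t *rids) {
    int i;
    if (n < 0 || n > SID_MAX_SUB_AUTHORITIES || (authority >> 48) != 0) return 0;
    memset(s, 0, sizeof *s);
    s->revision = SID_REVISION;
    s->sub_count = (uint8_t)n;
    for (i = 0; i < 6; i++) s->authority[i] = (uint8_t)(authority >> (8 * (5 - i)));
    for (i = 0; i < n; i++) s->sub[i] = rids[i];
    return 1;
}
static uint64_t sid_authority(const Sid *s) {          /* GetSidIdentifierAuthority */
    uint64_t a = 0; int i;
    for (i = 0; i < 6; i++) a = (a << 8) | s->authority[i];
    return a;
}
static int sid_is_valid(const Sid *s) {                /* IsValidSid */
    return s->revision == SID_REVISION && s->sub_count <= SID_MAX_SUB_AUTHORITIES;
}
static size_t sid_length(const Sid *s) { return 8 + 4 * (size_t)s->sub_count; } /* GetLengthSid */

/* ConvertSidToStringSid counterpart: writes "S-R-I-S..." and returns its length, or -1. */
static int sid_to_string(const Sid *s, char *buf, size_t cap) {
    int len, i;
    if (!sid_is_valid(s)) return -1;
    len = snprintf(buf, cap, "S-%u-%llu", (unsigned)s->revision, (unsigned long long)sid_authority(s));
    for (i = 0; i < s->sub_count && len >= 0 && (size_t)len < cap; i++)
        len += snprintf(buf + len, cap - (size_t)len, "-%lu", (unsigned long)s->sub[i]);
    return (len >= 0 && (size_t)len < cap) ? len : -1;
}

/* ConvertStringSidToSid counterpart: strict parse; unknown revision or trailing junk fails. */
static int sid_from_string(Sid *s, const char *str) {
    uint32_t rids[SID_MAX_SUB_AUTHORITIES]; uint64_t auth; unsigned long long v;
    char *end; int n = 0;
    if (str[0] != 'S' || str[1] != '-' || !ISDIG(str[2])) return 0;
    v = strtoull(str + 2, &end, 10);                          /* revision */
    if (v != SID_REVISION || end[0] != '-' || !ISDIG(end[1])) return 0;
    auth = strtoull(end + 1, &end, 10);                       /* identifier authority */
    if ((auth >> 48) != 0) return 0;
    while (*end == '-') {                                     /* subauthorities */
        if (!ISDIG(end[1]) || n == SID_MAX_SUB_AUTHORITIES) return 0;
        v = strtoull(end + 1, &end, 10);
        if (v > 0xFFFFFFFFull) return 0;
        rids[n++] = (uint32_t)v;
    }
    return *end == '\0' && sid_init(s, auth, n, rids);
}

/* EqualPrefixSid counterpart: everything except the last subauthority must match. */
static int sid_equal_prefix(const Sid *a, const Sid *b) {
    int i;
    if (!sid_is_valid(a) || !sid_is_valid(b) || a->sub_count != b->sub_count) return 0;
    if (memcmp(a->authority, b->authority, 6) != 0) return 0;
    for (i = 0; i + 1 < a->sub_count; i++) if (a->sub[i] != b->sub[i]) return 0;
    return 1;
}
/* EqualSid counterpart: exact match. */
static int sid_equal(const Sid *a, const Sid *b) {
    return sid_equal_prefix(a, b) &&
           (a->sub_count == 0 || a->sub[a->sub_count - 1] == b->sub[a->sub_count - 1]);
}

/* The membership test described above: compare a well-known group SID with each group SID
 * in a token. The token's group list is stood in for by constructed SID strings. */
static int token_has_group(const char *const *token_groups, int n, const Sid *group) {
    Sid g; int i;
    for (i = 0; i < n; i++)
        if (sid_from_string(&g, token_groups[i]) && sid_equal(&g, group)) return 1;
    return 0;
}

int main(void) {
    static const char *const groups[] = { "S-1-1-0", "S-1-5-32-545" };   /* constructed token */
    uint32_t admins_rids[] = { 32, 544 };   /* SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS */
    uint32_t world_rid = 0;                 /* SECURITY_WORLD_RID */
    Sid admins, world; char buf[64];
    sid_init(&admins, 5, 2, admins_rids);   /* SECURITY_NT_AUTHORITY */
    sid_init(&world, 1, 1, &world_rid);     /* SECURITY_WORLD_SID_AUTHORITY */
    sid_to_string(&admins, buf, sizeof buf);
    printf("%s: %zu bytes, in token: %d\n", buf, sid_length(&admins), token_has_group(groups, 2, &admins));
    sid_to_string(&world, buf, sizeof buf);
    printf("%s: in token: %d\n", buf, token_has_group(groups, 2, &world));
    return 0;
}
```

The parser is deliberately strict (no whitespace, signs, or trailing characters) because a SID string that is later compared with EqualSid has to round-trip exactly; a lenient parse would let two differently spelled strings compare equal or, worse, let a malformed string match a well-known SID.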
The remainder of this section contains tables of well-known SIDs and tables of identifier authority and
subauthority constants that you can use to build well-known SIDs.
The following are some universal well-known SIDs.

UNIVERSAL WELL-KNOWN SID STRING VALUE IDENTIFIES

Null SID S-1-0-0 A group with no members. This is often used when a SID value is not known.

World S-1-1-0 A group that includes all users.

Local S-1-2-0 Users who log on to terminals locally (physically) connected to the system.

Creator Owner ID S-1-3-0 A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs.

Creator Group ID S-1-3-1 A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs.

The following table lists the predefined identifier authority constants. The first four values are used with
universal well-known SIDs; the last value is used with Windows well-known SIDs.

IDENTIFIER AUTHORITY VALUE STRING VALUE

SECURITY_NULL_SID_AUTHORITY 0 S-1-0

SECURITY_WORLD_SID_AUTHORITY 1 S-1-1

SECURITY_LOCAL_SID_AUTHORITY 2 S-1-2

SECURITY_CREATOR_SID_AUTHORITY 3 S-1-3

SECURITY_NT_AUTHORITY 5 S-1-5

The following RID values are used with universal well-known SIDs. The Identifier authority column shows the
prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.

RELATIVE IDENTIFIER AUTHORITY VALUE STRING VALUE

SECURITY_NULL_RID 0 S-1-0

SECURITY_WORLD_RID 0 S-1-1

SECURITY_LOCAL_RID 0 S-1-2

SECURITY_LOCAL_LOGON_RID 1 S-1-2

SECURITY_CREATOR_OWNER_RID 0 S-1-3

SECURITY_CREATOR_GROUP_RID 1 S-1-3

The SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal but
are meaningful only on Windows installations. You can use the following RID values with
SECURITY_NT_AUTHORITY to create well-known SIDs.

CONSTANT STRING VALUE IDENTIFIES

SECURITY_DIALUP_RID S-1-5-1 Users who log on to terminals using a dial-up modem. This is a group identifier.

SECURITY_NETWORK_RID S-1-5-2 Users who log on across a network. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK.

SECURITY_BATCH_RID S-1-5-3 Users who log on using a batch queue facility. This is a group identifier added to the token of a process when it was logged on as a batch job. The corresponding logon type is LOGON32_LOGON_BATCH.

SECURITY_INTERACTIVE_RID S-1-5-4 Users who log on for interactive operation. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE.

SECURITY_LOGON_IDS_RID S-1-5-5-X-Y A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. The value SECURITY_LOGON_IDS_RID_COUNT is the number of RIDs in this identifier (5-X-Y).

SECURITY_SERVICE_RID S-1-5-6 Accounts authorized to log on as a service. This is a group identifier added to the token of a process when it was logged on as a service. The corresponding logon type is LOGON32_LOGON_SERVICE.

SECURITY_ANONYMOUS_LOGON_RID S-1-5-7 Anonymous logon, or null session logon.

SECURITY_PROXY_RID S-1-5-8 Proxy.

SECURITY_ENTERPRISE_CONTROLLERS_RID S-1-5-9 Enterprise controllers.

SECURITY_PRINCIPAL_SELF_RID S-1-5-10 The PRINCIPAL_SELF security identifier can be used in the ACL of a user or group object. During an access check, the system replaces the SID with the SID of the object. The PRINCIPAL_SELF SID is useful for specifying an inheritable ACE that applies to the user or group object that inherits the ACE. It is the only way of representing the SID of a created object in the default security descriptor of the schema.

SECURITY_AUTHENTICATED_USER_RID S-1-5-11 The authenticated users.

SECURITY_RESTRICTED_CODE_RID S-1-5-12 Restricted code.

SECURITY_TERMINAL_SERVER_RID S-1-5-13 Terminal Services. Automatically added to the security token of a user who logs on to a terminal server.

SECURITY_LOCAL_SYSTEM_RID S-1-5-18 A special account used by the operating system.

SECURITY_NT_NON_UNIQUE S-1-5-21 SIDs are not unique.

SECURITY_BUILTIN_DOMAIN_RID S-1-5-32 The built-in system domain.

SECURITY_WRITE_RESTRICTED_CODE_RID S-1-5-33 Write restricted code.

The following RIDs are relative to each domain.

RID VALUE IDENTIFIES

DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP 0x0000023E The group of users who can connect to certification authorities using Distributed Component Object Model (DCOM).

DOMAIN_USER_RID_ADMIN 0x000001F4 The administrative user account in a domain.

DOMAIN_USER_RID_GUEST 0x000001F5 The guest-user account in a domain. Users who do not have an account can automatically log on to this account.

DOMAIN_GROUP_RID_ADMINS 0x00000200 The domain administrators' group. This account exists only on systems running server operating systems.

DOMAIN_GROUP_RID_USERS 0x00000201 A group that contains all user accounts in a domain. All users are automatically added to this group.

DOMAIN_GROUP_RID_GUESTS 0x00000202 The guest-group account in a domain.

DOMAIN_GROUP_RID_COMPUTERS 0x00000203 The domain computers' group. All computers in the domain are members of this group.

DOMAIN_GROUP_RID_CONTROLLERS 0x00000204 The domain controllers' group. All DCs in the domain are members of this group.

DOMAIN_GROUP_RID_CERT_ADMINS 0x00000205 The certificate publishers' group. Computers running Certificate Services are members of this group.

DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS 0x000001F2 The group of enterprise read-only domain controllers.

DOMAIN_GROUP_RID_SCHEMA_ADMINS 0x00000206 The schema administrators' group. Members of this group can modify the Active Directory schema.

DOMAIN_GROUP_RID_ENTERPRISE_ADMINS 0x00000207 The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.

DOMAIN_GROUP_RID_POLICY_ADMINS 0x00000208 The policy administrators' group.

DOMAIN_GROUP_RID_READONLY_CONTROLLERS 0x00000209 The group of read-only domain controllers.

DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS 0x0000020A The group of cloneable domain controllers.

DOMAIN_GROUP_RID_CDC_RESERVED 0x0000020C The reserved CDC group.

DOMAIN_GROUP_RID_PROTECTED_USERS 0x0000020D The protected users group.

DOMAIN_GROUP_RID_KEY_ADMINS 0x0000020E The key admins group.

DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS 0x0000020F The enterprise key admins group.

The following RIDs are used to specify mandatory integrity level.

RID VALUE IDENTIFIES

SECURITY_MANDATORY_UNTRUSTED_RID 0x00000000 Untrusted.

SECURITY_MANDATORY_LOW_RID 0x00001000 Low integrity.

SECURITY_MANDATORY_MEDIUM_RID 0x00002000 Medium integrity.

SECURITY_MANDATORY_MEDIUM_PLUS_RID SECURITY_MANDATORY_MEDIUM_RID + 0x100 Medium high integrity.

SECURITY_MANDATORY_HIGH_RID 0x00003000 High integrity.

SECURITY_MANDATORY_SYSTEM_RID 0x00004000 System integrity.

SECURITY_MANDATORY_PROTECTED_PROCESS_RID 0x00005000 Protected process.

The following table has examples of domain-relative RIDs that you can use to form well-known SIDs for local
groups (aliases). For more information about local and global groups, see Local Group Functions and Group
Functions.

RID VALUE STRING VALUE IDENTIFIES

DOMAIN_ALIAS_RID_ADMINS 0x00000220 S-1-5-32-544 A local group used for administration of the domain.

DOMAIN_ALIAS_RID_USERS 0x00000221 S-1-5-32-545 A local group that represents all users in the domain.

DOMAIN_ALIAS_RID_GUESTS 0x00000222 S-1-5-32-546 A local group that represents guests of the domain.

DOMAIN_ALIAS_RID_POWER_USERS 0x00000223 S-1-5-32-547 A local group used to represent a user or set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.

DOMAIN_ALIAS_RID_ACCOUNT_OPS 0x00000224 S-1-5-32-548 A local group that exists only on systems running server operating systems. This local group permits control over nonadministrator accounts.

DOMAIN_ALIAS_RID_SYSTEM_OPS 0x00000225 S-1-5-32-549 A local group that exists only on systems running server operating systems. This local group performs system administrative functions, not including security functions. It establishes network shares, controls printers, unlocks workstations, and performs other operations.

DOMAIN_ALIAS_RID_PRINT_OPS 0x00000226 S-1-5-32-550 A local group that exists only on systems running server operating systems. This local group controls printers and print queues.

DOMAIN_ALIAS_RID_BACKUP_OPS 0x00000227 S-1-5-32-551 A local group used for controlling assignment of file backup-and-restore privileges.

DOMAIN_ALIAS_RID_REPLICATOR 0x00000228 S-1-5-32-552 A local group responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.

DOMAIN_ALIAS_RID_RAS_SERVERS 0x00000229 S-1-5-32-553 A local group that represents RAS and IAS servers. This group permits access to various attributes of user objects.

DOMAIN_ALIAS_RID_PREW2KCOMPACCESS 0x0000022A S-1-5-32-554 A local group that exists only on systems running Windows 2000 Server. For more information, see Allowing Anonymous Access.

DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS 0x0000022B S-1-5-32-555 A local group that represents all remote desktop users.

DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS 0x0000022C S-1-5-32-556 A local group that represents the network configuration.

DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS 0x0000022D S-1-5-32-557 A local group that represents any forest trust users.

DOMAIN_ALIAS_RID_MONITORING_USERS 0x0000022E S-1-5-32-558 A local group that represents all users being monitored.

DOMAIN_ALIAS_RID_LOGGING_USERS 0x0000022F S-1-5-32-559 A local group responsible for logging users.

DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS 0x00000230 S-1-5-32-560 A local group that represents all authorized access.

DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS 0x00000231 S-1-5-32-561 A local group that exists only on systems running server operating systems that allow for terminal services and remote access.

DOMAIN_ALIAS_RID_DCOM_USERS 0x00000232 S-1-5-32-562 A local group that represents users who can use Distributed Component Object Model (DCOM).

DOMAIN_ALIAS_RID_IUSERS 0x00000238 S-1-5-32-568 A local group that represents Internet users.

DOMAIN_ALIAS_RID_CRYPTO_OPERATORS 0x00000239 S-1-5-32-569 A local group that represents access to cryptography operators.

DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP 0x0000023B S-1-5-32-571 A local group that represents principals that can be cached.

DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP 0x0000023C S-1-5-32-572 A local group that represents principals that cannot be cached.

DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP 0x0000023D S-1-5-32-573 A local group that represents event log readers.

DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP 0x0000023E S-1-5-32-574 The local group of users who can connect to certification authorities using Distributed Component Object Model (DCOM).

DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS 0x0000023F S-1-5-32-575 A local group that represents RDS remote access servers.

DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS 0x00000240 S-1-5-32-576 A local group that represents endpoint servers.

DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS 0x00000241 S-1-5-32-577 A local group that represents management servers.

DOMAIN_ALIAS_RID_HYPER_V_ADMINS 0x00000242 S-1-5-32-578 A local group that represents Hyper-V admins.

DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS 0x00000243 S-1-5-32-579 A local group that represents access control assistance operators.

DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS 0x00000244 S-1-5-32-580 A local group that represents remote management users.

DOMAIN_ALIAS_RID_DEFAULT_ACCOUNT 0x00000245 S-1-5-32-581 A local group that represents the default account.

DOMAIN_ALIAS_RID_STORAGE_REPLICA_ADMINS 0x00000246 S-1-5-32-582 A local group that represents storage replica admins.

DOMAIN_ALIAS_RID_DEVICE_OWNERS 0x00000247 S-1-5-32-583 A local group whose members can make the settings expected of Device Owners.

The WELL_KNOWN_SID_TYPE enumeration defines the list of commonly used SIDs. Additionally, the Security
Descriptor Definition Language (SDDL) uses SID strings to reference well-known SIDs in a string format.
How AccessCheck Works
3/5/2021

When a thread tries to access a securable object, the system either grants or denies access. If the object does not
have a discretionary access control list (DACL), the system grants access; otherwise, the system looks for Access
Control Entries (ACEs) in the object's DACL that apply to the thread. Each ACE in the object's DACL specifies the
access rights allowed or denied for a trustee, which can be a user account, a group account, or a logon session.

DACLs
The system compares the trustee in each ACE to the trustees identified in the thread's access token. An access
token contains security identifiers (SIDs) that identify the user and the group accounts to which the user
belongs. A token also contains a logon SID that identifies the current logon session. During an access check, the
system ignores group SIDs that are not enabled. For more information on enabled, disabled, and deny-only
SIDs, see SID Attributes in an Access Token.
Typically, the system uses the primary access token of the thread that is requesting access. However, if the thread
is impersonating another user, the system uses the thread's impersonation token.
The system examines each ACE in sequence until one of the following events occurs:
An access-denied ACE explicitly denies any of the requested access rights to one of the trustees listed in the
thread's access token.
One or more access-allowed ACEs for trustees listed in the thread's access token explicitly grant all the
requested access rights.
All ACEs have been checked and there is still at least one requested access right that has not been explicitly
allowed, in which case, access is implicitly denied.
The following illustration shows how an object's DACL can allow access to one thread while denying access to
another.

For Thread A, the system reads ACE 1 and immediately denies access because the access-denied ACE applies to
the user in the thread's access token. In this case, the system does not check ACEs 2 and 3. For Thread B, ACE 1
does not apply, so the system proceeds to ACE 2, which allows write access, and ACE 3 which allows read and
execute access.
Because the system stops checking ACEs when the requested access is explicitly granted or denied, the order of
ACEs in a DACL is important. Note that if the ACE order were different in the example, the system might have
granted access to Thread A. For system objects, the operating system defines a preferred order of ACEs in a
DACL.
Interaction Between Threads and Securable Objects
3/5/2021

When a thread attempts to use a securable object, the system performs an access check before allowing the
thread to proceed. In an access check, the system compares the security information in the thread's access token
against the security information in the object's security descriptor.
The access token contains security identifiers (SIDs) that identify the user associated with the thread.
The security descriptor identifies the object's owner and contains a discretionary access control list (DACL).
The DACL contains access control entries (ACEs), each of which specify the access rights allowed or denied to
a specific user or group.
The system checks the object's DACL, looking for ACEs that apply to the user and group SIDs from the thread's
access token. The system checks each ACE until access is either granted or denied or until there are no more
ACEs to check. Conceivably, an access control list (ACL) could have several ACEs that apply to the token's SIDs.
And, if this occurs, the access rights granted by each ACE accumulate. For example, if one ACE grants read access
to a group and another ACE grants write access to a user who is a member of the group, the user can have both
read and write access to the object.
The following illustration shows the relationship between these blocks of security information:
DACLs and ACEs
3/5/2021

If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full
access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access
control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone.
Similarly, if a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies
access to all trustees not included in the ACEs.
In most cases, you can control access to an object by using access-allowed ACEs; you do not need to explicitly
deny access to an object. The exception is when an ACE allows access to a group and you want to deny access to
a member of the group. To do this, place an access-denied ACE for the user in the DACL ahead of the access-
allowed ACE for the group. Note that the order of the ACEs is important because the system reads the ACEs in
sequence until access is granted or denied. The user's access-denied ACE must appear first; otherwise, when the
system reads the group's access-allowed ACE, it will grant access to the restricted user.
The following illustration shows a DACL that denies access to one user and grants access to two groups. The
members of Group A get Read, Write, and Execute access rights by accumulating the rights allowed to Group A
and rights allowed to Everyone. The exception is Andrew, who is denied access by the access-denied ACE in spite
of being a member of the Everyone Group.
Null DACLs and Empty DACLs (Authorization)
3/5/2021

If the discretionary access control list (DACL) that belongs to an object's security descriptor is set to NULL, a null
DACL is created. A null DACL grants full access to any user that requests it; normal security checking is not
performed with respect to the object. A null DACL should not be confused with an empty DACL. An empty DACL
is a properly allocated and initialized DACL that contains no access control entries (ACEs). An empty DACL
grants no access to the object it is assigned to.
For an example of how to create a DACL, see Creating a DACL.
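The evaluation order described in How AccessCheck Works, the accumulation of rights across several ACEs from Interaction Between Threads and Securable Objects, the deny-before-allow ordering from DACLs and ACEs, and the null-versus-empty DACL distinction just above, as one added example in plain C. It is a simulation written for this page, not the Windows AccessCheck implementation; the DACLs, the token group lists and the S-1-5-21-... SIDs in it are constructed, and it applies the enabled / deny-only matching rule for allow and deny ACEs that this page states.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a stand-alone simulation of DACL evaluation written for this page,
 * not the Windows AccessCheck implementation. SIDs are strings, rights are mask bits. */
enum { ACE_ALLOW = 0, ACE_DENY = 1 };
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_EXEC = 4 };
enum { SID_ENABLED = 1, SID_DENY_ONLY = 2 };      /* token SID attributes that matter here */

typedef struct { int type; const char *sid; unsigned mask; } Ace;
typedef struct { const Ace *aces; int count; } Dacl;  /* aces == NULL models a null DACL */
typedef struct { const char *sid; unsigned attrs; } TokenSid;
typedef struct { const TokenSid *sids; int count; } Token;

/* An ACE applies when its trustee SID is in the token: an allow ACE needs the SID to be
 * enabled, a deny ACE matches an enabled or a deny-only SID. */
static int ace_applies(const Ace *ace, const Token *tok) {
    int i;
    for (i = 0; i < tok->count; i++) {
        if (strcmp(tok->sids[i].sid, ace->sid) != 0) continue;
        if (ace->type == ACE_DENY) return (tok->sids[i].attrs & (SID_ENABLED | SID_DENY_ONLY)) != 0;
        return (tok->sids[i].attrs & SID_ENABLED) != 0;
    }
    return 0;
}

/* Walk the DACL in order. Returns 1 when every requested right has been granted, else 0;
 * *granted receives the rights accumulated before the walk stopped. */
static int access_check(const Dacl *dacl, const Token *tok, unsigned requested, unsigned *granted) {
    unsigned have = 0; int i;
    if (dacl->aces == NULL) { *granted = requested; return 1; }       /* null DACL: full access for all */
    for (i = 0; i < dacl->count; i++) {                               /* empty DACL: nothing is granted */
        const Ace *ace = &dacl->aces[i];
        if (!ace_applies(ace, tok)) continue;
        if (ace->type == ACE_DENY) {
            if (ace->mask & requested) { *granted = have; return 0; } /* explicit deny ends the walk */
            continue;
        }
        have |= ace->mask & requested;                                /* allowed rights accumulate */
        if (have == requested) { *granted = have; return 1; }        /* all granted: stop */
    }
    *granted = have;
    return 0;                                                         /* something outstanding: implicit deny */
}

/* Constructed data for the "Andrew" illustration: deny Andrew, allow Group A, allow Everyone. */
#define SID_ANDREW   "S-1-5-21-1000-2000-3000-1104"   /* constructed domain SIDs */
#define SID_MEMBER   "S-1-5-21-1000-2000-3000-1105"
#define SID_GROUP_A  "S-1-5-21-1000-2000-3000-2001"
#define SID_EVERYONE "S-1-1-0"
static const Ace k_ordered[] = {
    { ACE_DENY,  SID_ANDREW,   RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC },
    { ACE_ALLOW, SID_GROUP_A,  RIGHT_READ | RIGHT_WRITE },
    { ACE_ALLOW, SID_EVERYONE, RIGHT_READ | RIGHT_EXEC } };
static const Ace k_misordered[] = {   /* same ACEs, the deny placed after Everyone's allow */
    { ACE_ALLOW, SID_EVERYONE, RIGHT_READ | RIGHT_EXEC },
    { ACE_DENY,  SID_ANDREW,   RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC },
    { ACE_ALLOW, SID_GROUP_A,  RIGHT_READ | RIGHT_WRITE } };
static const Dacl k_dacl_ordered = { k_ordered, 3 }, k_dacl_misordered = { k_misordered, 3 };
static const Dacl k_dacl_null = { NULL, 0 }, k_dacl_empty = { k_ordered, 0 };  /* empty: allocated, no ACEs */

static const TokenSid k_andrew_sids[] = { { SID_ANDREW, SID_ENABLED }, { SID_EVERYONE, SID_ENABLED } };
static const TokenSid k_member_sids[] = { { SID_MEMBER, SID_ENABLED }, { SID_GROUP_A, SID_ENABLED },
                                          { SID_EVERYONE, SID_ENABLED } };
static const TokenSid k_restricted_sids[] = { { SID_MEMBER, SID_ENABLED }, { SID_GROUP_A, SID_DENY_ONLY },
                                              { SID_EVERYONE, SID_ENABLED } };
static const Token k_andrew = { k_andrew_sids, 2 }, k_member = { k_member_sids, 3 };
static const Token k_restricted = { k_restricted_sids, 3 };   /* Group A usable only to deny */

static void report(const char *label, const Dacl *d, const Token *t, unsigned req) {
    unsigned g;
    int ok = access_check(d, t, req, &g);
    printf("%-36s requested 0x%x -> %s (granted 0x%x)\n", label, req, ok ? "ALLOWED" : "DENIED", g);
}

int main(void) {
    report("member of Group A, ordered DACL", &k_dacl_ordered, &k_member, RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC);
    report("Andrew, ordered DACL", &k_dacl_ordered, &k_andrew, RIGHT_READ);
    report("Andrew, deny ACE placed too late", &k_dacl_misordered, &k_andrew, RIGHT_READ);
    report("Group A deny-only in token", &k_dacl_ordered, &k_restricted, RIGHT_WRITE);
    report("null DACL", &k_dacl_null, &k_andrew, RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC);
    report("empty DACL", &k_dacl_empty, &k_member, RIGHT_READ);
    return 0;
}
```

The misordered DACL is the case the text warns about: with Everyone's allow ACE first, Andrew's read request is fully satisfied before his deny ACE is ever read, so the deny only takes effect for rights that Everyone's ACE did not cover (write, in this data). The deny-only token shows why a restricted-token group cannot be used to gain access even though the same SID would still match a deny ACE.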
Allowing Anonymous Access
3/5/2021

The default security policy restricts anonymous local access to having no rights. Administrators can then add or
subtract rights as they see fit.
A local access group exists for applications with the same access rights as Everyone. Administrators can then
appropriately increase or decrease the number of users in that group, named the Pre-Windows 2000-Compatible
Access Group.
For more information, see the reference pages for the functions listed in the table of the Local Group Functions
topic.
Security Descriptor Definition Language
3/5/2021

The security descriptor definition language (SDDL) defines the string format that the
ConvertSecurityDescriptorToStringSecurityDescriptor and
ConvertStringSecurityDescriptorToSecurityDescriptor functions use to describe a security descriptor as a
text string. The language also defines string elements for describing information in the components of a security
descriptor.

NOTE
Conditional access control entries (ACEs) have a different SDDL format than other ACE types. For ACEs, see ACE Strings.
For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.

Related topics
Security Descriptor String Format
Security Descriptor Definition Language for Conditional ACEs
ACE Strings
SID Strings
[MS-DTYP]: Security Descriptor Description Language
Security Descriptor String Format
5/4/2021

The Security Descriptor String Format is a text format for storing or transporting information in a security
descriptor. The ConvertSecurityDescriptorToStringSecurityDescriptor and
ConvertStringSecurityDescriptorToSecurityDescriptor functions use this format.
The format is a null-terminated string with tokens to indicate each of the four main components of a security
descriptor: owner (O:), primary group (G:), DACL (D:), and SACL (S:).

NOTE
Access control entries (ACEs) and conditional ACEs have differing formats. For ACEs, see ACE Strings. For conditional ACEs,
see Security Descriptor Definition Language for Conditional ACEs.

O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
S:sacl_flags(string_ace1)(string_ace2)... (string_acen)

owner_sid
A SID string that identifies the object's owner.
group_sid
A SID string that identifies the object's primary group.
dacl_flags
Security descriptor control flags that apply to the DACL. For a description of these control flags, see the
SetSecurityDescriptorControl function. The dacl_flags string can be a concatenation of zero or more of the
following strings.

CONTROL CONSTANT IN SDDL.H MEANING

"P" SDDL_PROTECTED The SE_DACL_PROTECTED flag is set.

"AR" SDDL_AUTO_INHERIT_REQ The SE_DACL_AUTO_INHERIT_REQ flag is set.

"AI" SDDL_AUTO_INHERITED The SE_DACL_AUTO_INHERITED flag is set.

"NO_ACCESS_CONTROL" SDDL_NULL_ACL The ACL is null. Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
sacl_flags
Security descriptor control flags that apply to the SACL. The sacl_flags string uses the same control bit strings as
the dacl_flags string.
string_ace
A string that describes an ACE in the security descriptor's DACL or SACL. For a description of the ACE string
format, see ACE strings. Each ACE string is enclosed in parentheses (()).
Unneeded components can be omitted from the security descriptor string. For example, if the
SE_DACL_PRESENT flag is not set in the input security descriptor,
ConvertSecurityDescriptorToStringSecurityDescriptor does not include a D: component in the output
string. You can also use the SECURITY_INFORMATION bit flags to indicate the components to include in a
security descriptor string.
The security descriptor string format does not support NULL ACLs.
To denote an empty ACL, the security descriptor string includes the D: or S: token with no additional string
information.
The security descriptor string stores the SECURITY_DESCRIPTOR_CONTROL bits in different ways. The
SE_DACL_PRESENT or SE_SACL_PRESENT bits are indicated by the presence of the D: or S: token in the string.
Other bits that apply to the DACL or SACL are stored in dacl_flags and sacl_flags. The SE_OWNER_DEFAULTED,
SE_GROUP_DEFAULTED, SE_DACL_DEFAULTED, and SE_SACL_DEFAULTED bits are not stored in a security
descriptor string. The SE_SELF_RELATIVE bit is not stored in the string, but
ConvertStringSecurityDescriptorToSecurityDescriptor always sets this bit in the output security
descriptor.
The following examples show security descriptor strings and the information in the associated security
descriptors.
String 1:

"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

Security Descriptor 1:
Revision: 0x00000001
Control: 0x0004
SE_DACL_PRESENT
Owner: (S-1-5-32-548)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Others(0x0000003f)
Ace Sid : (S-1-0-0)
SACL
Not present

String 2:

"O:DAG:DAD:(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)
(A;;RPWPCCDCLCRCWOWDSDSW;;;DA)
(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
(OA;;CCDC;6da8a4ff-0e52-11d0-a286-00aa003049e2;;AO)
(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
(A;;RPLCRC;;;AU)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)"

Security Descriptor 2:

Revision: 0x00000001
Control: 0x0014
SE_DACL_PRESENT
SE_SACL_PRESENT
Owner: (S-1-5-21-397955417-626881126-188441444-512)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x04
Size: 0x0104
AceCount: 0x0007
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x000f003f
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Others(0x0000003f)
Ace Sid: (S-1-5-18)
Ace[01]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0024
InheritFlags: 0x00
Access Mask: 0x000f003f
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Others(0x0000003f)
Ace Sid: (S-1-5-21-397955417-626881126-188441444-512)
Ace[02]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_USER
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[03]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_GROUP
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[04]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_LOCALGROUP
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-548)
Ace[05]
AceType: 0x05 (ACCESS_ALLOWED_OBJECT_ACE_TYPE)
AceSize: 0x002c
InheritFlags: 0x00
Access Mask: 0x00000003
Others(0x00000003)
Flags: 0x00000001, ACE_OBJECT_TYPE_PRESENT
ObjectType: GUID_C_PRINT_QUEUE
InhObjectType: GUID ptr is NULL
Ace Sid: (S-1-5-32-550)
Ace[06]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x00020014
READ_CONTROL
Others(0x00000014)
Ace Sid: (S-1-5-11)
SACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x02 (SYSTEM_AUDIT_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0xc0
SUCCESSFUL_ACCESS_ACE_FLAG
FAILED_ACCESS_ACE_FLAG
Access Mask: 0x000d002b
DELETE
WRITE_DAC
WRITE_OWNER
Others(0x0000002b)
Ace Sid: (S-1-1-0)
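A reader for the string format described above, covering the O:, G:, D: and S: tokens, dacl_flags and sacl_flags, the parenthesised ACE strings with their six semicolon-separated fields, and the rights field, as an added example in plain C. It is not ConvertStringSecurityDescriptorToSecurityDescriptor: the rights-token-to-mask table is an assumed subset of the SDDL_* constants in Sddl.h, and the two inputs it runs on are String 1 and String 2 from this page (their access masks can be checked against the dumps above). Conditional ACEs and attribute names containing ":" are outside what it handles.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a reader for "O:...G:...D:flags(ace)...S:flags(ace)..." strings, not
 * ConvertStringSecurityDescriptorToSecurityDescriptor. Conditional ACEs and attribute
 * names containing ':' are out of scope. */
#define MAX_ACES 16
#define FLD 64

typedef struct {
    char type[FLD], flags[FLD], rights[FLD], obj[FLD], inh[FLD], sid[FLD];
    unsigned long mask;                   /* rights field decoded to an access mask */
} AceStr;
typedef struct {
    char owner[FLD], group[FLD], dacl_flags[FLD], sacl_flags[FLD];
    int dacl_present, sacl_present;       /* D: / S: token seen (SE_DACL_PRESENT / SE_SACL_PRESENT) */
    AceStr dacl[MAX_ACES], sacl[MAX_ACES];
    int ndacl, nsacl;
} SdStr;

/* Rights tokens to mask bits: an assumed subset of the SDDL_* constants in Sddl.h.
 * A hex field ("0x...") is taken literally; an unknown token yields 0. */
static unsigned long rights_mask(const char *r) {
    static const struct { const char *t; unsigned long v; } tab[] = {
        {"CC",0x1},{"DC",0x2},{"LC",0x4},{"SW",0x8},{"RP",0x10},{"WP",0x20},{"DT",0x40},{"LO",0x80},
        {"CR",0x100},{"SD",0x10000},{"RC",0x20000},{"WD",0x40000},{"WO",0x80000},{"GA",0x10000000},
        {"GX",0x20000000},{"GW",0x40000000},{"GR",0x80000000},{"FA",0x1F01FF},{"FR",0x120089},
        {"FW",0x120116},{"FX",0x1200A0},{"KA",0xF003F},{"KR",0x20019},{"KW",0x20006},{"KX",0x20019} };
    unsigned long m = 0; size_t i, ntab = sizeof tab / sizeof tab[0];
    if (r[0] == '0' && (r[1] == 'x' || r[1] == 'X')) return strtoul(r, NULL, 16);
    for (; r[0] && r[1]; r += 2) {
        for (i = 0; i < ntab && !(r[0] == tab[i].t[0] && r[1] == tab[i].t[1]); i++) {}
        if (i == ntab) return 0;
        m |= tab[i].v;
    }
    return m;
}

static void copy_field(char *d, const char *s, size_t n) { if (n >= FLD) n = FLD - 1; memcpy(d, s, n); d[n] = '\0'; }

/* One ACE body (text between the parentheses): type;flags;rights;object_guid;inherit_guid;sid */
static int parse_ace(AceStr *a, const char *s, const char *end) {
    char *f[6] = { a->type, a->flags, a->rights, a->obj, a->inh, a->sid };
    int i;
    for (i = 0; i < 6; i++) {
        const char *q = memchr(s, ';', (size_t)(end - s));
        if (!q) q = end;
        if (i < 5 && q == end) return 0;  /* fewer than six fields */
        copy_field(f[i], s, (size_t)(q - s));
        s = q + 1;
    }
    a->mask = rights_mask(a->rights);
    return 1;
}

/* Whole descriptor string; components may be omitted, and "D:" alone is an empty DACL. */
static int parse_sd(SdStr *sd, const char *s) {
    memset(sd, 0, sizeof *sd);
    while (*s) {
        char kind = s[0]; const char *e, *p;
        if (s[1] != ':' || !strchr("OGDS", kind)) return 0;
        for (e = s += 2; *e && !(e[1] == ':' && strchr("OGDS", e[0])); e++) {}  /* find next X: token */
        if (kind == 'O' || kind == 'G') {
            copy_field(kind == 'O' ? sd->owner : sd->group, s, (size_t)(e - s));
        } else {
            AceStr *list = kind == 'D' ? sd->dacl : sd->sacl;
            int *n = kind == 'D' ? &sd->ndacl : &sd->nsacl;
            *(kind == 'D' ? &sd->dacl_present : &sd->sacl_present) = 1;
            p = memchr(s, '(', (size_t)(e - s));
            copy_field(kind == 'D' ? sd->dacl_flags : sd->sacl_flags, s, (size_t)((p ? p : e) - s));
            while (p && p < e) {              /* one "(...)" per ACE; whitespace between ACEs tolerated */
                const char *q = memchr(p, ')', (size_t)(e - p));
                if (!q || *n == MAX_ACES || !parse_ace(&list[(*n)++], p + 1, q)) return 0;
                for (p = q + 1; p < e && (*p == ' ' || *p == '\n'); p++) {}
                if (p < e && *p != '(') return 0;
            }
        }
        s = e;
    }
    return 1;
}

/* String 1 and String 2 from this page (String 2 is shown there wrapped over several lines). */
static const char *const SD_STRING_1 = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)";
static const char *const SD_STRING_2 =
    "O:DAG:DAD:(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPWPCCDCLCRCWOWDSDSW;;;DA)"
    "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)"
    "(OA;;CCDC;6da8a4ff-0e52-11d0-a286-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)"
    "(A;;RPLCRC;;;AU)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)";

int main(void) {
    const char *const inputs[] = { SD_STRING_1, SD_STRING_2, "D:" };
    SdStr sd; int k;
    for (k = 0; k < 3; k++) {
        int ok = parse_sd(&sd, inputs[k]);
        printf("%s: owner=%s group=%s dacl=%d (%d ACEs, first mask 0x%08lx) sacl=%d (%d ACEs)\n",
               ok ? "ok" : "error", sd.owner, sd.group, sd.dacl_present, sd.ndacl, sd.dacl[0].mask,
               sd.sacl_present, sd.nsacl);
    }
    return 0;
}
```

The rights decoder is the part worth checking when reviewing a descriptor string: "RPWPCCDCLCSWRCWDWOGA" in String 1 decodes to 0x100e003f and "WDWOSDWPCCDCSW" in the SACL ACE of String 2 to 0x000d002b, the same masks the dumps above show, so a reviewer can confirm that a string grants WRITE_DAC or WRITE_OWNER before it is applied to an object.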
Related topics
ACE Strings
Security Descriptor Definition Language for Conditional ACEs
Security Descriptor Definition Language for Conditional ACEs
3/5/2021

A conditional access control entry (ACE) allows an access condition to be evaluated when an access check is
performed. The security descriptor definition language (SDDL) provides syntax for defining conditional ACEs in a
string format.
The SDDL for a conditional ACE is the same as for any ACE, with the syntax for the conditional statement
appended to the end of the ACE string. For information about SDDL, see Security Descriptor Definition
Language.
The "#" sign is synonymous with "0" in resource attributes. For example, D:AI(XA;OICI;FA;;;WD;
(OctetStringType==#1#2#3##)) is equivalent to and interpreted as D:AI(XA;OICI;FA;;;WD;
(OctetStringType==#01020300)).
Conditional ACE String Format

Each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following
order and are separated by semicolons (;).
AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid;(ConditionalExpression)
The fields are as described in ACE Strings, with the following exceptions.
The AceType field can be one of the following strings.

ACE TYPE STRING CONSTANT IN SDDL.H ACETYPE VALUE

"XA" SDDL_CALLBACK_ACCESS_ALLOWED ACCESS_ALLOWED_CALLBACK_ACE_TYPE

"XD" SDDL_CALLBACK_ACCESS_DENIED ACCESS_DENIED_CALLBACK_ACE_TYPE

The ACE string includes one or more conditional expressions, enclosed in parentheses at the end of the
string.

Conditional Expressions
A conditional expression can include any of the following elements.

EXPRESSION ELEMENT DESCRIPTION

AttributeName Tests whether the specified attribute has a nonzero value.

exists AttributeName Tests whether the specified attribute exists in the client context.

AttributeName Operator Value Returns the result of the specified operation.

ConditionalExpression || ConditionalExpression Tests whether either of the specified conditional expressions is true.

ConditionalExpression && ConditionalExpression Tests whether both of the specified conditional expressions are true.

!( ConditionalExpression ) The inverse of a conditional expression.

Member_of{ SidArray } Tests whether the SID_AND_ATTRIBUTES array of the client context contains all of the Security Identifiers (SIDs) in the comma-separated list specified by SidArray. For Allow ACEs, a client context SID must have the SE_GROUP_ENABLED attribute set to be considered a match. For Deny ACEs, a client context SID must have either the SE_GROUP_ENABLED or the SE_GROUP_USE_FOR_DENY_ONLY attribute set to be considered a match. The SidArray array can contain either SID strings (for example, "S-1-5-6") or SID aliases (for example, "BA").

Attributes
An attribute represents an element in the AUTHZ_SECURITY_ATTRIBUTES_INFORMATION array in the
client context. An attribute name can contain any alphanumeric characters and any of the characters ":", "/", ".",
and "_".
An attribute value can be any of the following types.

Value type   Description
Integer      A 64-bit integer in either decimal or hexadecimal notation.
String       A string value delimited by quotes.
SID          SID(S-1-1-0) or SID(BA). Must appear on the right-hand side (RHS) of Member_of or Device_Member_of.
BLOB         # followed by hexadecimal digits. If the number of digits is odd, the # is translated to a 0 to make it
             even. A # appearing elsewhere in the value is also translated to a 0.

Operators
The following operators are defined for use in conditional expressions to test the values of attributes. All of these
are binary operators and are used in the form AttributeName Operator Value.

Operator   Description
==         Conventional definition.
!=         Conventional definition.
<          Conventional definition.
<=         Conventional definition.
>          Conventional definition.
>=         Conventional definition.
Contains   TRUE if the value of the specified attribute is a superset of the specified value; otherwise, FALSE.
Any_of     TRUE if the specified value is a superset of the value of the specified attribute; otherwise, FALSE.

In addition, the unary operators Exists, Member_of, and negation (!) are defined as described in the Conditional
Expressions table.
The "Contains" operator must be preceded and followed by white space, and the "Any_of" operator must be
preceded by white space.

Operator Precedence
The operators are evaluated in the following order of precedence, with operations of equal precedence being
evaluated from left to right.
1. Exists, Member_of
2. Contains, Any_of
3. ==, !=, <, <=, >, >=
4. !
5. &&
6. ||
In addition, any portion of a conditional expression can be enclosed in parentheses. Expressions within
parentheses are evaluated first.

Unknown Values
The results of conditional expressions sometimes return a value of Unknown. For example, any of the relational
operations return Unknown when the specified attribute does not exist.
The following table describes the results for a logical AND operation between two conditional expressions,
ConditionalExpression1 and ConditionalExpression2.

ConditionalExpression1   ConditionalExpression2   ConditionalExpression1 && ConditionalExpression2
TRUE                     TRUE                     TRUE
TRUE                     FALSE                    FALSE
TRUE                     UNKNOWN                  UNKNOWN
FALSE                    TRUE                     FALSE
FALSE                    FALSE                    FALSE
FALSE                    UNKNOWN                  FALSE
UNKNOWN                  TRUE                     UNKNOWN
UNKNOWN                  FALSE                    FALSE
UNKNOWN                  UNKNOWN                  UNKNOWN

The following table describes the results for a logical OR operation between two conditional expressions,
ConditionalExpression1 and ConditionalExpression2.

ConditionalExpression1   ConditionalExpression2   ConditionalExpression1 || ConditionalExpression2
TRUE                     TRUE                     TRUE
TRUE                     FALSE                    TRUE
TRUE                     UNKNOWN                  TRUE
FALSE                    TRUE                     TRUE
FALSE                    FALSE                    FALSE
FALSE                    UNKNOWN                  UNKNOWN
UNKNOWN                  TRUE                     TRUE
UNKNOWN                  FALSE                    UNKNOWN
UNKNOWN                  UNKNOWN                  UNKNOWN

The negation of a conditional expression with a value of UNKNOWN is also UNKNOWN.

Conditional ACE Evaluation


The following table describes the access check result of a conditional ACE depending on the final evaluation of
the conditional expression.
ACE type   TRUE    FALSE        UNKNOWN
Allow      Allow   Ignore ACE   Ignore ACE
Deny       Deny    Ignore ACE   Deny

Examples
The following examples show how the specified access policies are represented by a conditional ACE defined by
using SDDL.
Policy
Allow Execute to Everyone if both of the following conditions are met:
  Title = PM
  Division = Finance or Division = Sales
SDDL
D:(XA;;FX;;;S-1-1-0;(@User.Title=="PM" && (@User.Division=="Finance" || @User.Division=="Sales")))

Policy
Allow execute if any of the user's projects intersect with the file's projects.
SDDL
D:(XA;;FX;;;S-1-1-0;(@User.Project Any_of @Resource.Project))

Policy
Allow read access if the user has logged in with a smart card, is a backup operator, and is connecting from a
machine with BitLocker enabled.
SDDL
D:(XA;;FR;;;S-1-1-0;(Member_of {SID(Smartcard_SID), SID(BO)} && @Device.Bitlocker))

Related topics
[MS-DTYP]: Security Descriptor Description Language
ACE Strings
5/4/2021 • 5 minutes to read

The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a
security descriptor string.
As shown in the Security Descriptor String Format examples, each ACE in a security descriptor string is enclosed
in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).

NOTE
There is a different format for conditional access control entries (ACEs) than other ACE types. For conditional ACEs, see
Security Descriptor Definition Language for Conditional ACEs.

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)

Fields
ace_type
A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string
can be one of the following strings defined in Sddl.h.

ACE type string   Constant in Sddl.h                      AceType value
"A"               SDDL_ACCESS_ALLOWED                     ACCESS_ALLOWED_ACE_TYPE
"D"               SDDL_ACCESS_DENIED                      ACCESS_DENIED_ACE_TYPE
"OA"              SDDL_OBJECT_ACCESS_ALLOWED              ACCESS_ALLOWED_OBJECT_ACE_TYPE
"OD"              SDDL_OBJECT_ACCESS_DENIED               ACCESS_DENIED_OBJECT_ACE_TYPE
"AU"              SDDL_AUDIT                              SYSTEM_AUDIT_ACE_TYPE
"AL"              SDDL_ALARM                              SYSTEM_ALARM_ACE_TYPE
"OU"              SDDL_OBJECT_AUDIT                       SYSTEM_AUDIT_OBJECT_ACE_TYPE
"OL"              SDDL_OBJECT_ALARM                       SYSTEM_ALARM_OBJECT_ACE_TYPE
"ML"              SDDL_MANDATORY_LABEL                    SYSTEM_MANDATORY_LABEL_ACE_TYPE
                  Windows Server 2003: Not available.
"XA"              SDDL_CALLBACK_ACCESS_ALLOWED            ACCESS_ALLOWED_CALLBACK_ACE_TYPE
                  Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"XD"              SDDL_CALLBACK_ACCESS_DENIED             ACCESS_DENIED_CALLBACK_ACE_TYPE
                  Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"RA"              SDDL_RESOURCE_ATTRIBUTE                 SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE
                  Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"SP"              SDDL_SCOPED_POLICY_ID                   SYSTEM_SCOPED_POLICY_ID_ACE_TYPE
                  Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"XU"              SDDL_CALLBACK_AUDIT                     SYSTEM_AUDIT_CALLBACK_ACE_TYPE
                  Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"ZA"              SDDL_CALLBACK_OBJECT_ACCESS_ALLOWED     ACCESS_ALLOWED_CALLBACK_ACE_TYPE
                  Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"TL"              SDDL_PROCESS_TRUST_LABEL                SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE
                  Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and
                  Windows Server 2003: Not available.
"FL"              SDDL_ACCESS_FILTER                      SYSTEM_ACCESS_FILTER_ACE_TYPE
                  Windows Server 2016, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507,
                  Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7,
                  Windows Server 2008, Windows Vista and Windows Server 2003: Not available.

NOTE
If ace_type is ACCESS_ALLOWED_OBJECT_ACE_TYPE and neither object_guid nor inherit_object_guid has a GUID
specified, then ConvertStringSecurityDescriptorToSecurityDescriptor converts ace_type to
ACCESS_ALLOWED_ACE_TYPE.

ace_flags
A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string
can be a concatenation of the following strings defined in Sddl.h.

ACE flags string   Constant in Sddl.h              AceFlag value
"CI"               SDDL_CONTAINER_INHERIT          CONTAINER_INHERIT_ACE
"OI"               SDDL_OBJECT_INHERIT             OBJECT_INHERIT_ACE
"NP"               SDDL_NO_PROPAGATE               NO_PROPAGATE_INHERIT_ACE
"IO"               SDDL_INHERIT_ONLY               INHERIT_ONLY_ACE
"ID"               SDDL_INHERITED                  INHERITED_ACE
"SA"               SDDL_AUDIT_SUCCESS              SUCCESSFUL_ACCESS_ACE_FLAG
"FA"               SDDL_AUDIT_FAILURE              FAILED_ACCESS_ACE_FLAG
"TP"               SDDL_TRUST_PROTECTED_FILTER     TRUST_PROTECTED_FILTER_ACE_FLAG
                   Windows Server 2016, Windows 10 Version 1607, Windows 10 Version 1511, Windows 10 Version 1507,
                   Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7,
                   Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"CR"               SDDL_CRITICAL                   CRITICAL_ACE_FLAG
                   Windows Server Version 1803, Windows 10 Version 1803, Windows Server Version 1709, Windows 10 Version 1709,
                   Windows 10 Version 1703, Windows Server 2016, Windows 10 Version 1607, Windows 10 Version 1511,
                   Windows 10 Version 1507, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8,
                   Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.

rights
A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string
representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.
Generic access rights
Access rights string   Constant in Sddl.h       Access right value
"GA"                   SDDL_GENERIC_ALL         GENERIC_ALL
"GR"                   SDDL_GENERIC_READ        GENERIC_READ
"GW"                   SDDL_GENERIC_WRITE       GENERIC_WRITE
"GX"                   SDDL_GENERIC_EXECUTE     GENERIC_EXECUTE

Standard access rights

Access rights string   Constant in Sddl.h       Access right value
"RC"                   SDDL_READ_CONTROL        READ_CONTROL
"SD"                   SDDL_STANDARD_DELETE     DELETE
"WD"                   SDDL_WRITE_DAC           WRITE_DAC
"WO"                   SDDL_WRITE_OWNER         WRITE_OWNER

Directory service object access rights

Access rights string   Constant in Sddl.h       Access right value
"RP"                   SDDL_READ_PROPERTY       ADS_RIGHT_DS_READ_PROP
"WP"                   SDDL_WRITE_PROPERTY      ADS_RIGHT_DS_WRITE_PROP
"CC"                   SDDL_CREATE_CHILD        ADS_RIGHT_DS_CREATE_CHILD
"DC"                   SDDL_DELETE_CHILD        ADS_RIGHT_DS_DELETE_CHILD
"LC"                   SDDL_LIST_CHILDREN       ADS_RIGHT_ACTRL_DS_LIST
"SW"                   SDDL_SELF_WRITE          ADS_RIGHT_DS_SELF
"LO"                   SDDL_LIST_OBJECT         ADS_RIGHT_DS_LIST_OBJECT
"DT"                   SDDL_DELETE_TREE         ADS_RIGHT_DS_DELETE_TREE
"CR"                   SDDL_CONTROL_ACCESS      ADS_RIGHT_DS_CONTROL_ACCESS

File access rights

Access rights string   Constant in Sddl.h       Access right value
"FA"                   SDDL_FILE_ALL            FILE_ALL_ACCESS
"FR"                   SDDL_FILE_READ           FILE_GENERIC_READ
"FW"                   SDDL_FILE_WRITE          FILE_GENERIC_WRITE
"FX"                   SDDL_FILE_EXECUTE        FILE_GENERIC_EXECUTE

Registry key access rights

Access rights string   Constant in Sddl.h       Access right value
"KA"                   SDDL_KEY_ALL             KEY_ALL_ACCESS
"KR"                   SDDL_KEY_READ            KEY_READ
"KW"                   SDDL_KEY_WRITE           KEY_WRITE
"KX"                   SDDL_KEY_EXECUTE         KEY_EXECUTE

Mandatory label rights

Access rights string   Constant in Sddl.h       Access right value
"NR"                   SDDL_NO_READ_UP          SYSTEM_MANDATORY_LABEL_NO_READ_UP
                       Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"NW"                   SDDL_NO_WRITE_UP         SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
                       Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"NX"                   SDDL_NO_EXECUTE_UP       SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
                       Windows Server 2008, Windows Vista and Windows Server 2003: Not available.

object_guid
A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE
structure, such as ACCESS_ALLOWED_OBJECT_ACE . The GUID string uses the format returned by the
UuidToString function.
The following table lists some commonly used object GUIDs.

Rights and GUID                            Permission
CR;ab721a53-1e2f-11d0-9819-00aa0040529b    Change password
CR;00299570-246d-11d0-a768-00aa006e0529    Reset password

inherit_object_guid
A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-
specific ACE structure. The GUID string uses the UuidToString format.
account_sid
SID string that identifies the trustee of the ACE.
resource_attribute
[OPTIONAL] The resource_attribute field is used only for resource attribute ACEs and is optional. It is a string
that indicates the attribute's data type, which can be one of the following data types defined in Sddl.h.
The "#" sign is synonymous with "0" in resource attributes. For example, D:AI(XA;OICI;FA;;;WD;(OctetStringType==#1#2#3##)) is equivalent to and interpreted as D:AI(XA;OICI;FA;;;WD;(OctetStringType==#01020300)).
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Resource
attributes are not available.

Resource attribute ACE data type string   Constant in Sddl.h   Data type
"TI"                                      SDDL_INT             Signed integer
"TU"                                      SDDL_UINT            Unsigned integer
"TS"                                      SDDL_WSTRING         Wide string
"TD"                                      SDDL_SID             SID
"TX"                                      SDDL_BLOB            Octet string
"TB"                                      SDDL_BOOLEAN         Boolean

The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has
no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, which
indicates that none of the ACE flags are set.

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0)

The ACE string shown above describes the following ACE information.

AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Other access rights (0x0000003f)
Ace Sid: (S-1-1-0)

The following example shows a file classified with resource claims for Windows and Structured Query Language
(SQL) with Secrecy set to High Business Impact.

(RA;CI;;;;S-1-1-0; ("Project",TS,0,"Windows","SQL"))
(RA;CI;;;;S-1-1-0; ("Secrecy",TU,0,3))
The ACE string shown above describes the following ACE information.

AceType: 0x12 (SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE)
AceFlags: 0x1 (SDDL_CONTAINER_INHERIT)
Access Mask: 0x0
Ace Sid: (S-1-1-0)
Resource Attributes: Project has the strings Windows and SQL, Secrecy has the unsigned int value of 3

For more information, see Security Descriptor String Format and SID Strings. For conditional ACEs, see Security
Descriptor Definition Language for Conditional ACEs.

Related topics
[MS-DTYP]: Security Descriptor Description Language
SID Strings
5/4/2021 • 5 minutes to read

In the security descriptor definition language (SDDL), security descriptor strings use SID strings for the following
components of a security descriptor:
Owner
Primary group
The trustee in an ACE
A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S)
or one of the string constants defined in Sddl.h. For more information about the standard SID string notation,
see SID Components.
The following SID string constants for well-known SIDs are defined in Sddl.h. For information about the
corresponding relative IDs (RIDs), see Well-known SIDs.

SDDL SID string  Constant in Sddl.h
                 Account alias and corresponding RID
"AA"  SDDL_ACCESS_CONTROL_ASSISTANCE_OPS
      Access control assistance operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"AC"  SDDL_ALL_APP_PACKAGES
      All applications running in an app package context. The corresponding RID is SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"AN"  SDDL_ANONYMOUS
      Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID.
"AO"  SDDL_ACCOUNT_OPERATORS
      Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS.
"AP"  SDDL_PROTECTED_USERS
      Protected Users. The corresponding RID is DOMAIN_GROUP_RID_PROTECTED_USERS.
      Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and
      Windows Server 2003: Not available.
"AU"  SDDL_AUTHENTICATED_USERS
      Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID.
"BA"  SDDL_BUILTIN_ADMINISTRATORS
      Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS.
"BG"  SDDL_BUILTIN_GUESTS
      Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS.
"BO"  SDDL_BACKUP_OPERATORS
      Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS.
"BU"  SDDL_BUILTIN_USERS
      Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS.
"CA"  SDDL_CERT_SERV_ADMINISTRATORS
      Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS.
"CD"  SDDL_CERTSVC_DCOM_ACCESS
      Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The
      corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP.
      Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"CG"  SDDL_CREATOR_GROUP
      Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID.
"CN"  SDDL_CLONEABLE_CONTROLLERS
      Cloneable domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"CO"  SDDL_CREATOR_OWNER
      Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID.
"CY"  SDDL_CRYPTO_OPERATORS
      Crypto operators. The corresponding RID is DOMAIN_ALIAS_RID_CRYPTO_OPERATORS.
      Windows Server 2003: Not available.
"DA"  SDDL_DOMAIN_ADMINISTRATORS
      Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS.
"DC"  SDDL_DOMAIN_COMPUTERS
      Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS.
"DD"  SDDL_DOMAIN_DOMAIN_CONTROLLERS
      Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS.
"DG"  SDDL_DOMAIN_GUESTS
      Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS.
"DU"  SDDL_DOMAIN_USERS
      Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS.
"EA"  SDDL_ENTERPRISE_ADMINS
      Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS.
"ED"  SDDL_ENTERPRISE_DOMAIN_CONTROLLERS
      Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID.
"EK"  SDDL_ENTERPRISE_KEY_ADMINS
      Enterprise key admins. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS.
      Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7,
      Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"ER"  SDDL_EVENT_LOG_READERS
      Event log readers. The corresponding RID is DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP.
      Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"ES"  SDDL_RDS_ENDPOINT_SERVERS
      Endpoint servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"HA"  SDDL_HYPER_V_ADMINS
      Hyper-V administrators. The corresponding RID is DOMAIN_ALIAS_RID_HYPER_V_ADMINS.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"HI"  SDDL_ML_HIGH
      High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID.
      Windows Server 2003: Not available.
"IS"  SDDL_IIS_USERS
      Anonymous Internet users. The corresponding RID is DOMAIN_ALIAS_RID_IUSERS.
      Windows Server 2003: Not available.
"IU"  SDDL_INTERACTIVE
      Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on
      interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is
      SECURITY_INTERACTIVE_RID.
"KA"  SDDL_KEY_ADMINS
      Domain key admins. The corresponding RID is DOMAIN_GROUP_RID_KEY_ADMINS.
      Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7,
      Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"LA"  SDDL_LOCAL_ADMIN
      Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN.
"LG"  SDDL_LOCAL_GUEST
      Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST.
"LS"  SDDL_LOCAL_SERVICE
      Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID.
"LU"  SDDL_PERFLOG_USERS
      Performance Log users. The corresponding RID is DOMAIN_ALIAS_RID_LOGGING_USERS.
"LW"  SDDL_ML_LOW
      Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID.
      Windows Server 2003: Not available.
"ME"  SDDL_ML_MEDIUM
      Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID.
      Windows Server 2003: Not available.
"MP"  SDDL_ML_MEDIUM_PLUS
      Medium Plus integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_PLUS_RID.
      Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"MU"  SDDL_PERFMON_USERS
      Performance Monitor users. The corresponding RID is DOMAIN_ALIAS_RID_MONITORING_USERS.
"NO"  SDDL_NETWORK_CONFIGURATION_OPS
      Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS.
"NS"  SDDL_NETWORK_SERVICE
      Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID.
"NU"  SDDL_NETWORK
      Network logon user. This is a group identifier added to the token of a process when it was logged on across a
      network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID.
"OW"  SDDL_OWNER_RIGHTS
      Owner Rights SID. The corresponding RID is SECURITY_CREATOR_OWNER_RIGHTS_RID.
      Windows Server 2003: Not available.
"PA"  SDDL_GROUP_POLICY_ADMINS
      Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS.
"PO"  SDDL_PRINTER_OPERATORS
      Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS.
"PS"  SDDL_PERSONAL_SELF
      Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID.
"PU"  SDDL_POWER_USERS
      Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS.
"RA"  SDDL_RDS_REMOTE_ACCESS_SERVERS
      RDS remote access servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"RC"  SDDL_RESTRICTED_CODE
      Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding
      RID is SECURITY_RESTRICTED_CODE_RID.
"RD"  SDDL_REMOTE_DESKTOP
      Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS.
"RE"  SDDL_REPLICATOR
      Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR.
"RM"  SDDL_RMS__SERVICE_OPERATORS
      RMS Service. Available only in Windows Vista.
"RO"  SDDL_ENTERPRISE_RO_DCs
      Enterprise Read-only domain controllers. The corresponding RID is
      DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS.
      Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"RS"  SDDL_RAS_SERVERS
      RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS.
"RU"  SDDL_ALIAS_PREW2KCOMPACC
      Alias to grant permissions to accounts that use applications compatible with operating systems previous to
      Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS.
"SA"  SDDL_SCHEMA_ADMINISTRATORS
      Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS.
"SI"  SDDL_ML_SYSTEM
      System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID.
      Windows Server 2003: Not available.
"SO"  SDDL_SERVER_OPERATORS
      Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS.
"SS"  SDDL_SERVICE_ASSERTED
      Authentication service asserted. The corresponding RID is SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"SU"  SDDL_SERVICE
      Service logon user. This is a group identifier added to the token of a process when it was logged on as a
      service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID.
"SY"  SDDL_LOCAL_SYSTEM
      Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
"UD"  SDDL_USER_MODE_DRIVERS
      User-mode driver. The corresponding RID is SECURITY_USERMODEDRIVERHOST_ID_BASE_RID.
      Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"WD"  SDDL_EVERYONE
      Everyone. The corresponding RID is SECURITY_WORLD_RID.
"WR"  SDDL_WRITE_RESTRICTED_CODE
      Write Restricted code. The corresponding RID is SECURITY_WRITE_RESTRICTED_CODE_RID.
      Windows Server 2003: Not available.

The ConvertSidToStringSid and ConvertStringSidToSid functions always use the standard SID string
notation and do not support SDDL SID string constants.
For more information about well-known SIDs, see Well-known SIDs.
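As an added example for the ACE string fields described in ACE Strings and for the SID string aliases tabulated above (not Microsoft's code), the following Python decodes ACE strings into the numeric ACE_HEADER values, confirms that the page's (A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0) example yields access mask 0x100e003f, and resolves the machine-independent SID aliases. The numeric constants are those of Winnt.h and Sddl.h; the sample DACL string it runs on is constructed, and the function names are this example's own.

```python
"""Decode SDDL ACE strings into ACE_HEADER type, ACE flags, access mask and trustee SID.
Added example, not Microsoft's code. Constant values are those of Winnt.h/Sddl.h; only
machine-independent SID aliases are resolved (domain-relative ones such as "DA" need the
domain SID and are returned unchanged). Sample ACE strings below are constructed."""

ACE_TYPES = {"A": 0x00, "D": 0x01, "AU": 0x02, "AL": 0x03, "OA": 0x05, "OD": 0x06, "OU": 0x07,
             "OL": 0x08, "XA": 0x09, "XD": 0x0A, "XU": 0x0D, "ML": 0x11, "RA": 0x12, "SP": 0x13}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10, "SA": 0x40, "FA": 0x80}
# The same two letters mean different things in different fields: "FA" is FAILED_ACCESS in
# ace_flags but FILE_ALL_ACCESS in rights; "WD" is WRITE_DAC in rights but Everyone as a SID.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,    # generic
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,    # standard
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,          # directory service
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,    # file
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,    # registry key
    "NW": 0x1, "NR": 0x2, "NX": 0x4,                                            # mandatory label
}
SID_ALIASES = {
    "WD": "S-1-1-0", "CO": "S-1-3-0", "CG": "S-1-3-1", "OW": "S-1-3-4",
    "NU": "S-1-5-2", "IU": "S-1-5-4", "SU": "S-1-5-6", "AN": "S-1-5-7", "AU": "S-1-5-11",
    "RC": "S-1-5-12", "SY": "S-1-5-18", "LS": "S-1-5-19", "NS": "S-1-5-20",
    "BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "BG": "S-1-5-32-546", "PU": "S-1-5-32-547",
    "AO": "S-1-5-32-548", "SO": "S-1-5-32-549", "PO": "S-1-5-32-550", "BO": "S-1-5-32-551",
    "RE": "S-1-5-32-552", "RD": "S-1-5-32-555", "NO": "S-1-5-32-556", "AC": "S-1-15-2-1",
    "LW": "S-1-16-4096", "ME": "S-1-16-8192", "HI": "S-1-16-12288", "SI": "S-1-16-16384",
}


def decode_pairs(field, table, what):
    """Turn a concatenation of two-letter SDDL tokens into the OR of their bit values."""
    if len(field) % 2:
        raise ValueError(f"odd-length {what} field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        token = field[i:i + 2]
        if token not in table:
            raise ValueError(f"unknown {what} token {token!r}")
        mask |= table[token]
    return mask


def parse_ace(ace):
    """Parse "(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid[;extra])"."""
    ace = ace.strip()
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError("an ACE string must be enclosed in parentheses")
    parts = [p.strip() for p in ace[1:-1].split(";", 6)]  # the 7th field, if any, is kept raw
    if len(parts) < 6:
        raise ValueError("an ACE string needs at least six ';'-separated fields")
    ace_type, flags, rights, obj_guid, inh_guid, sid = parts[:6]
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ace_type {ace_type!r}")
    # rights may be written as a hex mask ("0x7800003F") instead of mnemonics
    mask = int(rights, 16) if rights.lower().startswith("0x") else decode_pairs(rights, RIGHTS, "rights")
    return {
        "ace_type": ACE_TYPES[ace_type],
        "ace_flags": decode_pairs(flags, ACE_FLAGS, "ace_flags"),
        "access_mask": mask,
        "object_guid": obj_guid or None,
        "inherit_object_guid": inh_guid or None,
        "account_sid": SID_ALIASES.get(sid, sid),
        # conditional expression (XA/XD) or resource attribute (RA), left for a dedicated parser
        "extra": parts[6] if len(parts) == 7 else None,
    }


def split_aces(acl):
    """Split a DACL/SACL string such as "D:PAI(...)(...)" into its ACE strings, tracking
    parenthesis depth so the nested parentheses of conditional ACEs survive intact."""
    body = acl.split(":", 1)[1] if acl[:2] in ("D:", "S:") else acl
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in ACL string")
    return aces


if __name__ == "__main__":
    # Constructed DACL: the page's access-allowed example plus a denied, inheritable ACE
    for ace in split_aces("D:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0)(D;OICI;GA;;;BG)"):
        d = parse_ace(ace)
        print(f"type=0x{d['ace_type']:02x} flags=0x{d['ace_flags']:02x} "
              f"mask=0x{d['access_mask']:08x} sid={d['account_sid']}")
```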

Related topics
[MS-DTYP]: Security Descriptor Description Language
Privileges
3/5/2021 • 2 minutes to read

A privilege is the right of an account, such as a user or group account, to perform various system-related
operations on the local computer, such as shutting down the system, loading device drivers, or changing the
system time. Privileges differ from access rights in two ways:
Privileges control access to system resources and system-related tasks, whereas access rights control access
to securable objects.
A system administrator assigns privileges to user and group accounts, whereas the system grants or denies
access to a securable object based on the access rights granted in the ACEs in the object's DACL.
Each system has an account database that stores the privileges held by user and group accounts. When a user
logs on, the system produces an access token that contains a list of the user's privileges, including those granted
to the user or to groups to which the user belongs. Note that the privileges apply only to the local computer; a
domain account can have different privileges on different computers.
When the user tries to perform a privileged operation, the system checks the user's access token to determine
whether the user holds the necessary privileges, and if so, it checks whether the privileges are enabled. If the
user fails these tests, the system does not perform the operation.
To determine the privileges held in an access token, call the GetTokenInformation function, which also
indicates which privileges are enabled. Most privileges are disabled by default.
The Windows API defines a set of string constants, such as SE_ASSIGNPRIMARYTOKEN_NAME, to identify the
various privileges. These constants are the same on all systems and are defined in Winnt.h. For a table of the
privileges defined by Windows, see Privilege Constants. However, the functions that get and adjust the privileges
in an access token use the LUID type to identify privileges. The LUID values for a privilege can differ from one
computer to another, and from one boot to another on the same computer. To get the current LUID that
corresponds to one of the string constants, use the LookupPrivilegeValue function. Use the
LookupPrivilegeName function to convert a LUID to its corresponding string constant.
The system provides a set of display names that describe each of the privileges. These are useful when you need
to display a description of a privilege to the user. Use the LookupPrivilegeDisplayName function to retrieve a
description string that corresponds to the string constant for a privilege. For example, on systems that use U.S.
English, the display name for the SE_SYSTEMTIME_NAME privilege is "Change the system time".
You can use the PrivilegeCheck function to determine whether an access token holds a specified set of
privileges. This is useful primarily to server applications that are impersonating a client.
A system administrator can use administrative tools, such as User Manager, to add or remove privileges for user
and group accounts. Administrators can programmatically use the Local Security Authority (LSA) functions to
work with privileges. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove
privileges from an account. The LsaEnumerateAccountRights function enumerates the privileges held by a
specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a
specified privilege.

Related topics
Authorization Constants
Enabling and Disabling Privileges in C++
Audit Generation
3/5/2021 • 2 minutes to read

C2-level security requirements specify that system administrators must be able to audit security-related events
and that access to this audit data must be limited to authorized administrators. The Windows API provides
functions enabling an administrator to monitor security-related events.
The security descriptor for a securable object can have a system access control list (SACL). A SACL contains
access control entries (ACEs) that specify the types of access attempts that generate audit reports. Each ACE
identifies a trustee, a set of access rights, and a set of flags that indicate whether the system generates audit
messages for failed access attempts, successful access attempts, or both.
The system writes audit messages to the security event log. For information about accessing the records in a
security event log, see Event Logging.
To read or write an object's SACL, a thread must first enable the SE_SECURITY_NAME privilege. For more
information, see SACL Access Right.
The Windows API also provides support for server applications to generate audit messages when a client tries
to access a private object. For more information, see Auditing Access To Private Objects.
Securable Objects
3/5/2021 • 2 minutes to read

A securable object is an object that can have a security descriptor. All named Windows objects are securable.
Some unnamed objects, such as process and thread objects, can have security descriptors too. For most
securable objects, you can specify an object's security descriptor in the function call that creates the object. For
example, you can specify a security descriptor in the CreateFile and CreateProcess functions.
In addition, the Windows security functions enable you to get and set the security information for securable
objects created on operating systems other than Windows. The Windows security functions also provide
support for using security descriptors with private, application-defined objects. For more information about
private securable objects, see Client/Server Access Control.
Each type of securable object defines its own set of specific access rights and its own mapping of generic access
rights. For information about the specific and generic access rights for each type of securable object, see the
overview for that type of object.
The following table shows the functions to use to manipulate the security information for some common
securable objects.

| Object type | Security descriptor functions |
| --- | --- |
| Files or directories on an NTFS file system | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Named pipes; anonymous pipes | GetSecurityInfo, SetSecurityInfo |
| Processes; threads | GetSecurityInfo, SetSecurityInfo |
| File-mapping objects | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Access tokens | SetKernelObjectSecurity, GetKernelObjectSecurity |
| Window-management objects (window stations and desktops) | GetSecurityInfo, SetSecurityInfo |
| Registry keys | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Windows services | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Local or remote printers | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Network shares | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Interprocess synchronization objects (events, mutexes, semaphores, and waitable timers) | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Job objects | GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, SetSecurityInfo |
| Directory service objects | These objects are handled by Active Directory Objects. For more information, see Active Directory Service Interfaces. |
Low-level Access Control

Low-level security functions help you work with security descriptors, access control lists (ACLs), and access
control entries (ACEs).
For a description of the model, see Access Control Model.

| Topic | Description |
| --- | --- |
| Low-level Security Descriptor Functions | Functions for setting and retrieving an object's security descriptor. |
| Low-level Security Descriptor Creation | Functions for creating a security descriptor and getting and setting the components of a security descriptor. |
| Absolute and Self-Relative Security Descriptors | Functions for checking or converting between absolute or self-relative format. |
| Low-level ACL and ACE Functions | Functions for managing ACLs and ACEs. |
Low-level Security Descriptor Functions

There are several pairs of low-level functions for setting and retrieving an object's security descriptor. Each of
these pairs works only with a limited set of Windows objects. For example, one pair works with file objects and
another works with registry keys. The following table shows the low-level functions to use with the different
types of securable objects.

| Object type | Low-level functions |
| --- | --- |
| Files; directories; mailslots; named pipes | Use the GetFileSecurity and SetFileSecurity functions. These functions use character strings to identify the securable object, instead of using handles. |
| Processes; threads; access tokens; file-mapping objects; semaphores; events; mutexes; waitable timers | Use the GetKernelObjectSecurity and SetKernelObjectSecurity functions. |
| Window stations; desktops | Use the GetUserObjectSecurity and SetUserObjectSecurity functions. |
| Registry keys | Use the RegGetKeySecurity and RegSetKeySecurity functions. |
| Windows service objects | Use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions. |
| Printer objects | Use the PRINTER_INFO_2 structure with the GetPrinter and SetPrinter functions. |
| Network shares | Use level 502 with the NetShareGetInfo and NetShareSetInfo functions. |
| Private objects (objects private to the creating application) | Use the CreatePrivateObjectSecurity, DestroyPrivateObjectSecurity, GetPrivateObjectSecurity and SetPrivateObjectSecurity functions. |
Low-level Security Descriptor Creation

Low-level access control provides a set of functions for creating a security descriptor and getting and setting the
components of a security descriptor. The low-level functions for initializing and setting the components of a
security descriptor work only with absolute-format security descriptors. The low-level functions for getting the
components of a security descriptor work with both absolute and self-relative security descriptors.
The InitializeSecurityDescriptor function initializes a SECURITY_DESCRIPTOR buffer. The initialized
security descriptor is in absolute format and has no owner, primary group, discretionary access control list
(DACL), or system access control list (SACL). You can use the following low-level functions to get or set specific
components of a specified security descriptor.

| Function | Description |
| --- | --- |
| GetSecurityDescriptorControl | Retrieves revision and control information from a security descriptor. |
| GetSecurityDescriptorDacl | Retrieves the DACL from a security descriptor. |
| GetSecurityDescriptorGroup | Retrieves the primary group security identifier (SID) from a security descriptor. |
| GetSecurityDescriptorLength | Returns the length of a security descriptor. |
| GetSecurityDescriptorOwner | Retrieves the owner SID from a security descriptor. |
| GetSecurityDescriptorSacl | Retrieves the SACL from a security descriptor. |
| SetSecurityDescriptorDacl | Puts a DACL into a security descriptor, superseding any existing DACL. |
| SetSecurityDescriptorGroup | Sets the primary group SID of a security descriptor. |
| SetSecurityDescriptorOwner | Sets the owner SID of a security descriptor. |
| SetSecurityDescriptorSacl | Puts a SACL into a security descriptor, superseding any existing SACL. |

To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor
function.
Absolute and Self-Relative Security Descriptors

A security descriptor can be in either absolute or self-relative format. In absolute format, a security descriptor
contains pointers to its information, not the information itself. In self-relative format, a security descriptor stores
a SECURITY_DESCRIPTOR structure and associated security information in a contiguous block of memory. To
determine whether a security descriptor is self-relative or absolute, call the GetSecurityDescriptorControl
function and check the SE_SELF_RELATIVE flag of the SECURITY_DESCRIPTOR_CONTROL parameter. You can
use the MakeSelfRelativeSD and MakeAbsoluteSD functions for converting between these two formats.
The absolute format is useful when you are building a security descriptor and have pointers to all of the
components, for example, when default settings for the owner, group, and discretionary ACL are available. In this
case, you can call the InitializeSecurityDescriptor function to initialize a SECURITY_DESCRIPTOR structure,
and then call functions such as SetSecurityDescriptorDacl to assign ACL and SID pointers to the security
descriptor.
In self-relative format, a security descriptor always begins with a SECURITY_DESCRIPTOR structure, but the
other components of the security descriptor can follow the structure in any order. Instead of using memory
addresses, the security descriptor's components are identified by offsets from the beginning of the descriptor.
This format is useful when a security descriptor must be stored on disk, transmitted by means of a
communications protocol, or copied in memory.
Except for MakeAbsoluteSD , all functions that return a security descriptor do so in self-relative format.
Security descriptors passed as arguments to a function can be in either self-relative or absolute form; for
more information, refer to the documentation for the function.
Low-level ACL and ACE Functions

To create an access control list (ACL) by using the low-level functions, allocate a buffer for the ACL and then
initialize it by calling the InitializeAcl function. To add access control entries (ACEs) to the end of a discretionary
access control list (DACL), use the AddAccessAllowedAce and AddAccessDeniedAce functions. The
AddAuditAccessAce function adds an ACE to the end of a system access control list (SACL). You can use the
AddAce function to add one or more ACEs at a specified position in an ACL. The AddAce function also allows
you to add an inheritable ACE to an ACL. The DeleteAce function removes an ACE from a specified position in
an ACL. The GetAce function retrieves an ACE from a specified position in an ACL. The FindFirstFreeAce
function retrieves a pointer to the first free byte in an ACL.
To modify an existing ACL in an object's security descriptor, use the GetSecurityDescriptorDacl or
GetSecurityDescriptorSacl function to get the existing ACL. You can use the GetAce function to copy ACEs
from the existing ACL. After allocating and initializing a new ACL, use functions such as AddAccessAllowedAce
and AddAce to add ACEs to it. When you have finished building the new ACL, use the
SetSecurityDescriptorDacl or SetSecurityDescriptorSacl function to add the new ACL to the object's
security descriptor.
You can use the AddAccessAllowedObjectAce , AddAccessDeniedObjectAce , or
AddAuditAccessObjectAce functions to add object-specific ACEs to the end of an ACL.
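The self-relative layout and the append-at-the-first-free-byte ACL construction described in the two preceding topics, as an added C example that is not part of this documentation: it declares the documented byte layouts and control bits locally (so it builds on any platform without windows.h), builds a descriptor whose owner SID and DACL are located by offsets rather than pointers, appends ACEs the way AddAccessAllowedAce and FindFirstFreeAce do, and performs the bounds check a reader should make before parsing a descriptor that arrived from disk or a network protocol. The SIDs, access masks and buffer sizes are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Values below mirror the documented Windows constants and byte layouts; they are
   defined locally so this example builds on any platform without windows.h. */
#define SE_DACL_PRESENT         0x0004
#define SE_SELF_RELATIVE        0x8000
#define ACCESS_ALLOWED_ACE_TYPE 0
#define SD_HDR  20  /* Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl */
#define ACL_HDR 8   /* AclRevision, Sbz1, AclSize, AceCount, Sbz2 */

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void     put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Encode S-1-<auth>-<subs...> in the binary SID layout; returns the SID length in bytes. */
static size_t encode_sid(uint8_t *out, uint16_t auth, const uint32_t *subs, uint8_t n) {
    out[0] = 1; out[1] = n;             /* SID_REVISION, SubAuthorityCount */
    memset(out + 2, 0, 6);              /* 48-bit identifier authority, big-endian */
    out[6] = (uint8_t)(auth >> 8); out[7] = (uint8_t)auth;
    for (uint8_t i = 0; i < n; i++) put32(out + 8 + 4 * i, subs[i]);
    return 8 + 4 * (size_t)n;
}

/* Analogue of InitializeAcl: AclSize records the buffer capacity, AceCount starts at zero. */
static void init_acl(uint8_t *acl, uint16_t capacity) {
    memset(acl, 0, capacity);
    acl[0] = 2;                         /* ACL_REVISION */
    put16(acl + 2, capacity);
}

/* Analogue of AddAccessAllowedAce: walk the existing ACEs (as FindFirstFreeAce does),
   append at the first free byte, and refuse if the ACL's declared size has no room. */
static int add_allowed_ace(uint8_t *acl, uint8_t flags, uint32_t mask, const uint8_t *sid, size_t sid_len) {
    uint16_t cap = get16(acl + 2), count = get16(acl + 4);
    size_t used = ACL_HDR, ace_len = 8 + sid_len;  /* AceType, AceFlags, AceSize, Mask, then the SID */
    for (uint16_t i = 0; i < count; i++) used += get16(acl + used + 2);
    if (used + ace_len > cap) return 0;
    acl[used] = ACCESS_ALLOWED_ACE_TYPE; acl[used + 1] = flags;
    put16(acl + used + 2, (uint16_t)ace_len);
    put32(acl + used + 4, mask);
    memcpy(acl + used + 8, sid, sid_len);
    put16(acl + 4, (uint16_t)(count + 1));
    return 1;
}

/* Build a self-relative descriptor: header, then owner SID, then DACL, each found by an
   offset from the start of the buffer instead of a pointer. Returns the total length. */
static size_t build_example_sd(uint8_t *sd, size_t cap) {
    static const uint32_t admins[] = {32, 544}, everyone[] = {0};
    uint8_t owner[16], world[12], acl[52];
    size_t owner_len = encode_sid(owner, 5, admins, 2);    /* S-1-5-32-544, constructed owner */
    size_t world_len = encode_sid(world, 1, everyone, 1);  /* S-1-1-0, Everyone */
    init_acl(acl, sizeof acl);
    add_allowed_ace(acl, 0, 0x00120089u, world, world_len); /* FILE_GENERIC_READ for Everyone */
    add_allowed_ace(acl, 0, 0x001F01FFu, owner, owner_len); /* FILE_ALL_ACCESS for the owner */
    size_t total = SD_HDR + owner_len + sizeof acl;
    if (cap < total) return 0;
    memset(sd, 0, SD_HDR);
    sd[0] = 1;                                    /* SECURITY_DESCRIPTOR_REVISION */
    put16(sd + 2, SE_SELF_RELATIVE | SE_DACL_PRESENT);
    put32(sd + 4, SD_HDR);                        /* OffsetOwner */
    put32(sd + 16, SD_HDR + (uint32_t)owner_len); /* OffsetDacl; group and SACL offsets stay 0 */
    memcpy(sd + SD_HDR, owner, owner_len);
    memcpy(sd + SD_HDR + owner_len, acl, sizeof acl);
    return total;
}

/* Structural check in the spirit of IsValidSecurityDescriptor for descriptors read from disk
   or the wire: every offset and declared size must lie inside the buffer before parsing. */
static int sd_is_valid(const uint8_t *sd, size_t len) {
    if (len < SD_HDR || sd[0] != 1 || !(get16(sd + 2) & SE_SELF_RELATIVE)) return 0;
    uint32_t off_owner = get32(sd + 4), off_dacl = get32(sd + 16);
    /* Compare by subtraction so a hostile offset cannot wrap the arithmetic. */
    if (off_owner && (off_owner > len - 8 || 4 * (size_t)sd[off_owner + 1] > len - 8 - off_owner))
        return 0;
    if ((get16(sd + 2) & SE_DACL_PRESENT) && off_dacl) {
        if (off_dacl > len - ACL_HDR) return 0;
        const uint8_t *acl = sd + off_dacl;
        size_t acl_size = get16(acl + 2), used = ACL_HDR;
        if (acl_size < ACL_HDR || acl_size > len - off_dacl) return 0;
        for (uint16_t i = 0; i < get16(acl + 4); i++) {  /* each ACE must fit inside AclSize */
            if (acl_size - used < 4) return 0;
            size_t ace_len = get16(acl + used + 2);
            if (ace_len < 8 || ace_len > acl_size - used) return 0;
            used += ace_len;
        }
    }
    return 1;
}

static int dacl_ace_count(const uint8_t *sd) { return get16(sd + get32(sd + 16) + 4); }

int main(void) {
    uint8_t sd[128]; size_t n = build_example_sd(sd, sizeof sd);
    printf("self-relative SD: %zu bytes, valid=%d, DACL ACEs=%d\n", n, sd_is_valid(sd, n), dacl_ace_count(sd));
    return 0;
}
```

The validity check is what a server should run on a descriptor it stored alongside a private object before handing it to an access check; a truncated buffer or an offset pointing past the end is rejected instead of being dereferenced.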
Access Control Editor

The access control editor is a set of property sheets and property pages that enable the user to view and modify
the components of an object's security descriptor. The editor consists of two main parts:
A basic security property page that provides a simple interface for editing the access control entries (ACEs) in
an object's discretionary access control list (DACL). This page can include an optional Advanced button that
displays the advanced security property sheet.
An advanced security property sheet with property pages that enable the user to edit the object's system
access control list (SACL), change the object's owner, or perform advanced editing of the object's DACL.
The CreateSecurityPage function creates the basic security property page. You can then use the
PropertySheet function or the PSM_ADDPAGE message to add this page to a property sheet.
Alternatively, you can use the EditSecurity function to display a property sheet that contains the basic security
property page.
For both CreateSecurityPage and EditSecurity , the caller must pass a pointer to an implementation of the
ISecurityInformation interface. The access control editor calls the methods of this interface to retrieve access
control information about the object being edited and to pass the user's input back to your application. The
ISecurityInformation methods have the following purposes:
To initialize the property pages.
Your implementation of the GetObjectInformation method passes an SI_OBJECT_INFO structure to
the editor. This structure specifies the property pages that you want the editor to display and other
information that determines the editing options available to the user.
To provide security information about the object being edited.
Your GetSecurity implementation passes the object's initial security descriptor to the editor. The
GetAccessRights and MapGeneric methods provide information about the object's access rights. The
GetInheritTypes method provides information about how the object's ACEs can be inherited by child
objects.
To pass the user's input back to your application.
When the user clicks Okay or Apply , the editor calls your SetSecurity method to pass back a security
descriptor containing the user's changes.
Basic Security Property Page

The basic security property page is the starting page of the property sheet displayed by the EditSecurity
function. You can also use the CreateSecurityPage function to create a basic security property page to insert in
your own property sheet.
The property page displays a list of the trustees named in the access control entries (ACEs) of the object's
discretionary access control list (DACL). The page also contains a list of the access rights supported by the
object. When the user selects a name from the list of trustees, the check boxes next to each access right indicate
the rights that are allowed or denied for that trustee. The user can then select or clear the check boxes to modify
the trustee's access rights. The user can also add or remove trustees from the list.
The basic security property page cannot display complex ACEs, such as object-specific ACEs, or ACE inheritance
information. To enable the user to view or edit such information, you can include an Advanced button on the
basic security page. The user can click the Advanced button to display an advanced security property sheet.
This property sheet has property pages that enable the user to edit the object's system access control list (SACL),
change the object's owner, or perform advanced editing of the object's DACL. To display the Advanced button,
set the SI_ADVANCED flag in the SI_OBJECT_INFO structure returned by your
ISecurityInformation::GetObjectInformation implementation.
You can use the pszPageTitle member of the SI_OBJECT_INFO structure to specify the title of the basic
security property page. The default title is Security .
Advanced Security Property Sheet

The advanced security property sheet enables the user to perform editing operations that are not available on
the basic security property page of an access control editor. The property sheet can include the following
property pages:
A Permissions property page for advanced editing of the object's discretionary access control list (DACL),
such as editing object-specific ACEs or controlling ACE inheritance.
An Auditing property page for viewing and editing the object's system access control list (SACL).
An Owner property page for changing the object's owner.
The user can display the advanced security property sheet by clicking the Advanced button on the basic
security property page. To display the Advanced button, set the SI_ADVANCED flag in the SI_OBJECT_INFO
structure returned by your ISecurityInformation::GetObjectInformation implementation.
Permissions Property Page

The Permissions property page contains controls for advanced editing of the ACEs in an object's DACL. This
page enables the user to view and edit all of the information in the DACL, including information that is not
available on the basic security property page. The advanced information includes object-specific ACEs and
information about ACE inheritance.
The Permissions property page is always included in the advanced security property sheet displayed when the
user clicks the Advanced button on the basic security property page.
Auditing Property Page

The access control editor can include an Auditing property page that enables the user to view and edit the
access control entries (ACEs) in an object's system access control list (SACL). For more information about SACLs,
see Access Control Lists (ACLs).
To view the Auditing property page
On the basic security property page, click Advanced . The Auditing property page is in the advanced
security property sheet.
To include the Auditing property page, set the SI_ADVANCED and SI_EDIT_AUDITS flags in the
SI_OBJECT_INFO structure returned by your ISecurityInformation::GetObjectInformation
implementation.
Owner Property Page

The access control editor can include an Owner property page that enables the user to change an object's owner.
For more information about an object's owner, see Owner of a New Object and Taking Object Ownership in
C++.
The Owner property page is in the advanced security property sheet displayed when the user clicks the
Advanced button on the basic security property page. To include the Owner property page, set the
SI_ADVANCED and SI_EDIT_OWNER flags in the SI_OBJECT_INFO structure returned by your
ISecurityInformation::GetObjectInformation implementation.
Client/Server Access Control

A server application provides services to clients. For example, a server could perform the following services on
behalf of a client:
Save and retrieve information from a private database
Access network resources
Start processes in the client's security context on the server's computer
A protected server controls access to its services. Windows provides security support that enables a server to do
the following:
Impersonate a client's security context, which causes the system to perform most access and privilege checks
against the client's access token rather than the server's
Log a client on to the server's computer
Connect to network resources using the client's security context
Create security descriptors to protect private objects
Determine whether a security descriptor allows access to a client
Determine whether a set of privileges are enabled in a client's token
Generate audit messages in the security event log to record attempts by a client to access objects or use
privileges
The Client Security Context

Like all processes, a protected server has a primary access token that describes its security context. When a
client connects to a protected server, the server may want to perform actions using the client's security context
instead of the server's security context. For example, when a client in a dynamic data exchange (DDE)
conversation requests information from a DDE server, the server needs to verify that the client is allowed access
to the information.
There are two ways that a server can act in the client's security context:
A thread of the server process can impersonate the client. In this case, the server's thread has an
impersonation access token that identifies the client, the client's groups, and the client's privileges. For more
information, see Client Impersonation.
The server can get the client's credentials and log the client on to the server's computer. This creates a new
logon session and produces a primary access token for the client. The server can then use the client's access
token to impersonate the client or to start a new process that runs in the security context of the client. For
more information, see Client Logon Sessions.
In most cases, impersonating the client is sufficient. Impersonation enables the server to check the client's access
to securable objects, check the client's privileges, and generate audit trail entries that identify the client. Typically,
a server needs to start a client logon session only if it needs to use the client's security context to access network
resources.
Client Impersonation (Authorization)

Impersonation is the ability of a thread to execute using different security information than the process that
owns the thread. Typically, a thread in a server application impersonates a client. This allows the server thread to
act on behalf of that client to access objects on the server or validate access to the client's own objects.
The Microsoft Windows API provides the following functions to begin an impersonation:
A DDE server application can call the DdeImpersonateClient function to impersonate a client.
A named-pipe server can call the ImpersonateNamedPipeClient function.
You can call the ImpersonateLoggedOnUser function to impersonate the security context of a logged-on
user's access token.
The ImpersonateSelf function enables a thread to generate a copy of its own access token. This is useful
when an application needs to change the security context of a single thread. For example, sometimes only
one thread of a process needs to enable a privilege.
You can call the SetThreadToken function to cause the target thread to run in the security context of a
specified impersonation token.
A Microsoft Remote Procedure Call (RPC) server application can call the RpcImpersonateClient function to
impersonate a client.
A security package or application server can call the ImpersonateSecurityContext function to impersonate
a client.
For most of these impersonations, the impersonating thread can revert to its own security context by calling the
RevertToSelf function. The exception is the RPC impersonation, in which the RPC server application calls
RpcRevertToSelf or RpcRevertToSelfEx to revert to its own security context.
Impersonation Levels (Authorization)

The SECURITY_IMPERSONATION_LEVEL enumeration defines four impersonation levels that determine the
operations a server can perform in the client's context.

| Impersonation level | Description |
| --- | --- |
| SecurityAnonymous | The server cannot impersonate or identify the client. |
| SecurityIdentification | The server can get the identity and privileges of the client, but cannot impersonate the client. |
| SecurityImpersonation | The server can impersonate the client's security context on the local system. |
| SecurityDelegation | The server can impersonate the client's security context on remote systems. |

The client of a named pipe, RPC, or DDE connection can control the impersonation level. For example, a named
pipe client can call the CreateFile function to open a handle to a named pipe and specify the server's
impersonation level.
When the named pipe, RPC, or DDE connection is remote, the flags passed to CreateFile to set the
impersonation level are ignored. In this case, the impersonation level of the client is determined by the
impersonation levels enabled by the server, which is set by a flag on the server's account in the directory
service. For example, if the server is enabled for delegation, the client's impersonation level will also be set to
delegation even if the flags passed to CreateFile specify the identification impersonation level.
DDE clients use the DdeSetQualityOfService function with the SECURITY_QUALITY_OF_SERVICE structure
to specify the impersonation level. The SecurityImpersonation level is the default for named pipe, RPC, and DDE
servers. The ImpersonateSelf , DuplicateToken , and DuplicateTokenEx functions allow the caller to specify
an impersonation level. Use the GetTokenInformation function to retrieve the impersonation level of an
access token.
At the SecurityImpersonation level, most of the thread's actions occur in the security context of the thread's
impersonation token rather than in the primary token of the process that owns the thread. For example, if an
impersonating thread opens a securable object, the system uses the impersonation token to check the thread's
access. Similarly, if an impersonating thread creates a new object, for example by calling the CreateFile
function, the owner of the new object is the default owner from the client's access token.
However, the system uses the primary token of the process rather than the impersonation token of the calling
thread in the following situations:
If an impersonating thread calls the CreateProcess function, the new process always inherits the primary
token of the process.
For functions that require the SE_TCB_NAME privilege, such as the LogonUser function, the system always
checks for the privilege in the primary token of the process.
For functions that require the SE_AUDIT_NAME privilege, such as the ObjectOpenAuditAlarm function, the
system always checks for the privilege in the primary token of the process.
In a call to the OpenThreadToken function, a thread can specify whether the function uses the
impersonation token or the primary token to determine whether to grant the requested access.
Impersonation Tokens

An impersonating thread has two access tokens:
A primary access token that describes the security context of the server. To get a handle to this token, call the
OpenProcessToken function.
An impersonation access token that describes the security context of the client being impersonated. To get a
handle to this token, call the OpenThreadToken function.
A server can use the impersonation token in the following functions:
In the AccessCheck , AccessCheckByType , and AccessCheckByTypeResultList functions to determine
whether a security descriptor allows the client a set of access rights.
In the AdjustTokenPrivileges function to enable or disable the client's privileges.
In the PrivilegeCheck function to determine whether a set of privileges are enabled in the client's token.
In functions that generate entries in the security event log, such as ObjectOpenAuditAlarm or
PrivilegedServiceAuditAlarm . These functions use an impersonation token to get information about the
client for the log entry.
Client Logon Sessions

A server with the SE_TCB_NAME privilege, such as a Windows service running in the LocalSystem Account, can
call the LogonUser function to authenticate a client on the computer that the server is running on. The
LogonUser function starts a new logon session and returns a primary access token that contains the client's
security information. You can use this primary token in calling the ImpersonateLoggedOnUser function to
impersonate the client or in calling the CreateProcessAsUser function to create a process that runs in the
security context of the client.
The advantage of authenticating the client in this way is that the server impersonating the authenticated client,
or a process created in the context of the authenticated client, can connect to remote network resources as the
client. If this authentication is not done, the server can connect to network resources only if it has acquired the
client's account name and password to pass to the WNetAddConnection2 function.
The disadvantage of authenticating the client in this way is that the server must have acquired the client's
credentials (domain name, user name, and password). If a remote client supplies these credentials to the server,
it is the responsibility of the client and server to ensure that the credentials are transmitted in a secure manner.
Processes in the Client Security Context

A server application can call the CreateProcessAsUser function to create a new process that runs in a client's
security context. When called with a client's access token, CreateProcessAsUser requires the
SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges, which are held by Windows
services running in the LocalSystem Account.
The CreateProcessAsUser function also requires a primary access token. A server can get a primary access
token for a client either by starting a logon session for the client or by impersonating the client and duplicating
the impersonation token.
The following procedures describe two ways to create a client process.
To create a client process by logging on to the client
1. Log the client on to the local computer using the client's credentials in a call to LogonUser . LogonUser
produces a primary token for the client's logon session.
2. If the server needs to use the client's security context, get access to the executable file for the client process
by using the primary token in a call to the ImpersonateLoggedOnUser function.
3. Create a process in the client's security context by using the primary token in a call to
CreateProcessAsUser .

NOTE
A process created by using the following technique may not be able to access network resources unless it has the client's
credentials.

To create a client process by impersonating the client
1. Start the impersonation by using an impersonation function, such as ImpersonateNamedPipeClient .
2. Call the OpenThreadToken function to get an impersonation token that has the security context of the
client.
3. Call the DuplicateTokenEx function to convert the impersonation token into a primary token.
4. Use the primary token in a call to the CreateProcessAsUser function to create a process in the client's
security context.
By default, CreateProcessAsUser creates the client process on a noninteractive window station and desktop.
To create an interactive process, the server must first set the discretionary access control lists (DACLs) of the
interactive window station and desktop to ensure that the client is allowed access to them. The preferred way to
do this is to log the client on, get the security identifier (SID) of the client's logon session, and then use that SID
in access-allowed ACEs on both the interactive window station and desktop. The server can then call
CreateProcessAsUser , specifying the interactive window station and desktop winsta0\default. For an example
that shows this procedure, see Starting an Interactive Client Process in C++.
Client Access to Network Resources

A server can use the following strategies to access network resources:
If the server has the account name and password of a client, it can call WNetAddConnection2 with the
client's credentials to map a local drive letter to a network share.
After calling LogonUser with client credentials, the server can call the CreateProcessAsUser function to
create a process for the client. This new client process can access network resources using the client's security
context. For example, the process can call the CreateFile function to open a file on a remote computer. The
system uses the client's primary token to check access attempts by the client process.
A server can call WNetAddConnection2 with null credentials to establish either a connection to a network
resource with server access or a default connection. If the server is running as the LocalSystem account, it
authenticates to the network resource under the security context of the domain server. If the server is
running under a service account, it authenticates as that account. For more information, see the LocalSystem
Account.
For information about protecting passwords, see Handling Passwords. For information about acquiring
credentials, see Asking the User for Credentials.
ACL-based Access Control

Just as the system uses security descriptors to control access to securable objects, a server can use security
descriptors to control access to its private objects. For more information about the Windows security model, see
Access Control Model.
A protected server can create a security descriptor with a DACL that specifies the types of access allowed for
various trustees. In a simple case, the server could create a single security descriptor to control access to all of
the server's data and functionality. For a finer granularity of protection, the server could create security
descriptors for each of its private objects, or for different types of functionality.
For example, when a client asks the server to create a new object in a database, the server could create a
security descriptor for the new private object. The server could then store the security descriptor with the private
object in the database. When a client tries to access the object, the server retrieves the security descriptor to
check the client's access rights. It is important to note that there is nothing in a security descriptor that
associates it with the object or functionality it is protecting. Instead, it is up to the protected server to maintain
the association.
Access to the private object can also be audited. Refer to Auditing Access to Private Objects for a description of
this.
Security Descriptors for Private Objects

To create a security descriptor, a protected server can use the same procedure that an application would use to
create a security descriptor for a securable object. For sample code, see Creating a Security Descriptor for a New
Object in C++. Alternatively, a protected server application can call the BuildSecurityDescriptor function to
do this. If a pointer to an existing self-relative security descriptor is supplied to BuildSecurityDescriptor , it will
build the new security descriptor with information taken from that security descriptor merged with new access
control information passed as parameters in the function call. The owner and group are optionally specified by
TRUSTEE structures passed to the function. The security descriptor created by BuildSecurityDescriptor is in
self-relative format.
In addition, the Windows API provides a set of functions for merging client security information with
information inherited from the security descriptor for a parent object or from a default security descriptor. The
CreatePrivateObjectSecurity , GetPrivateObjectSecurity , SetPrivateObjectSecurity , and
DestroyPrivateObjectSecurity functions provide the ability to retrieve default information from an access
token, support inheritance, and manipulate specific parts of the security descriptor. This can be useful when a
client creates a private object in a hierarchy of secured objects. For example, you could use the
CreatePrivateObjectSecurity function to create a security descriptor that contained ACEs specified by the
client, ACEs inherited from a parent object, and the default owner from the creating client's access token. While
BuildSecurityDescriptor creates security descriptors either from access control information passed into the
function call or from an existing security descriptor, CreatePrivateObjectSecurity creates a security descriptor
solely from the information in existing security descriptors.
The LookupSecurityDescriptorParts function obtains security descriptor information from an existing self-
relative security descriptor. This information includes the owner and group specification, the number of ACEs in
the SACL or DACL, and the list of ACEs in the SACL or DACL.
Checking Access to Private Objects

A protected server application must check a client's access rights before allowing the client to access a protected
private object. To do this, the server passes an impersonation token, a security descriptor, and a set of requested
access rights to AccessCheck . The access control entries (ACEs) in the security descriptor's DACL specify the
access rights allowed or denied to various trustees. The AccessCheck function compares the trustee in each
ACE to the trustees identified in the impersonation token. For a description of the algorithm used to grant or
deny access, see How DACLs Control Access to an Object.
The AccessCheckAndAuditAlarm function performs a similar access check. In addition, it generates audit
records in the security event log depending on the SACL in the security descriptor.
The AccessCheckByType and AccessCheckByTypeAndAuditAlarm functions are similar to AccessCheck
and AccessCheckAndAuditAlarm except that they allow you to check access to the subobjects of an object,
such as property sets or properties. The AccessCheckByTypeResultList and
AccessCheckByTypeResultListAndAuditAlarm functions are also similar to AccessCheck except that they
provide the access check results for each subobject in a hierarchy of the object's properties and property sets.
These functions use the OBJECT_TYPE_LIST structure to describe the hierarchy of objects for which access is
checked. The functions that generate an audit message use the AUDIT_EVENT_TYPE enumeration type to
indicate whether the object being checked is a directory service object. For more information about the
hierarchy of an object and its subobjects, see ACEs to Control Access to an Object's Properties.
The requested access rights passed to the AccessCheck and AccessCheckAndAuditAlarm functions must
not include any generic access rights. The server can use the MapGenericMask function to convert any generic
access rights to the corresponding specific and standard rights according to the mapping specified in the
GENERIC_MAPPING structure.
The AreAllAccessesGranted and AreAnyAccessesGranted functions compare a requested access mask with
a granted access mask.
For sample code that uses the AccessCheck function, see Verifying Client Access with ACLs in C++.
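The following is an added example, not code from the original page or from Windows itself: a small Python model of what the paragraphs above describe, namely MapGenericMask replacing generic bits with object-specific rights, and the ordered DACL walk that AccessCheck performs against the trustees in the impersonation token. The right bits, the SIDs and the DACL are constructed for the demonstration; the evaluation order (deny ACEs stop the walk, allow ACEs accumulate, the walk succeeds once nothing requested is outstanding) follows the description in How DACLs Control Access to an Object.

```python
"""Model of the AccessCheck DACL walk and of MapGenericMask.

Added example, not Windows code: the bit values and SIDs are constructed,
and the evaluation order follows the documentation's description of how a
DACL controls access (deny ACEs stop the walk, allow ACEs accumulate).
"""
from dataclasses import dataclass

# Constructed object-specific rights and the standard DELETE right.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x10000
# Generic rights occupy the top four bits, as the GENERIC_* rights do in Windows.
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = (
    0x80000000, 0x40000000, 0x20000000, 0x10000000)
GENERIC_BITS = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL


@dataclass(frozen=True)
class GenericMapping:          # stands in for GENERIC_MAPPING
    read: int
    write: int
    execute: int
    all: int


@dataclass(frozen=True)
class Ace:
    allow: bool                # True = access-allowed ACE, False = access-denied ACE
    sid: str                   # trustee
    mask: int                  # rights the ACE allows or denies


def map_generic_mask(mask, mapping):
    """Like MapGenericMask: replace generic bits by the object-specific rights."""
    specific = mask & ~GENERIC_BITS
    for bit, rights in ((GENERIC_READ, mapping.read), (GENERIC_WRITE, mapping.write),
                        (GENERIC_EXECUTE, mapping.execute), (GENERIC_ALL, mapping.all)):
        if mask & bit:
            specific |= rights
    return specific


def access_check(token_sids, dacl, requested):
    """Model of AccessCheck's DACL evaluation; returns (granted?, granted mask).

    ACEs are walked in order. An ACE whose trustee is not in the token is
    skipped. A deny ACE that overlaps still-outstanding rights ends the walk
    with a denial; an allow ACE removes its rights from the outstanding
    request. The walk succeeds as soon as nothing remains outstanding.
    """
    if requested & GENERIC_BITS:
        raise ValueError("generic rights must be mapped before calling access_check")
    if dacl is None:                 # a NULL DACL grants everything to everyone
        return True, requested
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and remaining & ace.mask:
            return False, 0
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True, requested
    return False, 0                  # empty DACL, or no ACE grants the rest


def are_all_accesses_granted(granted, desired):
    """Like AreAllAccessesGranted."""
    return granted & desired == desired


# Constructed SIDs for the demonstration (not real accounts).
EVERYONE = "S-1-1-0"
EDITORS = "S-1-5-21-0-0-0-1104"
INTERNS = "S-1-5-21-0-0-0-1105"
FILE_MAPPING = GenericMapping(read=READ, write=WRITE, execute=EXECUTE,
                              all=READ | WRITE | EXECUTE | DELETE)
# Canonical order: access-denied ACEs before access-allowed ACEs.
DOC_DACL = [
    Ace(allow=False, sid=INTERNS, mask=WRITE),
    Ace(allow=True, sid=EDITORS, mask=READ | WRITE),
    Ace(allow=True, sid=EVERYONE, mask=READ),
]


def check(groups, requested, dacl=DOC_DACL):
    """Access decision for a client whose token holds `groups` (plus Everyone)."""
    token_sids = frozenset(groups) | {EVERYONE}
    granted, _ = access_check(token_sids, dacl, map_generic_mask(requested, FILE_MAPPING))
    return granted
```

The point worth noticing is the deny ACE: a client who is both an Editor and an Intern is refused write access even though a later ACE would allow it, which is why the order of ACEs in a DACL matters and why generic rights must be mapped before the check, or the comparison against ACE masks is meaningless.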
The ConvertToAutoInheritPrivateObjectSecurity function creates and returns a security descriptor in a
format that allows the automatic propagation of inheritable ACEs. This security descriptor contains all of the
ACEs, inherited and noninherited, in the current security descriptor and is in self-relative format. The
ConvertToAutoInheritPrivateObjectSecurity function determines whether the ACEs are inherited or
noninherited by comparing all of the ACEs in the current security descriptor with all of the ACEs in its parent
security descriptor. There may not be a one-to-one correspondence between the two groups of ACEs. For
instance, an ACE that allows read/write permission can be equivalent to two ACEs: an ACE that allows read
permission and an ACE that allows write permission. A parent security descriptor may not be supplied when the
current security descriptor is the parent.
Auditing Access To Private Objects

A protected server can use the following functions to generate audit reports in the security event log.

AccessCheckAndAuditAlarm: Same as the AccessCheck function except that it can generate audit messages for failed or successful access attempts.
AccessCheckByTypeAndAuditAlarm: Same as the AccessCheckByType function except that it can generate audit messages for failed or successful access attempts.
AccessCheckByTypeResultListAndAuditAlarm: Same as the AccessCheckByTypeResultList function except that it can generate audit messages for failed or successful access attempts.
AccessCheckByTypeResultListAndAuditAlarmByHandle: Same as the AccessCheckByTypeResultListAndAuditAlarm function except that it allows the calling thread to perform the access check before impersonating the client.
ObjectCloseAuditAlarm: Generates an audit message to indicate that a client tried to close a private object.
ObjectDeleteAuditAlarm: Generates an audit message to indicate that a client tried to delete a private object.
ObjectOpenAuditAlarm: Generates an audit message to indicate that a client tried to open or create a private object.
ObjectPrivilegeAuditAlarm: Generates an audit message to indicate that a client tried to use a specified set of privileges in conjunction with an attempt to access a private object.
PrivilegedServiceAuditAlarm: Generates an audit message to indicate that a client tried to use a specified set of privileges.
Access Control for Application Resources

The Authorization Manager API and MMC snap-in available in Windows Server 2003 provide applications with a
flexible role-based access control framework. This framework includes a set of scriptable COM objects for web
and line-of-business applications.
The following sections provide information about controlling access to application resources:
Role-based Access Control
ACL-based Access Control
Role-based Access Control

The Authorization Manager API and MMC snap-in provide applications with a role-based access control
framework. The Authorization Manager API, also known as AzMan, provides a simplified development model in
which to manage flexible groups and business rules and store authorization policies. For more information, see
the following topics:
Advantages of Role-based Authorization
Authorization Manager Model
Windows XP: The Authorization Manager API and MMC snap-in are available as a download (Windows
Server 2003 Administration Tools Pack) from https://www.microsoft.com/downloads. This download supports
administration and development of Authorization Manager policies; it does not support deployment of
applications that use Authorization Manager to control access.

Related topics
Authorization Interfaces
Authorization Objects
Using Authorization in C++
Using Authorization in Script
Advantages of Role-based Authorization

The Authorization Manager API provides an authorization model that has several advantages over low-level
(ACL-based) authorization:
Simplifies access control administration.
Makes authorization available to scripts and applications developed using the Microsoft Visual Basic
development system.
Provides a mechanism to apply run-time business logic when checking access.
Authorization Manager Model

Authorization Manager provides a flexible framework for integrating role-based access control into applications.
It enables administrators who use those applications to provide access through assigned user roles that relate to
job functions.
Authorization Manager applications store authorization policy in the form of authorization stores that are stored
in Active Directory or XML files and apply authorization policy at run time.
Applications then call a run-time access check method that checks access against the policy information in the
authorization store.
Authorization policy includes the following parts:
Policy Stores, Applications, and Scopes
Users and Groups
Operations and Tasks
Roles
Business Rules
Collections
Policy Stores, Applications, and Scopes

Authorization policy stores, applications, and scopes represent different levels of organization of Authorization
Manager policy. A policy store can contain one or more applications, and an application can contain one or more
scopes.
Authorization Policy Stores
Applications
Scopes
Delegation
Related topics

Authorization Policy Stores


In the Authorization Manager API, an authorization policy store is represented by an IAzAuthorizationStore
object. The authorization policy store contains definitions and assignments of applications, scopes, operations,
tasks, roles, and user groups.
An authorization policy store can be stored either as an XML file or in Active Directory.
An application must initialize an authorization policy store before changing information in the store or using the
store policy to check client access to resources.
An authorization policy store can contain one or more IAzApplication objects that each represent authorization
policy for a specific application.

Applications
In the Authorization Manager API, an application is represented by an IAzApplication object. An authorization
policy store can contain authorization policy information for many applications. Using IAzApplication objects
allows you to store different authorization policy for different applications in a single policy store.
An authorization policy store must contain at least one application.

Scopes
In the Authorization Manager API, a scope is represented by an IAzScope object. Scopes provide an additional,
optional level of organization for an authorization policy. An application can contain one or more scopes, but
need not contain any (Authorization Manager provides a default, application-wide scope).
A scope is a subdivision within an application that separates resources from other resources that are used by
that application. If you have Authorization Manager groups, role assignments, role definitions, or task definitions
that you do not want to apply to an entire application, you can create them at the scope level.

Delegation
Authorization policy stores that are stored in Active Directory support delegation of administration.
Administration can be delegated to users and groups at the store, application, or scope level. Each level defines
administrative roles for the policy at that level. To delegate control to a user or group, assign them to the
administrator role; to allow a user or group to read the policy, assign them to the reader role.
Administrators of a store, application, or scope can read and modify the policy store at the delegated level.
Readers can read the policy store at the delegated level but cannot modify the store.

Related topics
Creating an Authorization Policy Store Object in C++
Creating an Application Object in C++
Delegating the Defining of Permissions in C++
Users and Groups

In Authorization Manager, recipients of authorization policy are represented by the following groups:
Windows Users and Groups
These groups include users, computers, and built-in groups for security principals.
LDAP Query Groups
Membership in these groups is dynamically calculated as needed from Lightweight Directory Access
Protocol (LDAP) queries. An LDAP query group is a type of application group.
Basic Application Groups
These groups consist of LDAP query groups, Windows users and groups, and other basic application
groups.

Windows Users and Groups


These are the same as the users and groups used throughout the Windows operating system.

LDAP Query Groups


In Authorization Manager, you can use LDAP queries to match the user's attributes with those of the user's
object in Active Directory.
For example, the following query finds everyone except Andy.

(&(objectCategory=person)(objectClass=user)(!cn=andy))

The following query finds all members of the someone alias at www.fabrikam.com.

(memberOf=CN=someone,OU=litwareinc,DC=Fabrikam,DC=com)
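To make the two queries above concrete, here is an added example (constructed directory entries, not Authorization Manager's own matching code): a small evaluator for the LDAP filter syntax an LDAP query group uses. It handles the operators the queries need (&, |, !, attribute=value, and the unparenthesised "(!cn=andy)" form that Active Directory accepts) and compares attribute names and values case-insensitively, as Active Directory does for these attributes. The entries, the DIRECTORY list and the function names are assumptions made for the demonstration.

```python
"""Evaluator for the LDAP filters used by LDAP query groups.

Added example with constructed directory entries; it is not Authorization
Manager's own matching code.
"""


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    pos = 0

    def parse_simple():
        # attribute=value, terminated by the closing parenthesis (not consumed here)
        nonlocal pos
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end
        return ("=", attr.strip(), value)

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            pos += 1
            # Active Directory accepts (!cn=andy) as well as the strict (!(cn=andy))
            node = ("!", parse() if text[pos] == "(" else parse_simple())
        else:
            node = parse_simple()
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def evaluate(node, entry):
    """True if the entry (dict of attribute -> list of values) matches the tree."""
    op = node[0]
    if op == "&":
        return all(evaluate(child, entry) for child in node[1])
    if op == "|":
        return any(evaluate(child, entry) for child in node[1])
    if op == "!":
        return not evaluate(node[1], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":
        return bool(values)                       # presence test
    return any(v.lower() == value.lower() for v in values)


# Constructed directory, not real accounts.
DIRECTORY = [
    {"cn": ["andy"], "objectCategory": ["person"], "objectClass": ["user"],
     "memberOf": ["CN=someone,OU=litwareinc,DC=Fabrikam,DC=com"]},
    {"cn": ["beth"], "objectCategory": ["person"], "objectClass": ["user"],
     "memberOf": ["CN=someone,OU=litwareinc,DC=Fabrikam,DC=com"]},
    {"cn": ["carl"], "objectCategory": ["person"], "objectClass": ["user"],
     "memberOf": ["CN=other,OU=litwareinc,DC=Fabrikam,DC=com"]},
    {"cn": ["SRV01"], "objectCategory": ["computer"], "objectClass": ["computer"]},
]


def query_group_members(filter_text, directory=DIRECTORY):
    """Names (cn) of the entries an LDAP query group would contain right now."""
    tree = parse_filter(filter_text)
    return sorted(entry["cn"][0] for entry in directory if evaluate(tree, entry))
```

Because membership is computed from the directory each time the group is evaluated, a change to a user's attributes (a department move, a removed memberOf) changes the group without any policy edit; that is the property that makes LDAP query groups convenient and also the reason the attributes they depend on should be ones only directory administrators can change.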

Basic Application Groups


In the Authorization Manager API, an application group is represented by an IAzApplicationGroup object. A
basic application group is a type of application group.
To define basic application group membership, define who is a member and define who is not a member. Both
of these steps are carried out in the same way. Specify zero or more Windows users and groups, previously
defined basic application groups, or LDAP query groups. The membership of the basic application group is
calculated by removing any nonmembers from the group. Authorization Manager does this automatically at run
time.
Nonmembership in a basic application group takes precedence over membership.
Circular membership definitions are not allowed; they result in the following error message: "Cannot add
GroupName. The following problem occurred: A loop has been detected."
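The membership rules just described, as an added example with constructed data (not Authorization Manager's code): a basic application group holds member and nonmember lists whose items are Windows SIDs, names of other basic groups, or LDAP query groups (modelled here as a predicate over the client's directory attributes). Nonmembership takes precedence, and a definition that would close a cycle is rejected with the loop error. The group names, SIDs and helper names are assumptions.

```python
"""Model of basic application group membership resolution.

Added example with constructed data, not Authorization Manager's code.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class LdapQueryGroup:
    name: str
    matches: Callable[[dict], bool]    # stands in for the LDAP query


@dataclass
class BasicGroup:                      # stands in for an IAzApplicationGroup of the basic type
    name: str
    members: list = field(default_factory=list)
    nonmembers: list = field(default_factory=list)


class LoopDetected(Exception):
    pass


def _referenced_groups(group, groups):
    """Names of basic groups this group's member and nonmember lists refer to."""
    return [i for i in group.members + group.nonmembers if isinstance(i, str) and i in groups]


def _reaches(start, target, groups, seen=frozenset()):
    if start == target:
        return True
    if start in seen:
        return False
    return any(_reaches(n, target, groups, seen | {start})
               for n in _referenced_groups(groups[start], groups))


def would_loop(groups, group_name, item):
    """True if adding `item` to `group_name` would make the definition circular."""
    return isinstance(item, str) and item in groups and _reaches(item, group_name, groups)


def add_member(groups, group_name, item, as_nonmember=False):
    """Add a member or nonmember, refusing definitions that would create a loop."""
    if would_loop(groups, group_name, item):
        raise LoopDetected(f"Cannot add {item}. The following problem occurred: "
                           "A loop has been detected.")
    target = groups[group_name]
    (target.nonmembers if as_nonmember else target.members).append(item)


def _item_matches(item, client, groups):
    if isinstance(item, LdapQueryGroup):
        return item.matches(client["attrs"])
    if item in groups:                          # nested basic application group
        return is_member(groups[item], client, groups)
    return item in client["sids"]               # Windows user or group SID


def is_member(group, client, groups):
    """Membership as Authorization Manager computes it at run time."""
    if any(_item_matches(i, client, groups) for i in group.nonmembers):
        return False                            # nonmembership wins over membership
    return any(_item_matches(i, client, groups) for i in group.members)


# Constructed SIDs, groups and clients (not real accounts).
EDITORS, CONTRACTOR_SID = "S-1-5-21-0-0-0-1104", "S-1-5-21-0-0-0-1201"
FINANCE = LdapQueryGroup("FinanceStaff", lambda attrs: attrs.get("department") == "Finance")
GROUPS = {
    "Contractors": BasicGroup("Contractors", members=[CONTRACTOR_SID]),
    "Approvers": BasicGroup("Approvers", members=[EDITORS, FINANCE], nonmembers=["Contractors"]),
}


def client_is_approver(sids, department):
    client = {"sids": set(sids), "attrs": {"department": department}}
    return is_member(GROUPS["Approvers"], client, GROUPS)
```

The nonmember list is the part to get right in practice: it is the only way to carve an exception out of a broad member set (everyone in Finance except contractors), and because it is evaluated first, a client who matches both lists is always excluded.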
Related topics
Defining Groups of Users in C++
Operations and Tasks

An operation is a low-level computer action. In the Authorization Manager API, an operation is represented by
an IAzOperation object. In general, operations are too many in number and too low-level to facilitate
administration. Group operations into tasks to simplify administration of authorization policy.
A task is represented by an IAzTask object and can contain one or more IAzOperation objects. An IAzTask
object can also contain other IAzTask objects, so that tasks can be nested. To facilitate administration, an
IAzTask object should represent a task that a real user wants to perform.
Access to the operations contained by a task can be qualified at run time by a business rule script associated
with the IAzTask object that represents that task. For more information about business rule scripts, see Business
Rules.
An IAzTask object can also represent a role definition by setting its IsRoleDefinition property to TRUE . The
Authorization Manager MMC snap-in user interface then displays that IAzTask object as a role. For more
information about role definitions, see Roles.

Related topics
Defining Operations in C++
Grouping Operations into Tasks in C++
Grouping Tasks into Roles in C++
Users and Groups
Roles

Roles serve two different purposes in Authorization Manager. A role is a set of tasks or operations to which a
category of users requires access, and it is also a set of users and groups that fit into that category.
Roles as Sets of Tasks
Roles as Sets of Users and Groups
Related topics

Roles as Sets of Tasks


An authorization policy assigns IAzTask objects to an IAzRole object to create sets of tasks. All users and
groups assigned to that IAzRole object then have permission to access all operations contained by those
IAzTask objects.
Because an IAzRole object represents both a set of tasks and a set of users and groups that have access to those
tasks, Authorization Manager provides a way to create role definitions that can be assigned to more than one
IAzRole object. An IAzTask object can contain other IAzTask objects. You can then use that IAzTask object as a
role definition by assigning it to one or more IAzRole objects. Set the IsRoleDefinition property of the
IAzTask object to TRUE to cause the Authorization Manager MMC snap-in user interface to display the
IAzTask object as a role.

Roles as Sets of Users and Groups


Assign users and groups to an IAzRole object to grant those users and groups access to the tasks assigned to
that IAzRole object by calling the AddMember or AddMemberName method. Assign existing application
groups, represented by IAzApplicationGroup objects, to an IAzRole object by calling the AddAppMember
method. All users and groups assigned to the IAzRole object have access to the tasks and operations assigned
to that role. For more information about application groups, see Users and Groups.

Related topics
Grouping Tasks into Roles in C++
Defining Groups of Users in C++
Adding Users to an Application Group in C++
Business Rules

A business rule allows an application to use logic at run time to qualify permissions granted to the client.
A business rule is a script written in the Visual Basic Scripting Edition (VBScript) programming language or
written using the Microsoft JScript development software that is associated with an IAzTask object. When an
application checks access for an operation, Authorization Manager first checks if the current client has access to
any tasks that contain that operation but that are not associated with business rules. If access is not granted this
way, Authorization Manager runs business-rule scripts associated with any task that contains the operation.
An application passes information to a business-rule script as a pair of arrays that represent the names and
values of parameters. The script has access to these parameters through an AzBizRuleContext object that is
created when the script runs.
A business-rule script cannot be assigned to a task contained by a delegated scope.
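The run-time check described across the Operations and Tasks, Roles and Business Rules sections, as an added example with a constructed policy (not the AzMan API): operations are grouped into tasks, which may nest; a task flagged as a role definition is assigned to roles; roles hold user and group SIDs; and a task may carry a business rule that receives the name/value parameter arrays the application passes. The check order follows the text above: a matching task without a business rule grants access outright, and only if none does are the business rules run. Here a rule is attached to the task assigned to the role, and the rule is a Python callable standing in for the VBScript or JScript; the policy, SIDs and function names are assumptions.

```python
"""Model of an Authorization Manager run-time access check.

Added example with constructed policy, not the AzMan API itself.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Task:                                   # stands in for IAzTask
    name: str
    operations: set = field(default_factory=set)
    subtasks: list = field(default_factory=list)          # nested IAzTask objects
    business_rule: Optional[Callable[[dict], bool]] = None  # stands in for the BizRule script
    is_role_definition: bool = False          # IsRoleDefinition


@dataclass
class Role:                                   # stands in for IAzRole
    name: str
    tasks: list
    members: set                              # user and group SIDs


def operations_of(task):
    """All operations a task grants, including those of nested tasks."""
    ops = set(task.operations)
    for sub in task.subtasks:
        ops |= operations_of(sub)
    return ops


def access_check(client_sids, operation, roles, param_names=(), param_values=()):
    """True if a client holding `client_sids` may perform `operation`."""
    params = dict(zip(param_names, param_values))   # the two arrays the application passes
    tasks = [t for r in roles if r.members & set(client_sids)
             for t in r.tasks if operation in operations_of(t)]
    # First pass: any matching task without a business rule grants access.
    if any(t.business_rule is None for t in tasks):
        return True
    # Second pass: run the business rules of the matching tasks that have one.
    return any(t.business_rule(params) for t in tasks)


# Constructed policy for an expense application (SIDs are not real accounts).
CLERKS, MANAGERS = "S-1-5-21-0-0-0-1301", "S-1-5-21-0-0-0-1302"
submit = Task("Submit expenses", {"SubmitExpense"})
report = Task("View reports", {"ViewReport"})
clerk_def = Task("Expense clerk", subtasks=[submit, report], is_role_definition=True)
approve_small = Task("Approve small expenses", {"ApproveExpense"},
                     business_rule=lambda p: p.get("Amount", 0) < 1000)
ROLES = [
    Role("Clerk", tasks=[clerk_def], members={CLERKS}),
    Role("Manager", tasks=[clerk_def, approve_small], members={MANAGERS}),
]


def can(client_sids, operation, **params):
    """Convenience wrapper: keyword arguments become the name/value parameter arrays."""
    return access_check(client_sids, operation, ROLES, list(params), list(params.values()))
```

Two consequences of the ordering are visible here. A business rule can only narrow access that a role would otherwise grant, never widen it, and a rule is never consulted for a client who already holds an unqualified task for the same operation; so a rule that is meant to apply to everyone must not be shadowed by an unconditioned task in another role the client holds.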

Related topics
Qualifying Access with Business Logic in C++
Collections (Authorization)

The Authorization Manager API provides interfaces that represent collections of other objects. For example, the
IAzRoles interface represents a collection of IAzRole objects.
The other interfaces that represent collections are IAzApplications , IAzApplicationGroups , IAzOperations ,
IAzScopes , and IAzTasks . Each of these interfaces provides properties that facilitate enumerating objects in a
collection.
AppContainer for Legacy Applications

The AppContainer environment is a restrictive process execution environment that can be used for legacy
applications to provide resource security. An application running in an AppContainer can only access resources
specifically granted to it. As a result, applications implemented in an AppContainer cannot be hacked to allow
malicious actions outside of the limited assigned resources.

Benefits of using an AppContainer environment


The AppContainer environment provides secure sandboxing of applications. It prevents the application from
accessing hardware, files, the registry, other applications, network connectivity, and network resources without
specific permission. Individual resources may be granted without exposing other resources. Additionally, the user's
identity is protected by giving the application a unique identity that is a concatenation of the user and the app,
and resources are granted using a least-privilege model. This further protects against an app impersonating the
user to gain access to other resources.
For more information about using AppContainer for Legacy Applications, see the following topics.

In this section
AppContainer Isolation: Isolation is the primary goal of an AppContainer execution environment. By isolating an application from unneeded resources and other applications, opportunities for malicious manipulation are minimized. Granting access based upon least-privilege prevents applications and users from accessing resources beyond their rights. Controlling access to resources protects the process, the device, and the network.
Implementing an AppContainer: An AppContainer is implemented by adding new information to the process token, changing SeAccessCheck() so that all legacy, unmodified access control list (ACL) objects block access requests from AppContainer processes by default, and re-ACL objects that should be available to AppContainers.
AppContainer Isolation

Isolation is the primary goal of an AppContainer execution environment. By isolating an application from
unneeded resources and other applications, opportunities for malicious manipulation are minimized. Granting
access based upon least-privilege prevents applications and users from accessing resources beyond their rights.
Controlling access to resources protects the process, the device, and the network.
Most vulnerabilities in Windows start with the application. Some common examples include an application
breaking out of its browser or sending a bad document to Internet Explorer, as well as exploitation of plugins
such as Flash. The more these applications can be isolated in an AppContainer, the safer the device and resources
are. Even if a vulnerability in an app is exploited, the app cannot access resources beyond what is granted to the
AppContainer. Malicious apps cannot take over the rest of the machine.

Credential Isolation
Managing identity and credentials, the AppContainer prevents the use of user credentials to gain access to
resources or login to other environments. The AppContainer environment creates an identifier that uses the
combined identities of the user and the application, so credentials are unique to each user/application pairing
and the application cannot impersonate the user.

Device Isolation
By isolating the application from device resources, such as passive sensors (camera, microphone, GPS) and money
pumps (3G/4G, dial phone), the AppContainer environment prevents the application from maliciously exploiting
the device. These resources are blocked by default and can be granted access as necessary. In some cases these
resources are further protected by 'brokers'. Some resources, such as keyboard and mouse, are always available
to the AppContainer and resident application.

File Isolation
Controlling file and registry access, the AppContainer environment prevents the application from modifying
files that it should not. Read-write access can be granted to specific persistent files and registry keys. Read-only
access is less restricted. An application always has access to the memory resident files created specifically for
that AppContainer.

Network Isolation
Isolating the application from network resources beyond those specifically allocated, AppContainer prevents the
application from 'escaping' its environment and maliciously exploiting network resources. Granular access can
be granted for Internet access, Intranet access, and acting as a server.

Process Isolation
By sandboxing the application's kernel objects, the AppContainer environment prevents the application from
influencing, or being influenced by, other application processes. This prevents a properly contained application
from corrupting other processes in the event of an exception.

Window Isolation
Isolating the application from other windows, the AppContainer environment prevents the application from
affecting other application interfaces.
Implementing an AppContainer

An AppContainer is implemented by adding new information to the process token, changing SeAccessCheck()
so that all legacy, unmodified access control list (ACL) objects block access requests from AppContainer
processes by default, and re-ACL objects that should be available to AppContainers.

The process
Begin by adding new information to the process token. Then change SeAccessCheck() so that all legacy,
unmodified ACLs will block access requests from AppContainer processes by default. Finally, re-ACL resources
that should be available to AppContainers.
The AppContainer SID is a persistent unique identifier for the AppContainer. Capability SIDs grant access to
groups of resources to groups of AppContainers. An AppContainerNumber is a transient DWORD used to
distinguish between AppContainers; it should not be used as an identity for the AppContainer.
To allow a single AppContainer to access a resource, add its AppContainerSID to the ACL for that resource.
To allow several specific AppContainers to access a resource, add all of their AppContainerSIDs to the ACL for
that resource.
To manage groups of permissions, create a Capability SID (a GUID) and put that Capability SID on all of the
resources to be granted. Then add the Capability SID to your process token.
To allow all AppContainers to access a resource, add the ALL APPLICATION PACKAGES SID to the ACL for that
resource. This acts like a wildcard.
Both AppContainerSID and CapabilitySID support access masks in Access Control Entries (ACE). Set as
appropriate.
Mandatory Integrity Control
3/25/2021 • 2 minutes to read • Edit Online

Mandatory Integrity Control (MIC) provides a mechanism for controlling access to securable objects. This
mechanism is in addition to discretionary access control and evaluates access before access checks against an
object's discretionary access control list (DACL) are evaluated.
MIC uses integrity levels and mandatory policy to evaluate access. Security principals and securable objects are
assigned integrity levels that determine their levels of protection or access. For example, a principal with a low
integrity level cannot write to an object with a medium integrity level, even if that object's DACL allows write
access to the principal.
Windows defines four integrity levels: low, medium, high, and system. Standard users receive medium, elevated
users receive high. Processes you start and objects you create receive your integrity level (medium or high) or
low if the executable file's level is low; system services receive system integrity. Objects that lack an integrity
label are treated as medium by the operating system; this prevents low-integrity code from modifying unlabeled
objects. Additionally, Windows ensures that processes running with a low integrity level cannot obtain access to
a process which is associated with an app container.

Integrity Labels
Integrity labels specify the integrity levels of securable objects and security principals. Integrity labels are
represented by integrity SIDs. The integrity SID for a securable object is stored in its system access control list
(SACL). The SACL contains a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) that in turn
contains the integrity SID. Any object without an integrity SID is treated as if it had medium integrity.
The integrity SID for a security principal is stored in its access token. An access token may contain one or more
integrity SIDs.
For detailed information about the defined integrity SIDs, see Well-known SIDs.

Process Creation
When a user attempts to launch an executable file, the new process is created with the minimum of the user
integrity level and the file integrity level. This means that the new process will never execute with higher
integrity than the executable file. If the administrator user executes a low integrity program, the token for the
new process functions with the low integrity level. This helps protect a user who launches untrustworthy code
from malicious acts performed by that code. The user data, which is at the typical user integrity level, is write-
protected against this new process.

Mandatory Policy
The SYSTEM_MANDATORY_LABEL_ACE ACE in the SACL of a securable object contains an access mask that
specifies the access that principals with integrity levels lower than the object are granted. The values defined for
this access mask are SYSTEM_MANDATORY_LABEL_NO_WRITE_UP ,
SYSTEM_MANDATORY_LABEL_NO_READ_UP , and SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP .
By default, the system creates every object with an access mask of
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP .
Every access token also specifies a mandatory policy that is set by the Local Security Authority (LSA) when the
token is created. This policy is specified by a TOKEN_MANDATORY_POLICY structure associated with the
token. This structure can be queried by calling the GetTokenInformation function with the value of the
TokenInformationClass parameter set to TokenMandatoryPolicy .
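The rules in this section, as an added example (a constructed Python model, not Windows code): the ordered integrity levels, the mandatory label ACE on an object's SACL with its policy mask, the unlabeled-is-medium rule, the min(user level, file level) rule for process creation, and the fact that the label check runs before the DACL check. The level values and policy bits mirror the RIDs of the integrity SIDs and the SYSTEM_MANDATORY_LABEL_NO_*_UP constants; the right bits, the DACL stand-in and the function names are assumptions.

```python
"""Model of Mandatory Integrity Control.

Added example, constructed: not the Windows implementation.
"""
from dataclasses import dataclass

# Integrity levels in order; the values are the RIDs of the integrity SIDs S-1-16-<rid>.
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000
# SYSTEM_MANDATORY_LABEL_NO_*_UP policy bits carried in the label ACE's access mask.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
# Constructed rights for the object type in this model (assumption).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class MandatoryLabel:            # stands in for the SYSTEM_MANDATORY_LABEL_ACE in the SACL
    level: int
    policy: int = NO_WRITE_UP    # the default mask the system gives every object


def mandatory_check(subject_level, label, requested):
    """Integrity check that runs before the DACL is consulted.

    A subject at or above the object's level passes. Below it, the label's
    policy mask says which classes of access are blocked ("no ... up").
    """
    if label is None:
        label = MandatoryLabel(MEDIUM)       # unlabeled objects are treated as medium
    if subject_level >= label.level:
        return True
    blocked = 0
    if label.policy & NO_WRITE_UP:
        blocked |= WRITE
    if label.policy & NO_READ_UP:
        blocked |= READ
    if label.policy & NO_EXECUTE_UP:
        blocked |= EXECUTE
    return not (requested & blocked)


def new_process_level(user_level, file_level):
    """A new process gets the lower of the user's level and the executable's level."""
    return min(user_level, file_level)


def access_allowed(subject_level, label, dacl_grants, requested):
    """Order of evaluation: MIC first; only then does the DACL decide.

    `dacl_grants` is the mask the DACL would grant (a stand-in for the DACL walk).
    """
    if not mandatory_check(subject_level, label, requested):
        return False
    return requested & dacl_grants == requested
```

The example makes the interaction explicit: a low-integrity process is refused write access to an unlabeled object even when the DACL grants it, while a read is allowed under the default NO_WRITE_UP policy; blocking reads as well requires labelling the object with NO_READ_UP, which is what a process that handles untrusted input should not be able to do to the user's data.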
User Account Control (Authorization)

User Account Control (UAC) enables users to perform common tasks as nonadministrators, called standard
users, and as administrators without having to switch users, log off, or use Run As. The "Never notify" setting
no longer disables UAC: it gives you a split token and always elevates automatically when elevated privilege is
required. This subtlety may cause your app to have compatibility problems. You can still disable UAC by using
Group Policy or by manually setting the registry key.
Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista: The "Never notify"
setting disables UAC.
For example, if you perform the following steps to change the "Never notify" setting, you get different outcomes
when you attempt to create a file in a folder that requires elevated privileges. The Windows 8 behavior is to
deny access. The Windows 7 behavior allows you to create the File.txt file.
1. Click or tap Start. In the search box, type "Change User Account Control settings".
2. Click or tap Change User Account Control settings to open it.
3. Move the slider to Never notify.
4. Click or tap OK.
5. Restart your computer.
6. Click or tap Start and then Run. In the Open box, type "Cmd.exe". Note that the title of the window doesn't
contain the string "Administrator".
7. Type "echo > %windir%\system32\File.txt".
UAC was added in Windows Server 2008 and Windows Vista. A standard user account is synonymous with a
user account in Windows XP. User accounts that are members of the local Administrators group will run most
applications as a standard user.
For information about UAC, see the following topics.

Guidelines for User Account Control in UI Development: General information about UAC.
Developing Applications that Require Administrator Privilege: Models for developing applications that perform operations that require administrative privilege, but that run as a standard user.
Authorization Reference: Detailed information about authorization functions, interfaces, structures, and other programming elements.
Developing Applications that Require Administrator Privilege

It is possible to develop an application that performs operations that require administrator privilege yet runs as
a standard user.
There are several models for accomplishing this.

Elevated Task Model: An application running as a standard user performs operations that require administrator
privilege by starting a scheduled task.
Operating System Service Model: An application running as a standard user communicates with a service
running as SYSTEM by using Remote Procedure Call (RPC).
Administrator Broker Model: The application is divided into two programs. One of the programs runs as a
standard user, and the other runs with administrator privilege.
Administrator COM Object Model: An application running as a standard user performs operations that require
administrator privilege by creating an elevated Component Object Model object.
Administrator Broker Model

In the administrator broker model, the application is divided into two programs. One of the programs runs as a
standard user, and the other runs with administrator privilege.
Using an application manifest, mark the standard user program with a requestedExecutionLevel of
asInvoker and mark the administrative program with a requestedExecutionLevel of requireAdministrator .
A user launches the standard user program first. When the user attempts to perform an operation that requires
a full administrator access token, the standard user program calls the ShellExecute function to launch the
administrative program. The ShellExecute function prompts the user for approval before running the
application with the user's full administrator access token. The administrative program can then perform tasks
that require administrator privilege.
The administrative program is not completely isolated from the standard user program. The administrative
program can enable interprocess communication with the standard user program. However, such
communication is limited by the default mandatory integrity policy. For information about mandatory integrity
considerations, see Designing Applications to Run at a Low Integrity Level.
The following are possible uses for the administrator broker model:
- Developing wizards. When a hardware wizard determines that a required driver is not installed on the
  computer or located in the enterprise's approved location, it calls an elevated application with the ability to
  move a driver into the computer store.
- Autorun.exe calling Setup.exe. When a user runs software from a CD, Autorun.exe, which runs as a standard
  user, starts Setup.exe, which runs as an administrator, to install the software onto the computer.
The following are drawbacks to using the administrator broker model:
- The transitions from application to application can be confusing to the user. It can be difficult to inform the
  user why a new application appears on the monitor.
- It can be difficult to pass state information between the two applications. For example, you would not use this
  model to pass state information between a standard user control panel (CPL) and its administrator
  counterpart simply to allow the same CPL to have administrative and standard user functionality. The
  standard user CPL would have to store its state somewhere.
- There can be a lot of replicated code when splitting the functionality between two programs.

Related topics
Developing Applications that Require Administrator Privilege
Administrator COM Object Model
Operating System Service Model
Elevated Task Model
Operating System Service Model

In the operating system service model, an application running as a standard user communicates with a service
running as SYSTEM by using Remote Procedure Call (RPC).
The standard user application is marked in the application manifest with a requestedExecutionLevel of
asInvoker . To perform an operation that requires administrator privilege, the standard user application makes a
request to the service.
One use for the operating system service model is to manage applications that could impact the system, such as
antivirus or other unwanted software and spyware. The standard user application allows the logged on user to
control some aspects of the service. The service is responsible for determining which operations it performs for
a standard user application. For example, an antivirus service might allow a standard user to start a scan of the
system, but it might not allow a standard user to disable real-time virus checking.
A major benefit of using the operating system service model is that no elevation prompting is required.
One drawback of using the operating system service model is that a service running on the system uses more
resources than a task, and a service cannot be stopped by a standard user. Consider using the Elevated Task
Model if it suffices.
To implement the operating system service model, create a standard user client application and an operating
system service. Install the service in the operating system during product installation time.

Related topics
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Administrator COM Object Model
Elevated Task Model
Elevated Task Model

In the elevated task model, an application running as a standard user performs operations that require
administrator privilege by starting a scheduled task.
Windows Server 2003 and Windows XP: The elevated task model is not supported.
Tasks do not consume as many system resources as services, and tasks automatically close when finished.
Consider using this model instead of the Operating System Service Model unless backward compatibility with
earlier operating systems is necessary.
To use a task to perform privileged operations for a standard user application, the following conditions must be
met:
- The task must be set to run as SYSTEM.
- The security descriptor associated with the task must be configured to allow standard users to start the task.
- The task scheduler service must be running.
For information about how to create and start tasks, see Task Scheduler.
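The three conditions above map directly onto the Task Scheduler COM API: the principal, the security descriptor passed to RegisterTaskDefinition, and a successful Connect(). The following is an added example, not code from the original page: it registers such a task (this part needs administrator rights and belongs in the installer) and then starts it the way a standard-user client would. The task name, the helper path and the SDDL string are assumptions for illustration.

```powershell
# Added example: register a SYSTEM task that standard users may start, then
# start it from the standard-user side. Task Scheduler 2.0 COM API.

$TASK_ACTION_EXEC           = 0
$TASK_LOGON_SERVICE_ACCOUNT = 5
$TASK_RUNLEVEL_HIGHEST      = 1
$TASK_CREATE_OR_UPDATE      = 6
$TASK_STATE_RUNNING         = 4
$taskName = 'ContosoPrivilegedHelper'           # assumed name

# --- Installer side (runs elevated) -------------------------------------
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()                                  # condition 3: fails if the service is stopped
$root = $svc.GetFolder('\')

$def = $svc.NewTask(0)
$def.RegistrationInfo.Description = 'Privileged helper started on demand by a standard-user client'
$def.Settings.AllowDemandStart = $true
$def.Settings.DisallowStartIfOnBatteries = $false

# Condition 1: run as SYSTEM.
$def.Principal.UserId    = 'NT AUTHORITY\SYSTEM'
$def.Principal.LogonType = $TASK_LOGON_SERVICE_ACCOUNT
$def.Principal.RunLevel  = $TASK_RUNLEVEL_HIGHEST

# The action runs as SYSTEM and any standard user can trigger it, so the
# command line is fixed here, the binary lives where only administrators can
# write, and requests from the client go through a channel the helper validates.
$action = $def.Actions.Create($TASK_ACTION_EXEC)
$action.Path = 'C:\Program Files\Contoso\PrivilegedHelper.exe'   # assumed path

# Condition 2: SYSTEM and Administrators get full control; Built-in Users get
# read and execute, which is what allows them to start (but not modify) the task.
$sddl = 'D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;GRGX;;;BU)'

$root.RegisterTaskDefinition($taskName, $def, $TASK_CREATE_OR_UPDATE,
                             $null, $null, $TASK_LOGON_SERVICE_ACCOUNT, $sddl) | Out-Null

# --- Client side (runs as a standard user) ------------------------------
function Start-PrivilegedTask {
    param([string]$Name)
    $s = New-Object -ComObject 'Schedule.Service'
    $s.Connect()
    $t = $s.GetFolder('\').GetTask($Name)
    $t.Run($null) | Out-Null
    while ($t.State -eq $TASK_STATE_RUNNING) { Start-Sleep -Milliseconds 200 }
    $t.LastTaskResult                            # exit code of the helper
}
Start-PrivilegedTask -Name $taskName
```

Anything the client can influence (arguments, files the helper reads, named pipes it opens) is the attack surface of this model, since the helper runs as SYSTEM regardless of who started it; the task definition itself should never take the executable path or arguments from the client.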

Related topics
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Administrator COM Object Model
Operating System Service Model
Administrator COM Object Model

In the administrator COM object model, an application running as a standard user performs operations that
require administrator privilege by creating an elevated Component Object Model object. For information about
creating an elevated COM object, see The COM Elevation Moniker.
One drawback to using the administrator COM object model is that the user is prompted each time a privileged
operation is performed.
Any user interface that can control the COM object must be presented by the COM object itself. Otherwise, an
unprivileged process could cause the elevated COM object to perform privileged operations without the user
being prompted.

Related topics
Developing Applications that Require Administrator Privilege
Administrator Broker Model
Elevated Task Model
Operating System Service Model
Using Authorization in C++

You can use the Authorization Manager API to control access to application resources.
If you have an existing access control solution based on access control lists (ACLs) and want to avoid converting
this solution to use Authorization Manager, you can continue to use ACLs to control access to resources. For
information about controlling access to resources using ACLs, see Defining Permissions with ACLs in C++,
Establishing a Client Context from a SID in C++, and Verifying Client Access with ACLs in C++.

NOTE
For large enterprises, there is a trade-off between administrative overhead and performance. As the number of secured
resources and users increases, the administration of ACLs becomes more complicated, but ACL performance does not
degrade, because the access information is stored with each secured resource. Authorization Manager centralizes the
policy, which simplifies administration, but its performance is affected by scale.

For information about other authorization tasks, see Supporting Tasks for Authorization in C++.

Defining Permissions in C++: Define which users have access to which application resources by creating an
authorization policy store.
Verifying Client Access to a Requested Resource in C++: Check whether the client has access to one or more
operations.
Delegating the Defining of Permissions in C++: Delegate the administration of authorization policy stores that
are stored in Active Directory.
Defining Permissions in C++

In Authorization Manager, you define which users have access to which application resources by creating an
authorization policy store.
For information about defining permissions with ACLs, see Defining Permissions with ACLs in C++.
To define access permissions
1. Create the store where the authorization policy is defined: Creating an Authorization Policy Store Object in C++
2. Create a section in the authorization policy store for a specific application: Creating an Application Object in C++
3. Define operations that the application implements to access and modify resources: Defining Operations in C++
4. Group operations into high-level tasks that users want to perform: Grouping Operations into Tasks in C++
5. Define roles that consist of groups of tasks: Grouping Tasks into Roles in C++
   A user that is assigned to a role has permission to perform any task assigned to that role.
6. Create scripts to qualify access to tasks at run time: Qualifying Access with Business Logic in C++
   This step is optional.
7. Define groups of users: Defining Groups of Users in C++
   These groups can then be assigned to roles to determine which tasks they can perform.
8. Add users to user groups: Adding Users to an Application Group in C++
Verifying Client Access to a Requested Resource in C++

Call the AccessCheck method of the IAzClientContext interface to check if the client has access to one or
more operations. A client might have membership in more than one role, and an operation might be assigned to
more than one task, so Authorization Manager checks for all roles and tasks. If any role to which the client
belongs contains any task that contains an operation, access to that operation is granted.
To check access for only a single role to which the client belongs, set the RoleForAccessCheck property of the
IAzClientContext interface.
When initializing the authorization policy store for access check, you must pass zero as the value of the lFlags
parameter of the IAzAuthorizationStore::Initialize method.
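The eight-step procedure in Defining Permissions in C++ and the access check described here are easier to see end to end in one script. The following is an added example, not code from the original page: it drives the same AzRoles COM objects from Windows PowerShell, builds a store, application, two operations, a task, a role and a group, assigns the current user, then reopens the store with flags = 0 and checks both operations. The store path, the Expense/SubmitExpense/ApproveExpense/Approver names and the use of the current user as the client are assumptions for illustration; azroles.dll ships with Windows but is deprecated.

```powershell
# Added example: Authorization Manager policy store and access check from
# PowerShell. Constants are the AZ_* values from azroles.h.
$AZ_AZSTORE_FLAG_CREATE = 1
$AZ_GROUPTYPE_BASIC     = 1
$storeDir = 'C:\AzPolicy'                       # assumed location
$storeUrl = "msxml://$storeDir\Expense.xml"

# Whoever can write this file controls the policy, so the directory should be
# writable only by administrators and the application's service account.
New-Item -ItemType Directory -Path $storeDir -Force | Out-Null
if (Test-Path "$storeDir\Expense.xml") { Remove-Item "$storeDir\Expense.xml" }

# Steps 1 and 2: store and application.
$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $storeUrl, $null)
$store.Submit(0, $null)
$app = $store.CreateApplication('Expense', $null)
$app.Submit(0, $null)

# Step 3: operations, each with a stable numeric ID the code checks against.
$opSubmit  = $app.CreateOperation('SubmitExpense',  $null); $opSubmit.OperationID  = 1; $opSubmit.Submit(0, $null)
$opApprove = $app.CreateOperation('ApproveExpense', $null); $opApprove.OperationID = 2; $opApprove.Submit(0, $null)

# Steps 4 and 5: task -> role. Only ApproveExpense is granted to anyone.
$task = $app.CreateTask('Approve expense report', $null)
$task.AddOperation('ApproveExpense', $null)
$task.Submit(0, $null)
$role = $app.CreateRole('Approver', $null)
$role.AddTask('Approve expense report', $null)
$role.Submit(0, $null)

# Steps 7 and 8: a basic application group holding the current user's SID,
# then the group is made a member of the role.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$group = $app.CreateApplicationGroup('ExpenseApprovers', $null)
$group.Type = $AZ_GROUPTYPE_BASIC
$group.AddMember($me.User.Value, $null)
$group.Submit(0, $null)
$role.AddAppMember('ExpenseApprovers', $null)
$role.Submit(0, $null)

# Runtime: reopen with flags = 0 (required for AccessCheck) and test both
# operations for a client context built from the current account.
function Test-ExpenseAccess {
    param([string]$User, [string]$Domain)
    $rt = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
    $rt.Initialize(0, $storeUrl, $null)
    $rtApp = $rt.OpenApplication('Expense', $null)
    $ctx = $rtApp.InitializeClientContextFromName($User, $Domain, $null)
    # Scope and business-rule parameters are left empty: application scope.
    $results = $ctx.AccessCheck('ExpenseReport 1234', $null, @(1, 2), $null, $null, $null, $null, $null)
    [pscustomobject]@{
        SubmitExpense  = if ($results[0] -eq 0) { 'granted' } else { "denied (Win32 $($results[0]))" }
        ApproveExpense = if ($results[1] -eq 0) { 'granted' } else { "denied (Win32 $($results[1]))" }
    }
}
Test-ExpenseAccess -User $env:USERNAME -Domain $env:USERDOMAIN
```

Expected on a machine where the script ran as written: ApproveExpense granted through the Approver role, SubmitExpense denied with error 5, because no role contains a task that includes it. Each result is a Win32 error code, not a boolean, which is why the check compares against 0 rather than testing truthiness.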
The following example shows how to check a client's access to an operation. The example assumes that there is
an existing XML policy store named MyStore.xml in the root directory of drive C, that this store contains an
application named Expense and an operation named UseFormControl, and that the variable hToken contains a
valid client token.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <azroles.h>

void MyHandleError(char *s);

void CheckAccess(ULONGLONG hToken)
{
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    IAzClientContext* pClientContext = NULL;
    IAzOperation* pOperation = NULL;
    BSTR storeName = NULL;
    BSTR appName = NULL;
    BSTR operationName = NULL;
    BSTR objectName = NULL;
    LONG operationID;
    HRESULT hr;
    VARIANT varOperationIdArray;
    VARIANT varOperationId;
    VARIANT varResultsArray;
    VARIANT varResult;
    LONG index[1] = { 0 };   // index of the single element in each SAFEARRAY

    // Empty VARIANT (VT_EMPTY) passed for every optional parameter.
    VARIANT myVar;
    VariantInit(&myVar);
    VariantInit(&varOperationIdArray);
    VariantInit(&varOperationId);
    VariantInit(&varResultsArray);
    VariantInit(&varResult);

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Allocate a string for the policy store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store. The flags must be zero when the store is
    // opened for access checks.
    hr = pStore->Initialize(0, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the application object.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Create a client context from a token handle.
    hr = pApp->InitializeClientContextFromToken(hToken, myVar,
                                                &pClientContext);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create client context.");

    // Set up parameters for the access check: open the operation and
    // get its ID.
    if (!(operationName = SysAllocString(L"UseFormControl")))
        MyHandleError("Could not allocate operation name string.");

    hr = pApp->OpenOperation(operationName, myVar, &pOperation);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open operation.");

    hr = pOperation->get_OperationID(&operationID);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not get operation ID.");

    // Create a one-element SAFEARRAY of VARIANTs holding the operation ID.
    varOperationIdArray.vt = VT_ARRAY | VT_VARIANT;
    varOperationIdArray.parray = SafeArrayCreateVector(VT_VARIANT, 0, 1);
    if (varOperationIdArray.parray == NULL)
        MyHandleError("Could not create operation ID array.");

    varOperationId.vt = VT_I4;
    varOperationId.lVal = operationID;

    hr = SafeArrayPutElement(varOperationIdArray.parray, index,
                             &varOperationId);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not put operation ID in array.");

    // Object name; it appears in the audit record for this check.
    if (!(objectName = SysAllocString(L"UseFormControl")))
        MyHandleError("Could not allocate object name string.");

    // Check access.
    hr = pClientContext->AccessCheck(
        objectName,
        myVar,               // no scope names: use the application scope
        varOperationIdArray,
        myVar,               // no business rule parameter names
        myVar,               // no business rule parameter values
        myVar,               // no interface names
        myVar,               // no interface flags
        myVar,               // no interfaces
        &varResultsArray);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not complete access check.");

    // One result per operation: 0 (NO_ERROR) means access is granted; any
    // other value is the Win32 error code, typically ERROR_ACCESS_DENIED.
    hr = SafeArrayGetElement(varResultsArray.parray, index, &varResult);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not get result from array.");

    if (varResult.lVal == 0)
        printf("Access granted.\n");
    else
        printf("Access denied (error %ld).\n", varResult.lVal);

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    pClientContext->Release();
    pOperation->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    SysFreeString(operationName);
    SysFreeString(objectName);
    VariantClear(&myVar);
    VariantClear(&varOperationIdArray);   // also frees the SAFEARRAY
    VariantClear(&varOperationId);
    VariantClear(&varResultsArray);
    VariantClear(&varResult);
    CoUninitialize();
}

void MyHandleError(char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}
Delegating the Defining of Permissions in C++

Authorization policy stores that are stored in Active Directory support delegation of administration.
Administration can be delegated to users and groups at the store, application, or scope level.
At each level, there is a list of administrators and readers. Administrators of a store, application, or scope can
read and modify the policy store at the delegated level. Readers can read the policy store at the delegated level
but cannot modify the store.
A user or group that is either an administrator or a reader of an application must also be added as a delegated
user of the policy store that contains that application. Similarly, a user or group that is an administrator or a
reader of a scope must be added as a delegated user of the application that contains that scope.
For example, to delegate administration of a scope, first add the user or group to the list of delegated users of
the store that contains the scope by calling the IAzAuthorizationStore::AddDelegatedPolicyUser method.
Then add the user or group to the list of delegated users of the application that contains the scope by calling the
IAzApplication::AddDelegatedPolicyUser method. Finally, add the user or group to the list of administrators
of the scope by calling the IAzScope::AddPolicyAdministrator method.
XML-based policy stores do not support delegation at any level.
A scope within an authorization store that is stored in Active Directory cannot be delegated if the scope contains
task definitions that include authorization rules or role definitions that include authorization rules.
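The three-level chain for a scope (store, then application, then scope) and the rule-based restriction just described can both be checked and applied with the same AzRoles objects the C++ sample below uses. The following is an added example, not code from the original page: it delegates administration of one scope in an Active Directory store, testing the scope's CanBeDelegated property before making any change. The store URL, the Expense application, the EMEA scope and the AUTHMANAGER\ScopeAdmins group are assumptions for illustration; the caller must already be an administrator of the store.

```powershell
# Added example: delegate administration of a scope in an AD-based store.
$AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY = 2
$storeUrl = 'msldap://CN=MyAzStore,CN=Program Data,DC=authmanager,DC=com'   # assumed
$delegate = 'AUTHMANAGER\ScopeAdmins'                                        # assumed group

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize($AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY, $storeUrl, $null)
$app   = $store.OpenApplication('Expense', $null)
$scope = $app.OpenScope('EMEA', $null)

# A scope whose tasks or roles carry authorization rules cannot be delegated;
# the object reports that directly, so check it before touching the store.
if (-not $scope.CanBeDelegated) {
    throw "Scope '$($scope.Name)' contains rule-bearing task or role definitions and cannot be delegated."
}

# Level 1: the store must list the principal as a delegated policy user.
$store.AddDelegatedPolicyUserName($delegate, $null)
$store.Submit(0, $null)

# Level 2: so must the application that contains the scope.
$app.AddDelegatedPolicyUserName($delegate, $null)
$app.Submit(0, $null)

# Level 3: administrator (read and modify) rights on this scope only. Use
# AddPolicyReaderName instead to grant read-only access.
$scope.AddPolicyAdministratorName($delegate, $null)
$scope.Submit(0, $null)

# Show what each level now grants.
function Get-DelegationState {
    [pscustomobject]@{
        StoreDelegatedUsers = @($store.DelegatedPolicyUsersName)
        AppDelegatedUsers   = @($app.DelegatedPolicyUsersName)
        ScopeAdministrators = @($scope.PolicyAdministratorsName)
    }
}
Get-DelegationState
```

Adding a principal that is already present at a level fails, so a script that may be re-run should consult the *Name lists shown at the end before each Add call. Note that delegated users of the store gain no rights by themselves; the grant that matters is the one on the scope, and the two higher-level entries only make that grant reachable.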
The following example shows how to delegate administration of an application. The example assumes that there
is an existing Active Directory authorization policy store at the specified location, that this policy store contains
an application named Expense, and that this application contains no tasks with business rule scripts.

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <azroles.h>
#include <objbase.h>

void MyHandleError(char *s);

int main(void)
{
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    HRESULT hr;
    BSTR storeName = NULL;
    BSTR appName = NULL;
    BSTR userName = NULL;
    VARIANT myVar;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create a null VARIANT for the reserved parameters.
    VariantInit(&myVar);
    myVar.vt = VT_NULL;

    // Allocate a string for the distinguished name of the
    // Active Directory store.
    if (!(storeName = SysAllocString(
            L"msldap://CN=MyAzStore,CN=Program Data,DC=authmanager,DC=com")))
        MyHandleError("Could not allocate string.");

    // Initialize the store for administration.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the application object.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Add a delegated policy user to the store. This is required before
    // the same user can be granted rights on an application in the store.
    if (!(userName = SysAllocString(L"ExampleDomain\\UserName")))
        MyHandleError("Could not allocate username string.");
    hr = pStore->AddDelegatedPolicyUserName(userName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add user to store as delegated policy user.");

    // Add the user as an administrator of the application.
    hr = pApp->AddPolicyAdministratorName(userName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add user to application as administrator.");

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    SysFreeString(userName);
    VariantClear(&myVar);
    CoUninitialize();
    return 0;
}

void MyHandleError(char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}
Supporting Tasks for Authorization in C++

The following tasks support the main tasks listed in Using Authorization in C++.

Creating an Authorization Policy Store in C++: Create an authorization policy before or during the installation
of an application.
Establishing a Client Context with Authorization Manager in C++: Create a client context with a handle to a
token, a domain and user name, or a string representation of the security identifier (SID) of the client.
Qualifying Access with Business Logic in C++: Provide run-time logic for checking access.
Defining Permissions with ACLs in C++: Define which clients have access to which resources by creating and
modifying the ACLs associated with those resources and by enabling and disabling client privileges.
Establishing a Client Context from a SID in C++: Identify a user, group, or computer account. Use SIDs to check
access rights to resources.
Verifying Client Access with ACLs in C++: Check the access rights that a security descriptor allows for a client.
Finding the Owner of a File Object in C++: Find and print the name of the owner of a file.
Taking Object Ownership in C++: Change the DACL of a file object by taking ownership of that object.
Creating an Authorization Policy Store in C++

Create an authorization policy before or during the installation of an application.
When you use the Authorization Manager API to create an authorization policy, follow the instructions provided
in the following topics.

Creating an Authorization Policy Store Object in C++: An authorization policy store contains information about
the security policy of an application or group of applications. The information includes the applications,
operations, tasks, users, and groups of users associated with the store.
Creating an Application Object in C++: An authorization policy store contains authorization policy information
for one or more applications. For each application that uses that policy store, you must create an
IAzApplication object and save it to a policy store.
Defining Operations in C++: In Authorization Manager, an operation is a low-level function or method of an
application.
Grouping Operations into Tasks in C++: In Authorization Manager, a task is a high-level action that users of an
application need to complete. Tasks are made up of operations, which are low-level functions and methods of
the application.
Grouping Tasks into Roles in C++: In Authorization Manager, a role represents a category of users and the tasks
those users are authorized to perform.
Defining Groups of Users in C++: In Authorization Manager, an IAzApplicationGroup object represents a group
of users. Roles can then be assigned to this group of users collectively.
Adding Users to an Application Group in C++: In Authorization Manager, an application group is a group of
users and user groups. An application group can contain other application groups, so groups of users can be
nested.
Creating an Authorization Policy Store Object in C++

An authorization policy store contains information about the security policy of an application or group of
applications. The information includes the applications, operations, tasks, users, and groups of users associated
with the store. When an application that uses Authorization Manager initializes, it loads this information from
the store. The authorization policy store must be located on a trusted system because administrators on that
system have a high degree of access to the store.
Authorization Manager supports storing authorization policy either in the Active Directory directory service or
in an XML file as shown in the following examples. In the Authorization Manager API, an authorization policy
store is represented by an AzAuthorizationStore object. The examples show how to create an
AzAuthorizationStore object for an Active Directory store and an XML store.
Creating an Active Directory Store
Creating a SQL Server Store
Creating an XML Store

Creating an Active Directory Store

To use Active Directory to store the authorization policy, the domain must be in the Windows Server 2003
domain functional level. The authorization policy store cannot be located in a Non-Domain Naming Context
(also called an application partition). It is recommended that the store be located in the Program Data
container under a new organizational unit created specifically for the authorization policy store. It is also
recommended that the store be located within the same local area network as application servers that run
applications that use the store.
The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in Active Directory. The example assumes that there is an existing Active Directory organizational
unit named Program Data in a domain named authmanager.com.

#pragma comment(lib, "duser.lib")

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <azroles.h>
#include <objbase.h>

void MyHandleError(char *s);

int main(void)
{
    IAzAuthorizationStore* pStore = NULL;
    HRESULT hr;
    BSTR storeName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create an empty VARIANT for the reserved parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Allocate a string for the distinguished name of the
    // Active Directory store.
    if (!(storeName = SysAllocString(
            L"msldap://CN=MyAzStore,CN=Program Data,DC=authmanager,DC=com")))
        MyHandleError("Could not allocate string.");

    // Initialize the store in Active Directory. Use the
    // AZ_AZSTORE_FLAG_CREATE flag.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_CREATE, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Call the Submit method to save changes to the new store.
    hr = pStore->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save data to the store.");

    // Clean up resources.
    pStore->Release();
    VariantClear(&myVar);
    SysFreeString(storeName);
    CoUninitialize();
    return 0;
}

void MyHandleError(char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Creating a SQL Server Store

Authorization Manager supports creating a Microsoft SQL Server–based authorization policy store. To create a
SQL Server–based authorization store, use a URL that begins with the prefix MSSQL://. The URL must contain a
valid SQL connection string, a database name, and the name of the authorization policy store:
MSSQL://ConnectionString/DatabaseName/PolicyStoreName
If the instance of SQL Server does not contain the specified Authorization Manager database, Authorization
Manager creates a new database with that name.

NOTE
Connections to a SQL Server store are not encrypted unless you explicitly set up SQL encryption for the connection or set
up encryption of the network traffic that uses Internet Protocol Security (IPsec).
The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in a SQL Server database.

#pragma comment(lib, "duser.lib")

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <azroles.h>
#include <objbase.h>

void MyHandleError(char *s);

int main(void)
{
    IAzAuthorizationStore* pStore = NULL;
    HRESULT hr;
    BSTR storeName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create a null VARIANT for the reserved parameters.
    VARIANT myVar;
    VariantInit(&myVar);
    myVar.vt = VT_NULL;

    // Allocate a string for the SQL Server store:
    // MSSQL://ConnectionString/DatabaseName/PolicyStoreName
    if (!(storeName = SysAllocString(
            L"MSSQL://Driver={SQL Server};Server={AzServer};/AzDB/MyStore")))
        MyHandleError("Could not allocate string.");

    // Initialize the store. Use the AZ_AZSTORE_FLAG_CREATE flag.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_CREATE, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Call the Submit method to save changes to the new store.
    hr = pStore->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save data to the store.");

    // Clean up resources.
    pStore->Release();
    VariantClear(&myVar);
    SysFreeString(storeName);
    CoUninitialize();
    return 0;
}

void MyHandleError(char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Creating an XML Store

Authorization Manager supports creating an authorization policy store in XML format. The XML store can be
located on the same computer where the application runs, or it can be stored remotely. Editing the XML file
directly is not supported. Use the Authorization Manager MMC snap-in or the Authorization Manager API to edit
the policy store.
Authorization Manager does not support delegating administration of an XML policy store. For information
about delegation, see Delegating the Defining of Permissions in C++.
The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in an XML file.

#pragma comment(lib, "duser.lib")

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <azroles.h>
#include <objbase.h>

void MyHandleError(char *s);

int main(void)
{
    IAzAuthorizationStore* pStore = NULL;
    HRESULT hr;
    BSTR storeName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create a null VARIANT for the reserved parameters.
    VARIANT myVar;
    VariantInit(&myVar);
    myVar.vt = VT_NULL;

    // Allocate a string for the path of the XML store.
    if (!(storeName = SysAllocString(L"msxml://C:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store in an XML file. Use the
    // AZ_AZSTORE_FLAG_CREATE flag.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_CREATE, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Call the Submit method to save changes to the new store.
    hr = pStore->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save data to the store.");

    // Clean up resources.
    pStore->Release();
    VariantClear(&myVar);
    SysFreeString(storeName);
    CoUninitialize();
    return 0;
}

void MyHandleError(char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}
Creating an Application Object in C++

An authorization policy store contains authorization policy information for one or more applications. For each
application that uses that policy store, you must create an IAzApplication object and save it to a policy store.
The following example shows how to create an IAzApplication object that represents an application and how
to add the IAzApplication object to the authorization policy store the application uses. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C.

#pragma comment(lib, "duser.lib")

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <azroles.h>
#include <objbase.h>

void MyHandleError(char *s);

int main(void)
{
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    HRESULT hr;
    BSTR storeName = NULL;
    BSTR appName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create an empty VARIANT for the reserved parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Allocate a string for the name of the store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the existing store for administration.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY,
                            storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Create an application object.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->CreateApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create application.");

    // Save changes to the store.
    hr = pApp->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save changes to store.");

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    VariantClear(&myVar);
    CoUninitialize();
    return 0;
}

void MyHandleError(char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Defining Operations in C++
3/5/2021 • 3 minutes to read

In Authorization Manager, an operation is a low-level function or method of an application. These operations are
grouped together as tasks. Users of the application request permission to complete tasks. An operation is
represented by an IAzOperation object. For more information about operations, see Operations and Tasks.
The following example shows how to define operations in an authorization policy store. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C, and that this store
contains an application named Expense.

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")

#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>

void main(void){
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    IAzOperation* pOp = NULL;
    HRESULT hr;
    void MyHandleError(const char *s);
    BSTR storeName = NULL;
    BSTR appName = NULL;
    BSTR opName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create null VARIANT for parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Allocate a string for the name of the store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY,
                            storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the existing application object.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Create operations. Each operation is created, given an OperationID,
    // saved, and released before the next one reuses pOp.

    // Create first operation.
    if (!(opName = SysAllocString(L"RetrieveForm")))
        MyHandleError("Could not allocate operation name string.");
    hr = pApp->CreateOperation(opName, myVar, &pOp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create operation.");

    // Set the OperationID property.
    hr = pOp->put_OperationID(1);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set operation ID.");

    // Save the operation to the store.
    hr = pOp->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save operation.");
    SysFreeString(opName);
    pOp->Release();
    pOp = NULL;

    // Create second operation.
    if (!(opName = SysAllocString(L"EnqueRequest")))
        MyHandleError("Could not allocate operation name string.");
    hr = pApp->CreateOperation(opName, myVar, &pOp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create operation.");

    // Set the OperationID property.
    hr = pOp->put_OperationID(2);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set operation ID.");

    // Save the operation to the store.
    hr = pOp->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save operation.");
    SysFreeString(opName);
    pOp->Release();
    pOp = NULL;

    // Create third operation.
    if (!(opName = SysAllocString(L"DequeRequest")))
        MyHandleError("Could not allocate operation name string.");
    hr = pApp->CreateOperation(opName, myVar, &pOp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create operation.");

    // Set the OperationID property.
    hr = pOp->put_OperationID(3);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set operation ID.");

    // Save the operation to the store.
    hr = pOp->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save operation.");
    SysFreeString(opName);
    pOp->Release();
    pOp = NULL;

    // Create fourth operation.
    if (!(opName = SysAllocString(L"UseFormControl")))
        MyHandleError("Could not allocate operation name string.");
    hr = pApp->CreateOperation(opName, myVar, &pOp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create operation.");

    // Set the OperationID property.
    hr = pOp->put_OperationID(4);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set operation ID.");

    // Save the operation to the store.
    hr = pOp->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save operation.");
    SysFreeString(opName);
    pOp->Release();
    pOp = NULL;

    // Create fifth operation.
    if (!(opName = SysAllocString(L"MarkFormApproved")))
        MyHandleError("Could not allocate operation name string.");
    hr = pApp->CreateOperation(opName, myVar, &pOp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create operation.");

    // Set the OperationID property.
    hr = pOp->put_OperationID(5);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set operation ID.");

    // Save the operation to the store.
    hr = pOp->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save operation.");
    SysFreeString(opName);
    pOp->Release();
    pOp = NULL;

    // Create sixth operation.
    if (!(opName = SysAllocString(L"SendApprovalNotify")))
        MyHandleError("Could not allocate operation name string.");
    hr = pApp->CreateOperation(opName, myVar, &pOp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create operation.");

    // Set the OperationID property.
    hr = pOp->put_OperationID(6);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set operation ID.");

    // Save the operation to the store.
    hr = pOp->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save operation.");
    SysFreeString(opName);
    pOp->Release();
    pOp = NULL;

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    VariantClear(&myVar);
    CoUninitialize();
}

void MyHandleError(const char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Grouping Operations into Tasks in C++
3/5/2021 • 2 minutes to read

In Authorization Manager, a task is a high-level action that users of an application need to complete. Tasks are
made up of operations, which are low-level functions and methods of the application. A task is then assigned to
those roles that must perform that task. A task is represented by an IAzTask object. For more information about
operations and tasks, see Operations and Tasks.
The following example shows how to group operations to create a task. The example assumes that there is an
existing XML policy store named MyStore.xml in the root directory of drive C, that this store contains an
application named Expense, and that this application contains operations defined in the topic Defining
Operations in C++.

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")

#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>

void main(void){
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    IAzTask* pTask = NULL;
    HRESULT hr;
    void MyHandleError(const char *s);
    BSTR storeName = NULL;
    BSTR appName = NULL;
    BSTR taskName = NULL;
    BSTR opName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create null VARIANT for parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Allocate a string for the name of the store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY,
                            storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the existing application object.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Create a task object.
    if (!(taskName = SysAllocString(L"Submit Expense")))
        MyHandleError("Could not allocate task name string.");
    hr = pApp->CreateTask(taskName, myVar, &pTask);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create task.");

    // Add operations to the task.
    if (!(opName = SysAllocString(L"RetrieveForm")))
        MyHandleError("Could not allocate operation name string.");
    hr = pTask->AddOperation(opName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add 1st operation to the task.");
    SysFreeString(opName);

    if (!(opName = SysAllocString(L"EnqueRequest")))
        MyHandleError("Could not allocate operation name string.");
    hr = pTask->AddOperation(opName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add 2nd operation to the task.");
    SysFreeString(opName);

    if (!(opName = SysAllocString(L"UseFormControl")))
        MyHandleError("Could not allocate operation name string.");
    hr = pTask->AddOperation(opName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add 3rd operation to the task.");
    SysFreeString(opName);

    // Save information to the store.
    hr = pTask->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save task data to the store.");

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    pTask->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    SysFreeString(taskName);
    VariantClear(&myVar);
    CoUninitialize();
}

void MyHandleError(const char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Grouping Tasks into Roles in C++
3/5/2021 • 2 minutes to read

In Authorization Manager, a role represents a category of users and the tasks those users are authorized to
perform. Tasks are grouped together and assigned to a role definition, which is represented by an IAzTask
object with its IsRoleDefinition property set to TRUE. The role definition can then be assigned to an IAzRole
object, and users or groups of users are then assigned to that object. For more information about tasks and
roles, see Roles.
The following example shows how to assign tasks to a role definition, create a role object, and assign the role
definition to the role object. The example assumes that there is an existing XML policy store named MyStore.xml
in the root directory of drive C, that this store contains an application named Expense, and that this application
contains tasks named Submit Expense and Approve Expense.

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")

#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>

void main(void){
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    IAzTask* pTaskRoleDef = NULL;
    IAzRole* pRole = NULL;
    HRESULT hr;
    void MyHandleError(const char *s);
    BSTR storeName = NULL;
    BSTR appName = NULL;
    BSTR taskNameSubmit = NULL;
    BSTR taskNameApprove = NULL;
    BSTR roleDefName = NULL;
    BSTR roleName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create null VARIANT for parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Allocate a string for the name of the policy store.
    storeName = SysAllocString(L"msxml://c:\\myStore.xml");
    if (!storeName)
        MyHandleError("Could not allocate string.");

    // Initialize the store.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the existing application object.
    appName = SysAllocString(L"Expense");
    if (!appName)
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Allocate strings for the task names.
    taskNameSubmit = SysAllocString(L"Submit Expense");
    if (!taskNameSubmit)
        MyHandleError("Could not allocate first task name string.");

    taskNameApprove = SysAllocString(L"Approve Expense");
    if (!taskNameApprove)
        MyHandleError("Could not allocate second task name string.");

    // Create a third task object to act as a role definition.
    roleDefName = SysAllocString(L"Expense Admin");
    if (!roleDefName)
        MyHandleError("Could not allocate role definition name.");
    hr = pApp->CreateTask(roleDefName, myVar, &pTaskRoleDef);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create role definition.");

    // Set the IsRoleDefinition property of pTaskRoleDef to TRUE.
    hr = pTaskRoleDef->put_IsRoleDefinition(VARIANT_TRUE);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set role definition property.");

    // Add two tasks to the role definition.
    hr = pTaskRoleDef->AddTask(taskNameSubmit, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add submit task.");
    hr = pTaskRoleDef->AddTask(taskNameApprove, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add approve task.");

    // Save information to the store.
    hr = pTaskRoleDef->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save task data to the store.");

    // Create an IAzRole object.
    roleName = SysAllocString(L"Expense Administrator");
    if (!roleName)
        MyHandleError("Could not allocate role name.");
    hr = pApp->CreateRole(roleName, myVar, &pRole);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create a role object.");

    // Add the role definition to the role object.
    hr = pRole->AddTask(roleDefName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add role definition to the role.");

    // Save information to the store.
    hr = pRole->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save role data to the store.");

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    pTaskRoleDef->Release();
    pRole->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    SysFreeString(taskNameSubmit);
    SysFreeString(taskNameApprove);
    SysFreeString(roleDefName);
    SysFreeString(roleName);
    VariantClear(&myVar);
    CoUninitialize();
}

void MyHandleError(const char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Defining Groups of Users in C++
3/5/2021 • 3 minutes to read

In Authorization Manager, an IAzApplicationGroup object represents a group of users. Roles can then be
assigned to this group of users collectively. An IAzApplicationGroup object can also include other
IAzApplicationGroup objects as members. For more information about application groups, see Users and
Groups.
A group can be defined either by explicit lists of members and nonmembers, or by a Lightweight Directory
Access Protocol (LDAP) query. The following examples show how to create each type of application group:
Creating a Basic Group
Creating an LDAP Query Group

Creating a Basic Group

A basic application group is defined by the members included in the Members and NonMembers properties
of the IAzApplicationGroup object that represents the group. Users and groups listed in the Members
property are included in the application group, and users and groups listed in the NonMembers property are
excluded from the application group. Being listed in the NonMembers property supersedes being listed in the
Members property.
The following example shows how to create a basic application group and add all local users as members of that
group. The example assumes that there is an existing XML policy store named MyStore.xml in the root directory
of drive C.

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")

#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>

void main(void){
    IAzAuthorizationStore* pStore = NULL;
    IAzApplicationGroup* pAppGroup = NULL;
    HRESULT hr;
    void MyHandleError(const char *s);
    BSTR storeName = NULL;
    BSTR groupName = NULL;
    BSTR sidString = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create null VARIANT for parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Allocate a string for the name of the store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY,
                            storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Create an application group object.
    if (!(groupName = SysAllocString(L"Trusted Users")))
        MyHandleError("Could not allocate group name string.");
    hr = pStore->CreateApplicationGroup(groupName, myVar, &pAppGroup);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create application group.");

    // Add the well-known SID for all local users (S-1-2-0) to the group.
    if (!(sidString = SysAllocString(L"S-1-2-0")))
        MyHandleError("Could not allocate SID string.");
    hr = pAppGroup->AddMember(sidString, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add member to group.");

    // Save changes to the store.
    hr = pAppGroup->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save changes to store.");

    // Clean up resources.
    pStore->Release();
    pAppGroup->Release();
    SysFreeString(storeName);
    SysFreeString(groupName);
    SysFreeString(sidString);
    VariantClear(&myVar);
    CoUninitialize();
}

void MyHandleError(const char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Creating an LDAP Query Group

An LDAP query group has a membership defined by the query contained in the value of its LdapQuery
property.
The following example shows how to create an LDAP query application group and add all users as members of
that group. The example assumes that there is an existing XML policy store named MyStore.xml in the root
directory of drive C.

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")

#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>

void main(void){
    IAzAuthorizationStore* pStore = NULL;
    IAzApplicationGroup* pAppGroup = NULL;
    HRESULT hr;
    void MyHandleError(const char *s);
    BSTR storeName = NULL;
    BSTR groupName = NULL;
    BSTR ldapString = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Null VARIANT for the reserved parameters.
    VARIANT myVar;
    myVar.vt = VT_NULL;

    // Allocate a string for the name of the store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY,
                            storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Create an application group object.
    if (!(groupName = SysAllocString(L"Trusted Users3")))
        MyHandleError("Could not allocate group name string.");
    hr = pStore->CreateApplicationGroup(groupName, myVar, &pAppGroup);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create application group.");

    // Set the Type property to AZ_GROUPTYPE_LDAP_QUERY.
    hr = pAppGroup->put_Type(AZ_GROUPTYPE_LDAP_QUERY);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Error changing type to LDAP query.");

    // Add LDAP query for all users.
    if (!(ldapString =
          SysAllocString(L"(&(objectCategory=person)(objectClass=user))")))
        MyHandleError("Could not allocate LDAP query string.");
    hr = pAppGroup->put_LdapQuery(ldapString);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add query to group.");

    // Save changes to the store.
    hr = pAppGroup->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save changes to store.");

    // Clean up resources.
    pStore->Release();
    pAppGroup->Release();
    SysFreeString(storeName);
    SysFreeString(groupName);
    SysFreeString(ldapString);
    CoUninitialize();
}

void MyHandleError(const char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}
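
The two kinds of group above differ only in how membership is resolved: a basic group lists SIDs and other groups in its Members and NonMembers properties, with NonMembers taking precedence, and an LDAP query group matches the client's directory object against the filter in LdapQuery. The following is an added example, not Authorization Manager code, that models that resolution offline in portable C++ so it can be run and tested without a policy store. The group names Trusted Users and Trusted Users3, the well-known SID S-1-2-0 and the LDAP filter come from this page; the Contractors group, the account SIDs and the directory attributes are constructed. The filter evaluator handles only the equality, presence, AND, OR and NOT forms of RFC 4515, not escapes, substrings or extensible matching.

```cpp
// Added example, not Authorization Manager code: offline resolution of
// application-group membership. Policy, SIDs and attributes are constructed.
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// The client as the policy sees it: the SIDs from its token and, for LDAP
// query groups, the attributes of its directory object.
struct Client { std::set<std::string> sids; std::map<std::string, std::string> attributes; };

// Mirrors the IAzApplicationGroup properties used above (Type, Members, NonMembers,
// LdapQuery). Member references are SID strings or names of other groups, so groups nest.
struct AppGroup {
    enum Type { Basic, LdapQuery } type = Basic;
    std::vector<std::string> members;
    std::vector<std::string> nonMembers;
    std::string ldapQuery;
};
using Policy = std::map<std::string, AppGroup>;

// Minimal RFC 4515 evaluator: (attr=value), (attr=*), (&...), (|...), (!...).
// Attribute names compare exactly; escapes and substrings are not handled.
static bool evalFilter(const std::string& f, size_t& pos,
                       const std::map<std::string, std::string>& attrs)
{
    if (pos >= f.size() || f[pos] != '(') throw std::runtime_error("expected '('");
    ++pos;
    bool result;
    if (f[pos] == '&' || f[pos] == '|') {
        bool isAnd = f[pos++] == '&';
        result = isAnd;                                // identity element of the operator
        while (pos < f.size() && f[pos] == '(') {
            bool r = evalFilter(f, pos, attrs);
            result = isAnd ? (result && r) : (result || r);
        }
    } else if (f[pos] == '!') {
        ++pos;
        result = !evalFilter(f, pos, attrs);
    } else {
        size_t eq = f.find('=', pos), close = f.find(')', pos);
        if (eq == std::string::npos || close == std::string::npos || eq > close)
            throw std::runtime_error("malformed equality filter");
        std::string attr = f.substr(pos, eq - pos);
        std::string value = f.substr(eq + 1, close - eq - 1);
        auto it = attrs.find(attr);
        result = (value == "*") ? it != attrs.end()
                                : (it != attrs.end() && it->second == value);
        pos = close;
    }
    if (pos >= f.size() || f[pos] != ')') throw std::runtime_error("expected ')'");
    ++pos;
    return result;
}

bool matchesLdapFilter(const std::string& filter, const std::map<std::string, std::string>& attrs)
{
    size_t pos = 0;
    bool r = evalFilter(filter, pos, attrs);
    if (pos != filter.size()) throw std::runtime_error("trailing characters in filter");
    return r;
}

// Does `ref` (a SID or a group name) cover the client? `visiting` guards against cycles.
static bool refMatches(const Policy& policy, const std::string& ref,
                       const Client& client, std::set<std::string>& visiting)
{
    if (client.sids.count(ref)) return true;           // direct SID match
    auto g = policy.find(ref);
    if (g == policy.end()) return false;               // unknown reference never matches
    if (!visiting.insert(ref).second) return false;    // cycle in nested groups: no match
    const AppGroup& grp = g->second;
    bool result = false;
    if (grp.type == AppGroup::LdapQuery) {
        result = matchesLdapFilter(grp.ldapQuery, client.attributes);
    } else {
        bool excluded = false;                         // NonMembers supersede Members
        for (const auto& n : grp.nonMembers)
            excluded = excluded || refMatches(policy, n, client, visiting);
        for (const auto& m : grp.members)
            result = !excluded && (result || refMatches(policy, m, client, visiting));
    }
    visiting.erase(ref);
    return result;
}

bool isMember(const Policy& policy, const std::string& groupName, const Client& client)
{
    std::set<std::string> visiting;
    return refMatches(policy, groupName, client, visiting);
}

// Constructed policy: the page's two groups plus a nested group used as an exclusion.
Policy samplePolicy()
{
    Policy p;
    p["Contractors"].members = {"S-1-5-21-1-2-3-1105"};    // constructed account SID
    p["Trusted Users"].members = {"S-1-2-0"};                // well-known SID for local users
    p["Trusted Users"].nonMembers = {"Contractors"};
    p["Trusted Users3"].type = AppGroup::LdapQuery;
    p["Trusted Users3"].ldapQuery = "(&(objectCategory=person)(objectClass=user))";
    return p;
}

// Constructed client: a local user with the given account SID and objectCategory.
Client sampleClient(const std::string& accountSid, const std::string& category)
{
    return {{"S-1-2-0", accountSid}, {{"objectCategory", category}, {"objectClass", "user"}}};
}
```

A contractor is a local user and so matches the Members list of Trusted Users, but the nested Contractors group in NonMembers excludes that account anyway, which is the precedence rule the section states. The LDAP group needs no SID at all: it is decided purely by the directory attributes, which is why a computer object with objectClass=user still fails the objectCategory=person clause.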

Adding Users to an Application Group in C++
3/5/2021 • 2 minutes to read

In Authorization Manager, an application group is a group of users and user groups. An application group can
contain other application groups, so groups of users can be nested. An application group is represented by an
IAzApplicationGroup object.
To allow members of an application group to perform a task or set of tasks, assign that application group to a
role that contains those tasks. Roles are represented by IAzRole objects.
The following example shows how to create an application group, add a user as a member of the application
group, and assign the application group to an existing role. The example assumes that there is an existing XML
policy store named MyStore.xml in the root directory of drive C, that this store contains an application named
Expense, and that this application contains a role named Expense Administrator.

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0502
#endif
#pragma comment(lib, "duser.lib")

#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>

void main(void){
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    IAzApplicationGroup* pAppGroup = NULL;
    IAzRole* pRole = NULL;
    HRESULT hr;
    void MyHandleError(const char *s);
    BSTR storeName = NULL;
    BSTR appName = NULL;
    BSTR groupName = NULL;
    BSTR userName = NULL;
    BSTR roleName = NULL;

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Create null VARIANT for parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Allocate a string for the name of the policy store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store.
    hr = pStore->Initialize(AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY,
                            storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the existing application object.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Allocate a string for the group name.
    if (!(groupName = SysAllocString(L"Approvers")))
        MyHandleError("Could not allocate group name string.");

    // Create an IAzApplicationGroup object scoped to the application.
    hr = pApp->CreateApplicationGroup(groupName, myVar, &pAppGroup);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create application group.");

    // Add a member to the group.
    // Replace with valid domain and user name.
    if (!(userName = SysAllocString(L"domain\\username")))
        MyHandleError("Could not allocate user name string.");
    hr = pAppGroup->AddMemberName(userName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add user to application group.");

    // Save information to the store.
    hr = pAppGroup->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save group information.");

    // Open an IAzRole object.
    if (!(roleName = SysAllocString(L"Expense Administrator")))
        MyHandleError("Could not allocate role name string.");
    hr = pApp->OpenRole(roleName, myVar, &pRole);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open role object.");

    // Add the group to the role.
    hr = pRole->AddAppMember(groupName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not add the application group to the role.");

    // Save information to the store.
    hr = pRole->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save role data to the store.");

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    pAppGroup->Release();
    pRole->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    SysFreeString(groupName);
    SysFreeString(roleName);
    SysFreeString(userName);
    VariantClear(&myVar);
    CoUninitialize();
}

void MyHandleError(const char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Establishing a Client Context with Authorization Manager in C++
3/5/2021 • 2 minutes to read

In Authorization Manager, an application determines whether a client is given access to an operation by calling
the AccessCheck method of an IAzClientContext object, which represents a client context.
An application can create a client context with a handle to a token, a domain and user name, or a string
representation of the security identifier (SID) of the client.
Use the InitializeClientContextFromToken, InitializeClientContextFromName, and
InitializeClientContextFromStringSid methods of the IAzApplication interface to create a client context.
The following example shows how to create an IAzClientContext object from a client token. The example
assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C, that this
store contains an application named Expense, and that the variable hToken contains a valid client token.

#include <windows.h>
#include <stdio.h>
#include <azroles.h>
#include <objbase.h>

void ExpenseCheck(ULONGLONG hToken)
{
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    IAzClientContext* pClientContext = NULL;
    BSTR storeName = NULL;
    BSTR appName = NULL;
    HRESULT hr;
    void MyHandleError(const char *s);

    // Create a null VARIANT for function parameters.
    VARIANT myVar;
    VariantInit(&myVar);

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Allocate a string for the policy store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store for run-time access checks (no flags).
    hr = pStore->Initialize(0, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the existing application object.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Create a client context from a token handle.
    hr = pApp->InitializeClientContextFromToken(hToken, myVar,
                                                &pClientContext);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create client context.");

    // Use the client context as needed.

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    pClientContext->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    VariantClear(&myVar);
    CoUninitialize();
}

void MyHandleError(const char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}

Qualifying Access with Business Logic in C++
3/5/2021 • 4 minutes to read

Use business rule scripts to provide run-time logic for checking access. For more information about business
rules, see Business Rules.
To assign a business rule to a task, first set the BizRuleLanguage property of the IAzTask object that
represents the task. The script must be in Visual Basic Scripting Edition or JScript. After you specify the script
language, set the BizRule property of the IAzTask object with a string representation of the script.
When checking access for an operation contained by a task that has an associated business rule, the application
must create two arrays of the same size to be passed as the varParameterNames and varParameterValues
parameters of the IAzClientContext::AccessCheck method. For information about creating a client context,
see Establishing a Client Context with Authorization Manager in C++.
The IAzClientContext::AccessCheck method creates an AzBizRuleContext object that is passed to the
business rule script. The script then sets the BusinessRuleResult property of the AzBizRuleContext object. A
value of TRUE indicates that access is granted, and a value of FALSE indicates that access is denied.
A business rule script cannot be assigned to an IAzTask object contained by a delegated IAzScope object.
The following example shows how to use a business rule script to check a client's access to an operation. The
example assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C,
that this store contains an application named Expense, a task named Submit Expense, and an operation named
UseFormControl, and that the variable hToken contains a valid client token.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <azroles.h>

void MyHandleError(char *s);

void CheckAccess(ULONGLONG hToken)
{
    IAzAuthorizationStore* pStore = NULL;
    IAzApplication* pApp = NULL;
    IAzClientContext* pClientContext = NULL;
    IAzOperation* pOperation = NULL;
    IAzTask* pTask = NULL;
    BSTR storeName = NULL;
    BSTR appName = NULL;
    BSTR operationName = NULL;
    BSTR objectName = NULL;
    BSTR taskName = NULL;
    BSTR bizRule = NULL;
    BSTR bizRuleLanguage = NULL;
    LONG operationID;
    HRESULT hr;
    VARIANT varOperationIdArray;
    VARIANT varOperationId;
    VARIANT varResultsArray;
    VARIANT varResult;
    VARIANT varParamName;
    VARIANT varParamValue;
    VARIANT nameString;
    VARIANT expenseAmount;
    VARIANT myVar;          // empty VARIANT passed for optional parameters
    LONG index[1] = { 0 };  // element index shared by all single-element SAFEARRAYs

    VariantInit(&myVar);
    VariantInit(&varOperationIdArray);
    VariantInit(&varOperationId);
    VariantInit(&varResultsArray);
    VariantInit(&varResult);
    VariantInit(&varParamName);
    VariantInit(&varParamValue);
    VariantInit(&nameString);
    VariantInit(&expenseAmount);

    // Initialize COM.
    hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize COM.");

    // Create the AzAuthorizationStore object.
    hr = CoCreateInstance(
        /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/
        __uuidof(AzAuthorizationStore),
        NULL,
        CLSCTX_ALL,
        /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/
        __uuidof(IAzAuthorizationStore),
        (void**)&pStore);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create AzAuthorizationStore object.");

    // Allocate a string for the policy store.
    if (!(storeName = SysAllocString(L"msxml://c:\\MyStore.xml")))
        MyHandleError("Could not allocate string.");

    // Initialize the store.
    hr = pStore->Initialize(0, storeName, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not initialize store.");

    // Open the application.
    if (!(appName = SysAllocString(L"Expense")))
        MyHandleError("Could not allocate application name string.");
    hr = pStore->OpenApplication(appName, myVar, &pApp);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open application.");

    // Create a client context from a token handle.
    hr = pApp->InitializeClientContextFromToken(hToken, myVar,
        &pClientContext);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not create client context.");

    // Create a business rule for the Submit Expense task.
    // Open the Submit Expense task.
    if (!(taskName = SysAllocString(L"Submit Expense")))
        MyHandleError("Could not allocate task name string.");
    hr = pApp->OpenTask(taskName, myVar, &pTask);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open task.");

    // Assign a business rule to the task.
    // Set the business rule language to VBScript.
    if (!(bizRuleLanguage = SysAllocString(L"VBScript")))
        MyHandleError("Could not allocate business rule language string.");
    hr = pTask->put_BizRuleLanguage(bizRuleLanguage);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not set business rule language.");

    // Create a BSTR with the business rule code. The rule denies by
    // default and grants only when the ExpAmount parameter is below 500.
    if (!(bizRule = SysAllocString(
        L"Dim Amount \n"
        L"AzBizRuleContext.BusinessRuleResult = FALSE \n"
        L"Amount = AzBizRuleContext.GetParameter(\"ExpAmount\") \n"
        L"if Amount < 500 then AzBizRuleContext.BusinessRuleResult = TRUE"
        )))
        MyHandleError("Could not allocate business rule string.");

    hr = pTask->put_BizRule(bizRule);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not assign business rule.");

    // Save the new task data to the store.
    hr = pTask->Submit(0, myVar);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not save task data.");

    // Set up parameters for the access check.
    // Get the ID of the operation to check.
    if (!(operationName = SysAllocString(L"UseFormControl")))
        MyHandleError("Could not allocate operation name string.");
    hr = pApp->OpenOperation(operationName, myVar, &pOperation);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not open operation.");
    hr = pOperation->get_OperationID(&operationID);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not get operation ID.");

    // Put the operation ID in a one-element SAFEARRAY of VARIANTs.
    varOperationIdArray.vt = VT_ARRAY | VT_VARIANT;
    varOperationIdArray.parray = SafeArrayCreateVector(VT_VARIANT, 0, 1);
    if (varOperationIdArray.parray == NULL)
        MyHandleError("Could not create operation ID array.");
    varOperationId.vt = VT_I4;
    varOperationId.lVal = operationID;
    hr = SafeArrayPutElement(varOperationIdArray.parray, index,
        &varOperationId);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not put operation ID in array.");

    // Create the array of business rule parameter names ...
    varParamName.vt = VT_ARRAY | VT_VARIANT;
    varParamName.parray = SafeArrayCreateVector(VT_VARIANT, 0, 1);
    if (varParamName.parray == NULL)
        MyHandleError("Could not create parameter name array.");
    nameString.vt = VT_BSTR;
    nameString.bstrVal = SysAllocString(L"ExpAmount");
    if (nameString.bstrVal == NULL)
        MyHandleError("Could not allocate parameter name string.");
    hr = SafeArrayPutElement(varParamName.parray, index, &nameString);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not put parameter name in array.");

    // ... and the array of parameter values, which must be the same size.
    varParamValue.vt = VT_ARRAY | VT_VARIANT;
    varParamValue.parray = SafeArrayCreateVector(VT_VARIANT, 0, 1);
    if (varParamValue.parray == NULL)
        MyHandleError("Could not create parameter value array.");
    expenseAmount.vt = VT_I4;
    expenseAmount.lVal = 100; // the rule denies amounts of 500 or more
    hr = SafeArrayPutElement(varParamValue.parray, index, &expenseAmount);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not put parameter value in array.");

    // Object name, used only for auditing.
    if (!(objectName = SysAllocString(L"UseFormControl")))
        MyHandleError("Could not allocate object name string.");

    // Check access.
    hr = pClientContext->AccessCheck(
        objectName,
        myVar,              // use default application scope
        varOperationIdArray,
        varParamName,
        varParamValue,
        myVar,
        myVar,
        myVar,
        &varResultsArray);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not complete access check.");

    // The results array holds one element per operation checked: 0 (NO_ERROR)
    // means access is granted; any other value is a Win32 error code such as
    // ERROR_ACCESS_DENIED.
    hr = SafeArrayGetElement(varResultsArray.parray, index, &varResult);
    if (!(SUCCEEDED(hr)))
        MyHandleError("Could not get result from array.");

    if (varResult.lVal == 0)
        printf("Access granted.\n");
    else
        printf("Access denied.\n");

    // Clean up resources.
    pStore->Release();
    pApp->Release();
    pOperation->Release();
    pClientContext->Release();
    pTask->Release();
    SysFreeString(storeName);
    SysFreeString(appName);
    SysFreeString(operationName);
    SysFreeString(objectName);
    SysFreeString(taskName);
    SysFreeString(bizRule);
    SysFreeString(bizRuleLanguage);
    VariantClear(&myVar);
    VariantClear(&varOperationIdArray);
    VariantClear(&varOperationId);
    VariantClear(&varResultsArray);
    VariantClear(&varResult);
    VariantClear(&varParamName);
    VariantClear(&varParamValue);
    VariantClear(&nameString);
    VariantClear(&expenseAmount);
    CoUninitialize();
}

void MyHandleError(char *s)
{
    printf("An error occurred in running the program.\n");
    printf("%s\n", s);
    printf("Error number %x.\n", GetLastError());
    printf("Program terminating.\n");
    exit(1);
}
Defining Permissions with ACLs in C++

You can use ACLs to control access to protected resources. Define which clients have access to which resources
by creating and modifying the ACLs associated with those resources and by enabling and disabling client
privileges.

Modifying the ACLs of an Object in C++: Add an access control entry (ACE) to, or remove one from, the discretionary access control list (DACL) of an object.

Creating a Security Descriptor for a New Object in C++: Create a security descriptor for a new object.

Controlling Child Object Creation in C++: Use the DACL of a container object to control who is allowed to create child objects within the container.

Enabling and Disabling Privileges in C++: Allow or disallow a process to perform system-level actions.

Modifying the ACLs of an Object in C++

The following example adds an access control entry (ACE) to the discretionary access control list (DACL) of an
object.
The AccessMode parameter determines the type of new ACE and how the new ACE is combined with any
existing ACEs for the specified trustee. Use the GRANT_ACCESS, SET_ACCESS, DENY_ACCESS, or
REVOKE_ACCESS flags in the AccessMode parameter. For information about these flags, see ACCESS_MODE.
Similar code can be used to work with a system access control list (SACL). Specify
SACL_SECURITY_INFORMATION in the GetNamedSecurityInfo and SetNamedSecurityInfo functions to get
and set the SACL for the object, and use the SET_AUDIT_SUCCESS, SET_AUDIT_FAILURE, and REVOKE_ACCESS
flags in the AccessMode parameter. Reading or writing a SACL also requires the SE_SECURITY_NAME privilege
(SeSecurityPrivilege) to be enabled in the caller's token; see Enabling and Disabling Privileges in C++.
The same code can add an object-specific ACE to the DACL of a directory service object. To specify the GUIDs
in an object-specific ACE, set the TrusteeForm parameter to TRUSTEE_IS_OBJECTS_AND_NAME or
TRUSTEE_IS_OBJECTS_AND_SID and set the pszTrustee parameter to a pointer to an OBJECTS_AND_NAME
or OBJECTS_AND_SID structure.
This example uses the GetNamedSecurityInfo function to get the existing DACL. Then it fills an
EXPLICIT_ACCESS structure with information about an ACE and uses the SetEntriesInAcl function to merge
the new ACE with any existing ACEs in the DACL. Finally, the example calls the SetNamedSecurityInfo function
to attach the new DACL to the security descriptor of the object. Because the merged DACL is written back as a
whole, the read, merge and write are not atomic: a change another process makes to the object's DACL between
the two calls is overwritten.

#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#pragma comment(lib, "advapi32.lib")

DWORD AddAceToObjectsSecurityDescriptor (
    LPTSTR pszObjName,          // name of object
    SE_OBJECT_TYPE ObjectType,  // type of object
    LPTSTR pszTrustee,          // trustee for new ACE
    TRUSTEE_FORM TrusteeForm,   // format of trustee structure
    DWORD dwAccessRights,       // access mask for new ACE
    ACCESS_MODE AccessMode,     // type of ACE
    DWORD dwInheritance         // inheritance flags for new ACE
    )
{
    DWORD dwRes = 0;
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;

    if (NULL == pszObjName)
        return ERROR_INVALID_PARAMETER;

    // Get a pointer to the existing DACL. pOldDACL points into the
    // security descriptor pSD, so only pSD is freed below.
    dwRes = GetNamedSecurityInfo(pszObjName, ObjectType,
        DACL_SECURITY_INFORMATION,
        NULL, NULL, &pOldDACL, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes) {
        printf( "GetNamedSecurityInfo Error %u\n", dwRes );
        goto Cleanup;
    }

    // Initialize an EXPLICIT_ACCESS structure for the new ACE.
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = dwAccessRights;
    ea.grfAccessMode = AccessMode;
    ea.grfInheritance = dwInheritance;
    ea.Trustee.TrusteeForm = TrusteeForm;
    ea.Trustee.ptstrName = pszTrustee;

    // Create a new ACL that merges the new ACE into the existing DACL.
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (ERROR_SUCCESS != dwRes) {
        printf( "SetEntriesInAcl Error %u\n", dwRes );
        goto Cleanup;
    }

    // Attach the new ACL as the object's DACL.
    dwRes = SetNamedSecurityInfo(pszObjName, ObjectType,
        DACL_SECURITY_INFORMATION,
        NULL, NULL, pNewDACL, NULL);
    if (ERROR_SUCCESS != dwRes) {
        printf( "SetNamedSecurityInfo Error %u\n", dwRes );
        goto Cleanup;
    }

Cleanup:
    if (pSD != NULL)
        LocalFree((HLOCAL) pSD);
    if (pNewDACL != NULL)
        LocalFree((HLOCAL) pNewDACL);

    return dwRes;
}
Creating a Security Descriptor for a New Object in C++

The following example creates a security descriptor for a new registry key using the following process. Similar
code can be used to create a security descriptor for other object types.
The example fills an array of EXPLICIT_ACCESS structures with the information for two ACEs. One ACE
allows read access to everyone; the other ACE allows full access to administrators.
The EXPLICIT_ACCESS array is passed to the SetEntriesInAcl function to create a DACL for the security
descriptor.
After allocating memory for the security descriptor, the example calls the InitializeSecurityDescriptor and
SetSecurityDescriptorDacl functions to initialize the security descriptor and attach the DACL.
The security descriptor is then stored in a SECURITY_ATTRIBUTES structure and passed to the
RegCreateKeyEx function, which attaches the security descriptor to the newly created key.

#pragma comment(lib, "advapi32.lib")

#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#include <tchar.h>

int main(void)
{
    DWORD dwRes, dwDisposition;
    PSID pEveryoneSID = NULL, pAdminSID = NULL;
    PACL pACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea[2];
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    SECURITY_ATTRIBUTES sa;
    LONG lRes;
    HKEY hkSub = NULL;

    // Create a well-known SID for the Everyone group.
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
        SECURITY_WORLD_RID,
        0, 0, 0, 0, 0, 0, 0,
        &pEveryoneSID))
    {
        _tprintf(_T("AllocateAndInitializeSid Error %u\n"), GetLastError());
        goto Cleanup;
    }

    // Initialize an EXPLICIT_ACCESS structure for an ACE.
    // The ACE will allow Everyone read access to the key.
    ZeroMemory(&ea, 2 * sizeof(EXPLICIT_ACCESS));
    ea[0].grfAccessPermissions = KEY_READ;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName = (LPTSTR) pEveryoneSID;

    // Create a SID for the BUILTIN\Administrators group.
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
        SECURITY_BUILTIN_DOMAIN_RID,
        DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0,
        &pAdminSID))
    {
        _tprintf(_T("AllocateAndInitializeSid Error %u\n"), GetLastError());
        goto Cleanup;
    }

    // Initialize an EXPLICIT_ACCESS structure for an ACE.
    // The ACE will allow the Administrators group full access to the key.
    ea[1].grfAccessPermissions = KEY_ALL_ACCESS;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName = (LPTSTR) pAdminSID;

    // Create a new ACL that contains the new ACEs.
    dwRes = SetEntriesInAcl(2, ea, NULL, &pACL);
    if (ERROR_SUCCESS != dwRes)
    {
        // SetEntriesInAcl returns the error code; GetLastError is not set.
        _tprintf(_T("SetEntriesInAcl Error %u\n"), dwRes);
        goto Cleanup;
    }

    // Initialize a security descriptor.
    pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
        SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (NULL == pSD)
    {
        _tprintf(_T("LocalAlloc Error %u\n"), GetLastError());
        goto Cleanup;
    }

    if (!InitializeSecurityDescriptor(pSD,
        SECURITY_DESCRIPTOR_REVISION))
    {
        _tprintf(_T("InitializeSecurityDescriptor Error %u\n"),
            GetLastError());
        goto Cleanup;
    }

    // Add the ACL to the security descriptor.
    if (!SetSecurityDescriptorDacl(pSD,
        TRUE,     // bDaclPresent flag
        pACL,
        FALSE))   // not a default DACL
    {
        _tprintf(_T("SetSecurityDescriptorDacl Error %u\n"),
            GetLastError());
        goto Cleanup;
    }

    // Initialize a security attributes structure.
    sa.nLength = sizeof (SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE;

    // Use the security attributes to set the security descriptor when you
    // create a key. The descriptor is applied only if the key is newly
    // created (dwDisposition == REG_CREATED_NEW_KEY); an existing key
    // keeps its current DACL.
    lRes = RegCreateKeyEx(HKEY_CURRENT_USER, _T("mykey"), 0, _T(""), 0,
        KEY_READ | KEY_WRITE, &sa, &hkSub, &dwDisposition);
    _tprintf(_T("RegCreateKeyEx result %u\n"), lRes );

Cleanup:
    if (pEveryoneSID)
        FreeSid(pEveryoneSID);
    if (pAdminSID)
        FreeSid(pAdminSID);
    if (pACL)
        LocalFree(pACL);
    if (pSD)
        LocalFree(pSD);
    if (hkSub)
        RegCloseKey(hkSub);

    return 0;
}
Controlling Child Object Creation in C++

You can use the DACL of a container object to control who is allowed to create child objects within the container.
This can be important because the creator of an object is typically assigned as the object's owner, and an object's
owner can control access to the object.
The various types of container objects have specific access rights that control the ability to create child objects.
For example, a thread must have KEY_CREATE_SUB_KEY access to a registry key to create a subkey under the
key. The DACL of a registry key can contain ACEs that allow or deny this access right. Similarly, NTFS supports
the FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY access rights for controlling the ability to create files or
directories in a directory.
The ADS_RIGHT_DS_CREATE_CHILD access right controls the creation of child objects in a directory service (DS)
object. However, DS objects can contain different types of objects, so the system supports a finer granularity of
control. You can use object-specific ACEs to allow or deny the right to create a specified type of child object. You
can allow a user to create one type of child object while preventing the user from creating other types of child
objects.
The following example uses the SetEntriesInAcl function to add an object-specific ACE to an ACL. The ACE
grants permission to create a specified type of child object. The grfAccessPermissions member of the
EXPLICIT_ACCESS structure is set to ADS_RIGHT_DS_CREATE_CHILD to indicate that the ACE controls the child
object creation. The ObjectsPresent member of the OBJECTS_AND_SID structure is set to
ACE_OBJECT_TYPE_PRESENT to indicate that the ObjectTypeGuid member contains a valid GUID. The GUID
identifies a type of child object whose creation is being controlled.
In the following example, pOldDACL must be a valid pointer to an existing ACL structure. For information about
how to create an ACL structure for an object, see Creating a Security Descriptor for a New Object in C++.
#include <windows.h>
#include <aclapi.h>
#include <cguid.h>    // GUID_NULL
#include <iads.h>     // ADS_RIGHT_DS_CREATE_CHILD
#pragma comment(lib, "advapi32.lib")

// Adds an object-specific ACE that lets pTrusteeSID create child objects of
// the type identified by guidChildObjectType.
// pOldDACL must be a valid pointer to an existing ACL structure, and
// guidChildObjectType must be the GUID of an object type that is a possible
// child of the object associated with pOldDACL. On success the caller owns
// *ppNewDACL and releases it with LocalFree.
DWORD AddCreateChildAce(
    PACL pOldDACL,            // existing DACL of the container object
    GUID guidChildObjectType, // GUID of object type to control creation of
    PSID pTrusteeSID,         // trustee for new ACE
    PACL *ppNewDACL)          // receives the merged DACL
{
    DWORD dwRes;
    EXPLICIT_ACCESS ea;
    OBJECTS_AND_SID ObjectsAndSID;

    if (pOldDACL == NULL || pTrusteeSID == NULL || ppNewDACL == NULL)
        return ERROR_INVALID_PARAMETER;

    // Initialize an OBJECTS_AND_SID structure with the object type GUID and
    // the SID of the trustee for the new ACE.
    ZeroMemory(&ObjectsAndSID, sizeof(OBJECTS_AND_SID));
    ObjectsAndSID.ObjectsPresent = ACE_OBJECT_TYPE_PRESENT;
    ObjectsAndSID.ObjectTypeGuid = guidChildObjectType;
    ObjectsAndSID.InheritedObjectTypeGuid = GUID_NULL;
    ObjectsAndSID.pSid = (SID *)pTrusteeSID;

    // Initialize an EXPLICIT_ACCESS structure for the new ACE.
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = ADS_RIGHT_DS_CREATE_CHILD;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_OBJECTS_AND_SID;
    ea.Trustee.ptstrName = (LPTSTR) &ObjectsAndSID;

    // Create a new ACL that merges the new ACE into the existing DACL.
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, ppNewDACL);
    return dwRes;
}


Enabling and Disabling Privileges in C++

Enabling a privilege in an access token allows the process to perform system-level actions that it could not
previously. Your application should thoroughly verify that the privilege is appropriate to the type of account,
especially for the following powerful privileges.

Privilege constant (string value): display name

SE_ASSIGNPRIMARYTOKEN_NAME (SeAssignPrimaryTokenPrivilege): Replace a process-level token

SE_BACKUP_NAME (SeBackupPrivilege): Back up files and directories

SE_DEBUG_NAME (SeDebugPrivilege): Debug programs

SE_INCREASE_QUOTA_NAME (SeIncreaseQuotaPrivilege): Adjust memory quotas for a process

SE_TCB_NAME (SeTcbPrivilege): Act as part of the operating system

Before enabling any of these potentially dangerous privileges, determine that functions or operations in your
code actually require the privileges. For example, very few functions in the operating system actually require
SeTcbPrivilege. For a list of all the available privileges, see Privilege Constants.
Enabling a privilege does not add it to the token: AdjustTokenPrivileges can enable only privileges the token
already holds, and it reports a privilege it could not enable through ERROR_NOT_ALL_ASSIGNED rather than
by failing. Disable the privilege again as soon as the operation that needs it has completed.
The following example shows how to enable or disable a privilege in an access token. The example calls the
LookupPrivilegeValue function to get the locally unique identifier (LUID) that the local system uses to identify
the privilege. Then the example calls the AdjustTokenPrivileges function, which enables or disables the
privilege depending on the value of the bEnablePrivilege parameter.

#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")

BOOL SetPrivilege(
    HANDLE hToken,          // access token handle, opened with TOKEN_ADJUST_PRIVILEGES
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
    )
{
    TOKEN_PRIVILEGES tp;
    LUID luid;

    if ( !LookupPrivilegeValue(
            NULL,            // lookup privilege on local system
            lpszPrivilege,   // privilege to lookup
            &luid ) )        // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %u\n", GetLastError() );
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;

    // Enable or disable the one privilege in tp. DisableAllPrivileges is
    // FALSE, so no other privilege in the token is touched.
    if ( !AdjustTokenPrivileges(
            hToken,
            FALSE,
            &tp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL) )
    {
        printf("AdjustTokenPrivileges error: %u\n", GetLastError() );
        return FALSE;
    }

    // AdjustTokenPrivileges returns TRUE even when it could not adjust every
    // privilege, so the last-error value must be checked as well.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}
Establishing a Client Context from a SID in C++

Use a security identifier (SID) to identify a user, group, or computer account. Use SIDs to check access rights to
resources.

Searching for a SID in an Access Token in C++: Find a SID in an access token.

Converting a Binary SID to String Format in C++: Convert a SID to and from string format.

Searching for a SID in an Access Token in C++

The following example uses the OpenProcessToken and GetTokenInformation functions to get the group
memberships in an access token. Then it uses the AllocateAndInitializeSid function to create a SID that
identifies the well-known SID of the Administrators group for the local computer. Next, it uses the EqualSid
function to compare the well-known SID with the group SIDs from the access token. If the SID is present in the
token, the function checks the attributes of the SID to determine whether it is enabled.
The CheckTokenMembership function should be used to determine whether a specified SID is present and
enabled in an access token. It evaluates the SID the way AccessCheck does, so a group that is present but
disabled, or marked SE_GROUP_USE_FOR_DENY_ONLY, is not reported as an active membership. This eliminates
the misinterpretations that a hand-written walk of the group list, such as the one below, can produce.

#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")

#define MAX_NAME 256

BOOL SearchTokenGroupsForSID (VOID)
{
    DWORD i, dwSize = 0, dwResult = 0;
    DWORD dwNameSize, dwDomainSize;
    HANDLE hToken = NULL;
    PTOKEN_GROUPS pGroupInfo = NULL;
    SID_NAME_USE SidType;
    char lpName[MAX_NAME];
    char lpDomain[MAX_NAME];
    PSID pSID = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
    BOOL bRet = FALSE;

    // Open a handle to the access token for the calling process.
    if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &hToken ))
    {
        printf( "OpenProcessToken Error %u\n", GetLastError() );
        return FALSE;
    }

    // Call GetTokenInformation to get the buffer size.
    if (!GetTokenInformation(hToken, TokenGroups, NULL, dwSize, &dwSize))
    {
        dwResult = GetLastError();
        if ( dwResult != ERROR_INSUFFICIENT_BUFFER ) {
            printf( "GetTokenInformation Error %u\n", dwResult );
            goto Cleanup;
        }
    }

    // Allocate the buffer.
    pGroupInfo = (PTOKEN_GROUPS) GlobalAlloc( GPTR, dwSize );
    if (pGroupInfo == NULL)
    {
        printf( "GlobalAlloc Error %u\n", GetLastError() );
        goto Cleanup;
    }

    // Call GetTokenInformation again to get the group information.
    if (!GetTokenInformation(hToken, TokenGroups, pGroupInfo,
            dwSize, &dwSize ) )
    {
        printf( "GetTokenInformation Error %u\n", GetLastError() );
        goto Cleanup;
    }

    // Create a SID for the BUILTIN\Administrators group.
    if (!AllocateAndInitializeSid( &SIDAuth, 2,
            SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_ADMINS,
            0, 0, 0, 0, 0, 0,
            &pSID) )
    {
        printf( "AllocateAndInitializeSid Error %u\n", GetLastError() );
        goto Cleanup;
    }

    // Loop through the group SIDs looking for the administrator SID.
    for (i = 0; i < pGroupInfo->GroupCount; i++)
    {
        if ( EqualSid(pSID, pGroupInfo->Groups[i].Sid) )
        {
            // Look up the account name and print it. The name and domain
            // buffers need separate size variables, because LookupAccountSid
            // writes the required size of each one back through its pointer.
            dwNameSize = MAX_NAME;
            dwDomainSize = MAX_NAME;
            if ( !LookupAccountSidA( NULL, pGroupInfo->Groups[i].Sid,
                    lpName, &dwNameSize, lpDomain,
                    &dwDomainSize, &SidType ) )
            {
                dwResult = GetLastError();
                if ( dwResult == ERROR_NONE_MAPPED )
                {
                    strcpy_s(lpName, MAX_NAME, "NONE_MAPPED");
                    lpDomain[0] = '\0';
                }
                else
                {
                    printf("LookupAccountSid Error %u\n", dwResult);
                    goto Cleanup;
                }
            }
            printf( "Current user is a member of the %s\\%s group\n",
                lpDomain, lpName );

            // Find out whether the SID is enabled in the token.
            if (pGroupInfo->Groups[i].Attributes & SE_GROUP_ENABLED)
                printf("The group SID is enabled.\n");
            else if (pGroupInfo->Groups[i].Attributes &
                     SE_GROUP_USE_FOR_DENY_ONLY)
                printf("The group SID is a deny-only SID.\n");
            else
                printf("The group SID is not enabled.\n");
        }
    }
    bRet = TRUE;

Cleanup:
    if (pSID)
        FreeSid(pSID);
    if (pGroupInfo)
        GlobalFree(pGroupInfo);
    if (hToken)
        CloseHandle(hToken);
    return bRet;
}
Converting a Binary SID to String Format in C++

The ConvertSidToStringSid and ConvertStringSidToSid functions convert a security identifier (SID) to and
from string format. Both functions return a buffer allocated with LocalAlloc, which the caller must release with
LocalFree. For a description of the SID string format, see SID Components.
Verifying Client Access with ACLs in C++

The following example shows how a server could check the access rights that a security descriptor allows for a
client. The example uses the ImpersonateNamedPipeClient function; however, it would work the same using
any of the other impersonation functions. After impersonating the client, the example calls the
OpenThreadToken function to get the impersonation token. Then, it calls the MapGenericMask function to
convert any generic access rights to the corresponding specific and standard rights according to the mapping
specified in the GENERIC_MAPPING structure.
The AccessCheck function checks the requested access rights against the rights allowed for the client in the
DACL of the security descriptor. To check access and generate an entry in the security event log, use the
AccessCheckAndAuditAlarm function.
#include <windows.h>
#pragma comment(lib, "advapi32.lib")

BOOL ImpersonateAndCheckAccess(
    HANDLE hNamedPipe,          // handle of pipe to impersonate
    PSECURITY_DESCRIPTOR pSD,   // security descriptor to check
    DWORD dwAccessDesired,      // access rights to check
    PGENERIC_MAPPING pGeneric,  // generic mapping for object
    PDWORD pdwAccessAllowed     // returns allowed access rights
    )
{
    HANDLE hToken = NULL;
    PRIVILEGE_SET PrivilegeSet;
    DWORD dwPrivSetSize = sizeof( PRIVILEGE_SET );
    BOOL fAccessGranted = FALSE;

    // Impersonate the client.
    if (! ImpersonateNamedPipeClient(hNamedPipe) )
        return FALSE;

    // Get an impersonation token with the client's security context.
    // AccessCheck needs only TOKEN_QUERY on the token. OpenAsSelf is TRUE so
    // the open is checked against the server's own context, which works even
    // when the client allowed only a low impersonation level.
    if (! OpenThreadToken( GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken ))
    {
        goto Cleanup;
    }

    // Use the GENERIC_MAPPING structure to convert any
    // generic access rights to object-specific access rights.
    MapGenericMask( &dwAccessDesired, pGeneric );

    // Check the client's access rights. AccessCheck returns FALSE only when
    // the call itself fails; the decision is returned in fAccessGranted.
    if ( !AccessCheck(
            pSD,                // security descriptor to check
            hToken,             // impersonation token
            dwAccessDesired,    // requested access rights
            pGeneric,           // pointer to GENERIC_MAPPING
            &PrivilegeSet,      // receives privileges used in check
            &dwPrivSetSize,     // size of PrivilegeSet buffer
            pdwAccessAllowed,   // receives mask of allowed access rights
            &fAccessGranted ))  // receives results of access check
    {
        fAccessGranted = FALSE;
        goto Cleanup;
    }

Cleanup:
    // Always revert, so the server thread does not keep running as the client.
    RevertToSelf();

    if (hToken != NULL)
        CloseHandle(hToken);

    return fAccessGranted;
}
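To make the decision procedure behind AccessCheck concrete, here is an added example (not part of the original page and not Windows code): a portable C model of the DACL walk. It covers the generic-rights mapping that MapGenericMask performs, the first-match semantics of access-denied ACEs, the accumulation of rights from access-allowed ACEs, the NULL-DACL and empty-DACL cases, and the deny-only group SIDs (SE_GROUP_USE_FOR_DENY_ONLY) that the "Searching for a SID in an Access Token" example prints. The DACLs, tokens and SIDs are constructed sample data; the file-object generic mapping uses the FILE_GENERIC_* values from winnt.h. The model leaves out owner rights, privileges and object-specific ACEs.

```c
/* Added example: a model of how AccessCheck evaluates a DACL against a token. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GENERIC_READ_BIT    0x80000000u
#define GENERIC_WRITE_BIT   0x40000000u
#define GENERIC_EXECUTE_BIT 0x20000000u
#define GENERIC_ALL_BIT     0x10000000u
#define GENERIC_BITS (GENERIC_READ_BIT | GENERIC_WRITE_BIT | GENERIC_EXECUTE_BIT | GENERIC_ALL_BIT)

/* Specific rights of the file-object generic mapping (values from winnt.h). */
#define FILE_GENERIC_READ_MASK    0x00120089u
#define FILE_GENERIC_WRITE_MASK   0x00120116u
#define FILE_GENERIC_EXECUTE_MASK 0x001200A0u
#define FILE_ALL_ACCESS_MASK      0x001F01FFu

typedef struct { uint32_t generic_read, generic_write, generic_execute, generic_all; } generic_mapping_t;
typedef enum { ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE } ace_type_t;
typedef struct { ace_type_t type; const char *sid; uint32_t mask; } ace_t;
typedef struct { bool present; const ace_t *aces; size_t count; } dacl_t;    /* present == false models a NULL DACL */
typedef struct { const char *sid; bool enabled; bool deny_only; } token_sid_t; /* SE_GROUP_ENABLED / SE_GROUP_USE_FOR_DENY_ONLY */
typedef struct { const token_sid_t *sids; size_t count; } token_t;

/* Equivalent of MapGenericMask: replace generic bits with the object type's specific rights. */
uint32_t map_generic_mask(uint32_t mask, const generic_mapping_t *gm) {
    if (mask & GENERIC_READ_BIT)    mask |= gm->generic_read;
    if (mask & GENERIC_WRITE_BIT)   mask |= gm->generic_write;
    if (mask & GENERIC_EXECUTE_BIT) mask |= gm->generic_execute;
    if (mask & GENERIC_ALL_BIT)     mask |= gm->generic_all;
    return mask & ~GENERIC_BITS;
}

/* Canonical order puts explicit deny ACEs before explicit allow ACEs; otherwise an
 * allow ACE can satisfy the request before the deny ACE is ever reached. */
bool dacl_is_canonical(const dacl_t *dacl) {
    bool seen_allow = false;
    for (size_t i = 0; i < dacl->count; i++) {
        if (dacl->aces[i].type == ACCESS_ALLOWED_ACE) seen_allow = true;
        else if (seen_allow) return false;
    }
    return true;
}

/* A deny-only SID matches access-denied ACEs but never access-allowed ACEs. */
static bool token_matches(const token_t *tok, const char *sid, bool for_deny_ace) {
    for (size_t i = 0; i < tok->count; i++) {
        if (strcmp(tok->sids[i].sid, sid) != 0) continue;
        if (tok->sids[i].enabled) return true;
        if (for_deny_ace && tok->sids[i].deny_only) return true;
    }
    return false;
}

/* Returns true when every requested bit is granted; *granted receives the granted
 * mask on success and 0 on denial, as AccessCheck's GrantedAccess does. */
bool model_access_check(const dacl_t *dacl, const token_t *tok, uint32_t desired,
                        const generic_mapping_t *gm, uint32_t *granted) {
    uint32_t remaining = map_generic_mask(desired, gm);
    uint32_t have = 0;
    *granted = 0;
    if (!dacl->present) { *granted = remaining; return true; }   /* NULL DACL: everyone gets everything */
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const ace_t *ace = &dacl->aces[i];
        if (ace->type == ACCESS_DENIED_ACE) {
            if (token_matches(tok, ace->sid, true) && (ace->mask & remaining) != 0)
                return false;                 /* a matching deny for any still-needed right ends the walk */
        } else if (token_matches(tok, ace->sid, false)) {
            have |= ace->mask & remaining;
            remaining &= ~ace->mask;
        }
    }
    if (remaining != 0) return false;         /* empty DACL, or no allow ACE covered every bit */
    *granted = have;
    return true;
}

/* Constructed sample DACL in canonical order. */
static const ace_t sample_aces[] = {
    { ACCESS_DENIED_ACE,  "S-1-5-32-546", FILE_ALL_ACCESS_MASK },    /* BUILTIN\Guests: deny all */
    { ACCESS_ALLOWED_ACE, "S-1-1-0",      FILE_GENERIC_READ_MASK },  /* Everyone: read */
    { ACCESS_ALLOWED_ACE, "S-1-5-32-544", FILE_ALL_ACCESS_MASK },    /* BUILTIN\Administrators: full control */
};
static const ace_t noncanonical_aces[] = {                           /* same ACEs, allow before deny */
    { ACCESS_ALLOWED_ACE, "S-1-1-0",      FILE_GENERIC_READ_MASK },
    { ACCESS_DENIED_ACE,  "S-1-5-32-546", FILE_ALL_ACCESS_MASK },
};
const dacl_t sample_dacl       = { true,  sample_aces, 3 };
const dacl_t noncanonical_dacl = { true,  noncanonical_aces, 2 };
const dacl_t null_dacl         = { false, NULL, 0 };   /* no DACL at all */
const dacl_t empty_dacl        = { true,  NULL, 0 };   /* DACL with no ACEs: nobody gets anything */
const generic_mapping_t file_mapping = { FILE_GENERIC_READ_MASK, FILE_GENERIC_WRITE_MASK,
                                         FILE_GENERIC_EXECUTE_MASK, FILE_ALL_ACCESS_MASK };

/* Constructed tokens. A UAC-filtered administrator carries the Administrators SID as deny-only. */
static const token_sid_t filtered_admin_sids[] = {
    { "S-1-5-21-1-2-3-1001", true, false }, { "S-1-1-0", true, false }, { "S-1-5-32-544", false, true } };
static const token_sid_t full_admin_sids[] = {
    { "S-1-5-21-1-2-3-1001", true, false }, { "S-1-1-0", true, false }, { "S-1-5-32-544", true, false } };
static const token_sid_t restricted_guest_sids[] = {     /* Guests SID disabled to deny-only (restricted token) */
    { "S-1-5-21-1-2-3-1002", true, false }, { "S-1-1-0", true, false }, { "S-1-5-32-546", false, true } };
const token_t filtered_admin   = { filtered_admin_sids, 3 };
const token_t full_admin       = { full_admin_sids, 3 };
const token_t restricted_guest = { restricted_guest_sids, 3 };

/* One-value helpers using the file mapping. */
bool check_allowed(const dacl_t *d, const token_t *t, uint32_t desired) {
    uint32_t g; return model_access_check(d, t, desired, &file_mapping, &g);
}
uint32_t check_granted(const dacl_t *d, const token_t *t, uint32_t desired) {
    uint32_t g; model_access_check(d, t, desired, &file_mapping, &g); return g;
}

int main(void) {
    printf("filtered admin, GENERIC_READ: %s (0x%08X)\n", check_allowed(&sample_dacl, &filtered_admin, GENERIC_READ_BIT) ? "granted" : "denied", check_granted(&sample_dacl, &filtered_admin, GENERIC_READ_BIT));
    printf("filtered admin, GENERIC_ALL:  %s\n", check_allowed(&sample_dacl, &filtered_admin, GENERIC_ALL_BIT) ? "granted" : "denied");
    printf("full admin,     GENERIC_ALL:  %s\n", check_allowed(&sample_dacl, &full_admin, GENERIC_ALL_BIT) ? "granted" : "denied");
    printf("restricted guest, read, canonical DACL:     %s\n", check_allowed(&sample_dacl, &restricted_guest, GENERIC_READ_BIT) ? "granted" : "denied");
    printf("restricted guest, read, non-canonical DACL: %s\n", check_allowed(&noncanonical_dacl, &restricted_guest, GENERIC_READ_BIT) ? "granted" : "denied");
    return 0;
}
```

The last two lines of output are the reason SetEntriesInAcl and the Access Control Editor insist on canonical order: with the deny ACE moved behind the allow ACE, the walk stops as soon as Everyone's allow satisfies the read request, and the deny-only Guests SID is never consulted.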
Finding the Owner of a File Object in C++

The following example uses the GetSecurityInfo and LookupAccountSid functions to find and print the
name of the owner of a file. The file exists in the current working directory on the local server.

#include <stdio.h>
#include <windows.h>
#include <tchar.h>
#include "accctrl.h"
#include "aclapi.h"
#pragma comment(lib, "advapi32.lib")

int main(void)
{
    DWORD dwRtnCode = 0;
    PSID pSidOwner = NULL;
    BOOL bRtnBool = TRUE;
    LPTSTR AcctName = NULL;
    LPTSTR DomainName = NULL;
    DWORD dwAcctName = 1, dwDomainName = 1;
    SID_NAME_USE eUse = SidTypeUnknown;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    PSECURITY_DESCRIPTOR pSD = NULL;
    int rc = -1;

    // Get a handle to the file object. Reading the owner needs only
    // READ_CONTROL; no access to the file data is requested.
    hFile = CreateFile(
        TEXT("myfile.txt"),
        READ_CONTROL,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    // Check GetLastError for CreateFile error code.
    if (hFile == INVALID_HANDLE_VALUE) {
        _tprintf(TEXT("CreateFile error = %u\n"), GetLastError());
        return -1;
    }

    // Get the owner SID of the file. pSidOwner points into pSD, which
    // must be released with LocalFree.
    dwRtnCode = GetSecurityInfo(
        hFile,
        SE_FILE_OBJECT,
        OWNER_SECURITY_INFORMATION,
        &pSidOwner,
        NULL,
        NULL,
        NULL,
        &pSD);

    // GetSecurityInfo returns the error code directly; GetLastError is not set.
    if (dwRtnCode != ERROR_SUCCESS) {
        _tprintf(TEXT("GetSecurityInfo error = %u\n"), dwRtnCode);
        goto Cleanup;
    }

    // First call to LookupAccountSid to get the buffer sizes (in TCHARs).
    bRtnBool = LookupAccountSid(
        NULL,           // local computer
        pSidOwner,
        AcctName,
        (LPDWORD)&dwAcctName,
        DomainName,
        (LPDWORD)&dwDomainName,
        &eUse);
    if (!bRtnBool && GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
        _tprintf(TEXT("LookupAccountSid size query error = %u\n"), GetLastError());
        goto Cleanup;
    }

    // Allocate the buffers; the sizes are character counts, not bytes.
    AcctName = (LPTSTR)GlobalAlloc(GMEM_FIXED, dwAcctName * sizeof(TCHAR));
    if (AcctName == NULL) {
        _tprintf(TEXT("GlobalAlloc error = %u\n"), GetLastError());
        goto Cleanup;
    }

    DomainName = (LPTSTR)GlobalAlloc(GMEM_FIXED, dwDomainName * sizeof(TCHAR));
    if (DomainName == NULL) {
        _tprintf(TEXT("GlobalAlloc error = %u\n"), GetLastError());
        goto Cleanup;
    }

    // Second call to LookupAccountSid to get the account name.
    bRtnBool = LookupAccountSid(
        NULL,                   // name of local or remote computer
        pSidOwner,              // security identifier
        AcctName,               // account name buffer
        (LPDWORD)&dwAcctName,   // size of account name buffer
        DomainName,             // domain name
        (LPDWORD)&dwDomainName, // size of domain name buffer
        &eUse);                 // SID type

    // Check GetLastError for LookupAccountSid error condition.
    if (bRtnBool == FALSE) {
        DWORD dwErrorCode = GetLastError();
        if (dwErrorCode == ERROR_NONE_MAPPED)
            _tprintf(TEXT("Account owner not found for specified SID.\n"));
        else
            _tprintf(TEXT("Error in LookupAccountSid = %u.\n"), dwErrorCode);
        goto Cleanup;
    }

    // Print the account name.
    _tprintf(TEXT("Account owner = %s\\%s\n"), DomainName, AcctName);
    rc = 0;

Cleanup:
    if (AcctName)
        GlobalFree(AcctName);
    if (DomainName)
        GlobalFree(DomainName);
    if (pSD)
        LocalFree(pSD);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    return rc;
}
Taking Object Ownership in C++

The following example tries to change the DACL of a file object by taking ownership of that object. This will
succeed only if the caller has WRITE_DAC access to the object or is the owner of the object. If the initial attempt
to change the DACL fails, an administrator can take ownership of the object. To give the administrator
ownership, the example enables the SE_TAKE_OWNERSHIP_NAME privilege in the caller's access token, and
makes the local system's Administrators group the owner of the object. If the caller is a member of the
Administrators group, the code will then be able to change the object's DACL.
To enable and disable privileges, this example uses the SetPrivilege sample function described in Enabling and
Disabling Privileges in C++.

#include <windows.h>
#include <stdio.h>
#include <accctrl.h>
#include <aclapi.h>

// Forward declaration of SetPrivilege, the sample function from
// Enabling and Disabling Privileges in C++.
BOOL SetPrivilege(
    HANDLE hToken,          // access token handle
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
    );

BOOL TakeOwnership(LPTSTR lpszOwnFile)
{
    BOOL bRetval = FALSE;

    HANDLE hToken = NULL;
    PSID pSIDAdmin = NULL;
    PSID pSIDEveryone = NULL;
    PACL pACL = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld =
            SECURITY_WORLD_SID_AUTHORITY;
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    const int NUM_ACES = 2;
    EXPLICIT_ACCESS ea[NUM_ACES];
    DWORD dwRes;

    // Specify the DACL to use.

    // Create a SID for the Everyone group.
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
                     SECURITY_WORLD_RID,
                     0,
                     0, 0, 0, 0, 0, 0,
                     &pSIDEveryone))
    {
        printf("AllocateAndInitializeSid (Everyone) error %u\n",
                GetLastError());
        goto Cleanup;
    }

    // Create a SID for the BUILTIN\Administrators group.
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                     SECURITY_BUILTIN_DOMAIN_RID,
                     DOMAIN_ALIAS_RID_ADMINS,
                     0, 0, 0, 0, 0, 0,
                     &pSIDAdmin))
    {
        printf("AllocateAndInitializeSid (Admin) error %u\n",
                GetLastError());
        goto Cleanup;
    }

    ZeroMemory(ea, sizeof(ea));

    // Set read access for Everyone.
    ea[0].grfAccessPermissions = GENERIC_READ;
    ea[0].grfAccessMode = SET_ACCESS;
    ea[0].grfInheritance = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea[0].Trustee.ptstrName = (LPTSTR) pSIDEveryone;

    // Set full control for Administrators.
    ea[1].grfAccessPermissions = GENERIC_ALL;
    ea[1].grfAccessMode = SET_ACCESS;
    ea[1].grfInheritance = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName = (LPTSTR) pSIDAdmin;

    // Build a new DACL from the two entries. Passing NULL as the old ACL
    // means the explicit entries of the existing DACL are not carried over.
    if (ERROR_SUCCESS != SetEntriesInAcl(NUM_ACES,
                                         ea,
                                         NULL,
                                         &pACL))
    {
        printf("Failed SetEntriesInAcl\n");
        goto Cleanup;
    }

    // Try to modify the object's DACL.
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        DACL_SECURITY_INFORMATION,   // change only the object's DACL
        NULL, NULL,                  // do not change owner or group
        pACL,                        // DACL specified
        NULL);                       // do not change SACL

    if (ERROR_SUCCESS == dwRes)
    {
        printf("Successfully changed DACL\n");
        bRetval = TRUE;
        // No more processing needed.
        goto Cleanup;
    }
    if (dwRes != ERROR_ACCESS_DENIED)
    {
        printf("First SetNamedSecurityInfo call failed: %u\n",
                dwRes);
        goto Cleanup;
    }

    // If the preceding call failed because access was denied,
    // enable the SE_TAKE_OWNERSHIP_NAME privilege, make the
    // Administrators group the owner of the object, and disable the
    // privilege. Then try again to set the object's DACL.

    // Open a handle to the access token for the calling process.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES,
                          &hToken))
    {
        printf("OpenProcessToken failed: %u\n", GetLastError());
        goto Cleanup;
    }

    // Enable the SE_TAKE_OWNERSHIP_NAME privilege.
    if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, TRUE))
    {
        printf("You must be logged on as Administrator.\n");
        goto Cleanup;
    }

    // Set the owner in the object's security descriptor.
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        OWNER_SECURITY_INFORMATION,  // change only the object's owner
        pSIDAdmin,                   // SID of the Administrators group
        NULL,
        NULL,
        NULL);

    if (dwRes != ERROR_SUCCESS)
    {
        printf("Could not set owner. Error: %u\n", dwRes);
        goto Cleanup;
    }

    // Disable the SE_TAKE_OWNERSHIP_NAME privilege.
    if (!SetPrivilege(hToken, SE_TAKE_OWNERSHIP_NAME, FALSE))
    {
        printf("Failed SetPrivilege call unexpectedly.\n");
        goto Cleanup;
    }

    // Try again to modify the object's DACL, now that we are the owner.
    // The owner of an object is implicitly granted WRITE_DAC, so the
    // privilege is no longer needed for this call.
    dwRes = SetNamedSecurityInfo(
        lpszOwnFile,                 // name of the object
        SE_FILE_OBJECT,              // type of object
        DACL_SECURITY_INFORMATION,   // change only the object's DACL
        NULL, NULL,                  // do not change owner or group
        pACL,                        // DACL specified
        NULL);                       // do not change SACL

    if (dwRes == ERROR_SUCCESS)
    {
        printf("Successfully changed DACL\n");
        bRetval = TRUE;
    }
    else
    {
        printf("Second SetNamedSecurityInfo call failed: %u\n",
                dwRes);
    }

Cleanup:

    if (pSIDAdmin)
        FreeSid(pSIDAdmin);

    if (pSIDEveryone)
        FreeSid(pSIDEveryone);

    if (pACL)
        LocalFree(pACL);

    if (hToken)
        CloseHandle(hToken);

    return bRetval;
}
Using Authorization in Script

You can use the Authorization Manager API to control access to application resources.
The examples in this section are written using Visual Basic Scripting Edition (VBScript) and Active Server Pages
(ASP).
For information about other authorization tasks, see Supporting Tasks in Script.

Defining Permissions in Script
    Define which users have access to which application resources by creating an authorization policy store.

Verifying Client Access to a Requested Resource in Script
    Check whether the client has access to one or more operations.

Delegating the Defining of Permissions in Script
    Delegate the administration of authorization policy stores that are stored in Active Directory.
Defining Permissions in Script

In Authorization Manager, you define which users have access to which application resources by creating an
authorization policy store.
To define access permissions
1. Create the store where the authorization policy is defined:
   Creating an Authorization Policy Store in Script
2. Create a section in the authorization policy store for a specific application:
   Creating an Application Object in Script
3. Define operations that the application implements to access and modify resources:
   Defining Operations in Script
4. Group operations into high-level tasks that users want to perform:
   Grouping Operations into Tasks in Script
5. Define roles that consist of groups of tasks:
   Grouping Tasks into Roles in Script
   A user that is assigned to a role has permission to perform any task assigned to that role.
6. Create scripts to qualify access to tasks at run time:
   Qualifying Access with Business Logic in Script
   This step is optional.
7. Define groups of users:
   Defining Groups of Users in Script
   These groups can then be assigned to roles to determine which tasks they can perform.
8. Add users to user groups:
   Adding Users to an Application Group in Script
Verifying Client Access to Requested Resources in Script

Call the AccessCheck method of an IAzClientContext object to check whether the client has access to one or
more operations. For information about creating an IAzClientContext object, see Establishing a Client Context
in Script.
A client might have membership in more than one role, and an operation might be assigned to more than one
task, so Authorization Manager checks for all roles and tasks. If any role to which the client belongs contains any
task that contains an operation, access to that operation is granted.
To check access for only a single role to which the client belongs, set the RoleForAccessCheck property of the
IAzClientContext object.
When initializing the authorization policy store for access check, you must pass zero as the value of the lFlags
parameter of the Initialize method of the AzAuthorizationStore object.
It is also possible to apply business logic at run time to qualify access. For information about qualifying access
with business logic, see Qualifying Access with Business Logic in Script.
The following example shows how to check a client's access to an operation. The example assumes that there is
an existing XML policy store named MyStore.xml in the root directory of drive C, and that this store contains an
application named Expense and an operation named UseFormControl.
<%@ Language=VBScript %>
<%
' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store. The flags value must be 0 for access checks.
AzManStore.Initialize 0, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create a client context from the name of the authenticated user.
Dim clientName
clientName = Request.ServerVariables("LOGON_USER")
Dim clientContext
Set clientContext = _
    expenseApp.InitializeClientContextFromName(clientName)

' Open the operation to check.
Dim formOperation
Set formOperation = expenseApp.OpenOperation("UseFormControl")

' Get the ID of the operation.
Dim operationID
operationID = formOperation.OperationID

' Check access. Dim takes the upper bound, so Operations(0) declares a
' one-element array holding the single operation ID.
Dim Operations(0)
Operations(0) = operationID
Dim Results

Results = _
    clientContext.AccessCheck("UseFormControl", Empty, Operations)

%>
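The decision rule described above (any role the client holds, any task in that role, any operation in that task, optionally narrowed to one role by RoleForAccessCheck) can be shown in a small runnable model. The following Python is an added example, not the page's VBScript and not the AzRoles COM API: PolicyStore, Task and Role are this model's own names mirroring IAzTask and IAzRole, the policy it builds for the Expense application is constructed here (the operations of the Approve Expense task are an assumption, since the page does not list them), and access_check returns one boolean per operation where the real AccessCheck returns a result array.

```python
"""Model of the Authorization Manager access-check decision (added example;
not the AzRoles API). Names are this model's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Task:
    """Stands in for an IAzTask: operations plus nested tasks; with
    is_role_definition=True it plays the IsRoleDefinition role."""
    name: str
    operations: Set[str] = field(default_factory=set)
    subtasks: Set[str] = field(default_factory=set)
    is_role_definition: bool = False


@dataclass
class Role:
    """Stands in for an IAzRole: tasks (or role definitions) plus the
    principals assigned to the role."""
    name: str
    tasks: Set[str] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)


@dataclass
class PolicyStore:
    operations: Dict[str, int] = field(default_factory=dict)  # name -> OperationID
    tasks: Dict[str, Task] = field(default_factory=dict)
    roles: Dict[str, Role] = field(default_factory=dict)

    def operations_of_task(self, task_name: str,
                           seen: Optional[Set[str]] = None) -> Set[str]:
        """Flatten a task or role definition into the operation names it
        contains, following nested tasks and guarding against cycles."""
        seen = set() if seen is None else seen
        if task_name in seen or task_name not in self.tasks:
            return set()
        seen.add(task_name)
        task = self.tasks[task_name]
        ops = set(task.operations)
        for sub in task.subtasks:
            ops |= self.operations_of_task(sub, seen)
        return ops

    def roles_of(self, client: str) -> Set[str]:
        return {r.name for r in self.roles.values() if client in r.members}

    def access_check(self, client: str, operation_ids: List[int],
                     role_for_access_check: Optional[str] = None) -> List[bool]:
        """One result per requested operation ID: True when some role the
        client holds contains some task that contains the operation.
        role_for_access_check mirrors IAzClientContext.RoleForAccessCheck:
        when set, only that role is consulted, and only if the client holds it."""
        held = self.roles_of(client)
        if role_for_access_check is not None:
            held &= {role_for_access_check}
        granted_names: Set[str] = set()
        for role_name in held:
            for task_name in self.roles[role_name].tasks:
                granted_names |= self.operations_of_task(task_name)
        granted_ids = {self.operations[n] for n in granted_names if n in self.operations}
        return [op_id in granted_ids for op_id in operation_ids]


def build_expense_store() -> PolicyStore:
    """Constructed sample policy mirroring the page's Expense application:
    its six operations, the Submit Expense task, an assumed Approve Expense
    task, an Expense Admin role definition, and two roles with members."""
    store = PolicyStore()
    for op_id, name in enumerate(["RetrieveForm", "EnqueRequest", "DequeRequest",
                                  "UseFormControl", "MarkFormApproved",
                                  "SendApprovalNotify"], start=1):
        store.operations[name] = op_id
    store.tasks["Submit Expense"] = Task(
        "Submit Expense", {"RetrieveForm", "EnqueRequest", "UseFormControl"})
    store.tasks["Approve Expense"] = Task(   # operations assumed, not on the page
        "Approve Expense", {"DequeRequest", "MarkFormApproved", "SendApprovalNotify"})
    store.tasks["Expense Admin"] = Task(
        "Expense Admin", subtasks={"Submit Expense", "Approve Expense"},
        is_role_definition=True)
    store.roles["Expense Administrator"] = Role(
        "Expense Administrator", {"Expense Admin"}, {"alice"})
    store.roles["Submitter"] = Role("Submitter", {"Submit Expense"}, {"bob"})
    return store


if __name__ == "__main__":
    store = build_expense_store()
    use_form = store.operations["UseFormControl"]
    approve = store.operations["MarkFormApproved"]
    print("bob:", store.access_check("bob", [use_form, approve]))
    print("alice:", store.access_check("alice", [use_form, approve]))
    print("alice, Submitter role only:",
          store.access_check("alice", [use_form], "Submitter"))
```

Running the block shows bob (Submitter) granted UseFormControl but not MarkFormApproved, alice (Expense Administrator, through the nested role definition) granted both, and alice denied when the check is narrowed to a role she does not hold.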
Delegating the Defining of Permissions in Script

You can delegate the administration of authorization policy stores that are stored in Active Directory.
Administration can be delegated to users and groups at the store, application, or scope level.
At each level, there is a list of administrators and readers. Administrators of a store, application, or scope can
read and modify the policy store at the delegated level. Readers can read the policy store at the delegated level
but cannot modify the store.
A user or group that is either an administrator or a reader of an application must also be added as a delegated
user of the policy store that contains that application. Similarly, a user or group that is an administrator or a
reader of a scope must be added as a delegated user of the application that contains that scope.
To delegate administration of a scope
1. Add the user or group to the list of delegated users of the store that contains the scope by calling the
AddDelegatedPolicyUser method of the AzAuthorizationStore object that contains the scope.
2. Add the user or group to the list of delegated users of the application that contains the scope by calling the
AddDelegatedPolicyUser method of the IAzApplication object that contains the scope.
3. Add the user or group to the list of administrators of the scope by calling the AddPolicyAdministrator
method of the IAzScope object.

NOTE
XML-based policy stores do not support delegation at any level.

If a scope within an authorization store that is stored in Active Directory contains task definitions that include
authorization rules or role definitions that include authorization rules, the scope cannot be delegated.
The following example shows how to delegate administration of an application. The example assumes that there
is an existing Active Directory authorization policy store at the specified location, that this policy store contains
an application named Expense, and that this application contains no tasks with business rule scripts.
' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration
' (flags value 2, AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY).
AzManStore.Initialize 2, _
    "msldap://CN=MyStore,CN=Program Data,DC=authmanager,DC=com"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Add a delegated policy user to the store. VBScript strings have no
' escape sequences, so the domain separator is a single backslash.
AzManStore.AddDelegatedPolicyUserName "ExampleDomain\UserName"

' Add the user as an administrator of the application.
expenseApp.AddPolicyAdministratorName "ExampleDomain\UserName"

' Save changes. Each object persists its own changes, so the
' application and the store are both submitted.
expenseApp.Submit
AzManStore.Submit
Supporting Tasks for Authorization in Script

The following tasks support the main tasks listed in Using Authorization in Script.

Creating an Authorization Policy Store in Script
    Create an authorization policy before or during the installation of an application.

Establishing a Client Context in Script
    Create a client context with a handle to a token, a domain and user name, or a string representation of the
    security identifier (SID) of the client.

Qualifying Access with Business Logic in Script
    Provide run-time logic for checking access.
Creating an Authorization Policy Store in Script

Create an authorization policy before or during the installation of an application.
When you use the Authorization Manager API to create an authorization policy, follow the instructions provided
in the following topics.

Creating an Authorization Policy Store Object in Script
    An authorization policy store contains information about the security policy of an application or group of
    applications.

Creating an Application Object in Script
    For each application that uses an authorization policy store, you must create an IAzApplication object and
    save it to a policy store.

Defining Operations in Script
    An operation is a low-level function or method of an application.

Grouping Operations into Tasks in Script
    A task is a high-level action that users of an application need to complete. Tasks are made up of operations,
    which are low-level functions and methods of the application.

Grouping Tasks into Roles in Script
    A role represents a category of users and the tasks those users are authorized to perform.

Defining Groups of Users in Script
    An IAzApplicationGroup object represents a group of users. Roles can then be assigned to this group of users
    collectively. An IAzApplicationGroup object can also include other IAzApplicationGroup objects as members.

Adding Users to an Application Group in Script
    An application group is a group of users and user groups. An application group can contain other application
    groups, so groups of users can be nested. An application group is represented by an IAzApplicationGroup object.
Creating an Authorization Policy Store Object in Script

An authorization policy store contains information about the security policy of an application or group of
applications. The information includes the applications, operations, tasks, users, and groups of users associated
with the store. When an application that uses Authorization Manager initializes, it loads this information from
the store. The authorization policy store must be located on a trusted system because administrators on that
system have a high degree of access to the store.
Authorization Manager supports storing authorization policy in the Active Directory directory service, in a SQL
Server database, or in an XML file, as shown in the following examples. In the Authorization Manager API, an
authorization policy store is represented by an AzAuthorizationStore object. The examples show how to create an
AzAuthorizationStore object for each kind of store.
Creating an Active Directory Store
Creating a SQL Server Store
Creating an XML Store

Creating an Active Directory Store


To use Active Directory to store the authorization policy, the domain must be in the Windows Server 2003
domain functional level. The authorization policy store cannot be located in a Non-Domain Naming Context
(also called an application partition). It is recommended that the store be located in the Program Data
container under a new organizational unit created specifically for the authorization policy store. It is also
recommended that the store be located within the same local area network as application servers that run
applications that use the store.
The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in Active Directory. The example assumes that there is an existing Active Directory organizational
unit named Program Data in a domain named authmanager.com.

' Create the store object.
Dim authStore
Set authStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the store object. The flags value 1 (AZ_AZSTORE_FLAG_CREATE)
' creates the store at the given location.
authStore.Initialize 1, _
    "msldap://CN=MyStore,CN=Program Data,DC=authmanager,DC=com"

' Save the information to the store.
authStore.Submit

Creating a SQL Server Store


Authorization Manager supports creating a Microsoft SQL Server-based authorization policy store. To create a
SQL Server-based authorization store, use a URL that begins with the prefix MSSQL://. The URL must contain a
valid SQL connection string, a database name, and the name of the authorization policy store, in the form
MSSQL://ConnectionString/DatabaseName/PolicyStoreName.
If the instance of SQL Server does not contain the specified Authorization Manager database, Authorization
Manager creates a new database with that name.

NOTE
Connections to a SQL Server store are not encrypted unless you explicitly set up SQL encryption for the connection or set
up encryption of the network traffic that uses Internet Protocol Security (IPsec).

The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in a SQL Server database.

' Create the store object.
Dim authStore
Set authStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the store object. The flags value 1 (AZ_AZSTORE_FLAG_CREATE)
' creates the store; the URL carries the connection string, database
' name, and store name.
authStore.Initialize 1, _
    "MSSQL://Driver={SQL Server};Server={AzServer};/AzDB/MyStore"

' Save information to the store.
authStore.Submit

Creating an XML Store


Authorization Manager supports creating an authorization policy store in XML format. The XML store can be
located on the same computer where the application runs, or it can be stored remotely. Editing the XML file
directly is not supported. Use the Authorization Manager MMC snap-in or the Authorization Manager API to edit
the policy store.
Authorization Manager does not support delegating administration of an XML policy store. For information
about delegation, see Delegating the Defining of Permissions in Script.
The following example shows how to create an AzAuthorizationStore object that represents an authorization
policy store in an XML file.

' Create the store object.
Dim authStore
Set authStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the store object. The flags value 1 (AZ_AZSTORE_FLAG_CREATE)
' creates the XML file at the given path.
authStore.Initialize 1, "msxml://C:\MyStore.xml"

' Save information to the store.
authStore.Submit
Creating an Application Object in Script

An authorization policy store contains authorization policy information for one or more applications. For each
application that uses an authorization policy store, you must create an IAzApplication object and save it to a
policy store.
The following example shows how to create an IAzApplication object that represents an application and how
to add the IAzApplication object to the authorization policy store the application uses. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C.

' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration (flags value 2).
AzManStore.Initialize 2, "msxml://C:\MyStore.xml"

' Create an application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.CreateApplication("Expense")

' Save changes to the store.
expenseApp.Submit
Defining Operations in Script

In Authorization Manager an operation is a low-level function or method of an application. These operations are
grouped together as tasks. Users of the application request permission to complete tasks. An operation is
represented by an IAzOperation object. For more information about operations, see Operations and Tasks.
The following example shows how to define operations in an authorization policy store. The example assumes
that there is an existing XML policy store named MyStore.xml in the root directory of drive C, and that this store
contains an application named Expense.

' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration (flags value 2).
AzManStore.Initialize 2, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create operations. Each operation is given a unique OperationID
' (the value AccessCheck is later called with) and then saved to
' the store with Submit.

' Create first operation.
Dim Op1
Set Op1 = expenseApp.CreateOperation("RetrieveForm")
Op1.OperationID = 1
Op1.Submit

' Create second operation.
Dim Op2
Set Op2 = expenseApp.CreateOperation("EnqueRequest")
Op2.OperationID = 2
Op2.Submit

' Create third operation.
Dim Op3
Set Op3 = expenseApp.CreateOperation("DequeRequest")
Op3.OperationID = 3
Op3.Submit

' Create fourth operation.
Dim Op4
Set Op4 = expenseApp.CreateOperation("UseFormControl")
Op4.OperationID = 4
Op4.Submit

' Create fifth operation.
Dim Op5
Set Op5 = expenseApp.CreateOperation("MarkFormApproved")
Op5.OperationID = 5
Op5.Submit

' Create sixth operation.
Dim Op6
Set Op6 = expenseApp.CreateOperation("SendApprovalNotify")
Op6.OperationID = 6
Op6.Submit
Grouping Operations into Tasks in Script

In Authorization Manager, a task is a high-level action that users of an application need to complete. Tasks are
made up of operations, which are low-level functions and methods of the application. A task is then assigned to
those roles that must perform that task. A task is represented by an IAzTask object. For more information about
operations and tasks, see Operations and Tasks.
The following example shows how to group operations to create a task. The example assumes that there is an
existing XML policy store named MyStore.xml in the root directory of drive C, that this store contains an
application named Expense, and that this application contains operations defined in the topic Defining
Operations in Script.

' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration (flags value 2).
AzManStore.Initialize 2, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create a task object.
Dim Task1
Set Task1 = expenseApp.CreateTask("Submit Expense")

' Add operations to the task, by operation name.
Task1.AddOperation CStr("RetrieveForm")
Task1.AddOperation CStr("EnqueRequest")
Task1.AddOperation CStr("UseFormControl")

' Save the task to the store.
Task1.Submit
Grouping Tasks into Roles in Script

In Authorization Manager, a role represents a category of users and the tasks those users are authorized to
perform. Tasks are grouped together and assigned to a role definition, which is represented by an IAzTask
object with its IsRoleDefinition property set to True. The role definition can then be assigned to an IAzRole
object, and users or groups of users are then assigned to that object. For more information about tasks and
roles, see Roles.
The following example shows how to assign tasks to a role definition, create a role object, and assign the role
definition to the role object. The example assumes that there is an existing XML policy store named MyStore.xml
in the root directory of drive C, that this store contains an application named Expense, and that this application
contains tasks named Submit Expense and Approve Expense.

' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration (flags value 2).
AzManStore.Initialize 2, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create a task object to act as a role definition.
Dim roleTask
Set roleTask = expenseApp.CreateTask("Expense Admin")

' Set the IsRoleDefinition property of roleTask to True.
roleTask.IsRoleDefinition = True

' Add two tasks to the role definition.
roleTask.AddTask CStr("Submit Expense")
roleTask.AddTask CStr("Approve Expense")

' Save the role definition to the store.
roleTask.Submit

' Create a role object.
Dim role1
Set role1 = expenseApp.CreateRole("Expense Administrator")

' Add the role definition to the role object.
role1.AddTask roleTask.Name

' Save the role object to the store.
role1.Submit
Defining Groups of Users in Script

In Authorization Manager, an IAzApplicationGroup object represents a group of users. Roles can then be
assigned to this group of users collectively. An IAzApplicationGroup object can also include other
IAzApplicationGroup objects as members. For more information about application groups, see Users and
Groups.
A group can be defined either by explicit lists of members and nonmembers or by a Lightweight Directory
Access Protocol (LDAP) query. The following examples show how to create each type of application group:
Creating a Basic Group
Creating an LDAP Query Group

Creating a Basic Group


A basic application group is defined by the members included in the Members and NonMembers properties
of the IAzApplicationGroup object that represents the group. Users and groups listed in the Members
property are included in the application group, and users and groups listed in the NonMembers property are
excluded from the application group. Being listed in the NonMembers property supersedes being listed in the
Members property.
The following example shows how to create a basic application group and add all local users as members of that
group. The example assumes that there is an existing XML policy store named MyStore.xml in the root directory
of drive C.

' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration (flags value 2).
AzManStore.Initialize 2, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create an application group object.
Dim appGroup
Set appGroup = expenseApp.CreateApplicationGroup("Trusted Users")

' Add the well-known SID S-1-1-0 (Everyone) to the group, which makes
' every user a member.
appGroup.AddMember "S-1-1-0"

' Save the application group to the store.
appGroup.Submit

Creating an LDAP Query Group


An LDAP query group has a membership defined by the query contained in the value of its LdapQuery
property.
The following example shows how to create an LDAP query application group and add all users as members of
that group. The example assumes that there is an existing XML policy store named MyStore.xml in the root
directory of drive C.

' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration (flags value 2).
AzManStore.Initialize 2, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create an application group object.
Dim appGroup
Set appGroup = expenseApp.CreateApplicationGroup("LDAP Trusted Users")

' Set the Type property of the group to 2 (AZ_GROUPTYPE_LDAP_QUERY).
appGroup.Type = 2

' Add an LDAP query for all user accounts. An LDAP filter is enclosed
' in parentheses, including the outer "&" conjunction.
appGroup.LdapQuery = "(&(objectCategory=person)(objectClass=user))"

' Save the application group to the store.
appGroup.Submit
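The membership rules described in this topic (a NonMembers listing supersedes a Members listing, groups nest inside groups, and an LDAP query group is defined by its query) as an added, runnable Python model. It is not the AzRoles API: AppGroup and is_member are this model's own names, the principals and the group tree are constructed sample data, and because no directory is available offline the LdapQuery string is stood in for by a Python predicate over constructed directory attributes.

```python
"""Model of IAzApplicationGroup membership evaluation (added example; not the
AzRoles API). Names and sample data are this model's own."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Values of the IAzApplicationGroup Type property; the page uses 2 for LDAP query groups.
AZ_GROUPTYPE_BASIC = 1
AZ_GROUPTYPE_LDAP_QUERY = 2


@dataclass
class AppGroup:
    """Stands in for an IAzApplicationGroup."""
    name: str
    group_type: int = AZ_GROUPTYPE_BASIC
    members: Set[str] = field(default_factory=set)       # SIDs or names of nested groups
    non_members: Set[str] = field(default_factory=set)   # SIDs or names of nested groups
    ldap_query: Optional[Callable[[dict], bool]] = None  # stands in for the LdapQuery string


def is_member(principal: dict, group: AppGroup, groups: Dict[str, AppGroup],
              seen: Optional[Set[str]] = None) -> bool:
    """Decide whether `principal` (a dict with its token SIDs under "sids" and
    its directory attributes, for the query case) belongs to `group`."""
    seen = set() if seen is None else seen
    if group.name in seen:          # cycle guard for nested groups
        return False
    seen = seen | {group.name}

    if group.group_type == AZ_GROUPTYPE_LDAP_QUERY:
        return group.ldap_query is not None and bool(group.ldap_query(principal))

    def listed(entries: Set[str]) -> bool:
        for entry in entries:
            if entry in principal["sids"]:
                return True
            nested = groups.get(entry)
            if nested is not None and is_member(principal, nested, groups, seen):
                return True
        return False

    # NonMembers supersedes Members, so the exclusion list is checked first.
    if listed(group.non_members):
        return False
    return listed(group.members)


def build_sample_groups() -> Dict[str, AppGroup]:
    """Constructed groups mirroring the page's two examples plus an exclusion."""
    return {
        # Basic group holding the well-known Everyone SID, as on the page.
        "Trusted Users": AppGroup("Trusted Users", members={"S-1-1-0"}),
        # Constructed group of contractor accounts (constructed SID).
        "Contractors": AppGroup("Contractors", members={"S-1-5-21-1-1-1-1001"}),
        # Nested: everyone trusted, minus anyone who is (transitively) a contractor.
        "Approvers": AppGroup("Approvers", members={"Trusted Users"},
                              non_members={"Contractors"}),
        # LDAP query group standing in for "(&(objectCategory=person)(objectClass=user))".
        "LDAP Trusted Users": AppGroup(
            "LDAP Trusted Users", AZ_GROUPTYPE_LDAP_QUERY,
            ldap_query=lambda p: p.get("objectCategory") == "person"
                                 and "user" in p.get("objectClass", ())),
    }


# Constructed principals: token SIDs plus the directory attributes the query reads.
ALICE = {"sids": {"S-1-5-21-1-1-1-1000", "S-1-1-0"},
         "objectCategory": "person", "objectClass": {"top", "person", "user"}}
CARL = {"sids": {"S-1-5-21-1-1-1-1001", "S-1-1-0"},
        "objectCategory": "person", "objectClass": {"top", "person", "user"}}
BUILD_HOST = {"sids": {"S-1-5-21-1-1-1-2000", "S-1-1-0"},
              "objectCategory": "computer", "objectClass": {"top", "computer"}}


if __name__ == "__main__":
    groups = build_sample_groups()
    for label, who in (("alice", ALICE), ("carl", CARL), ("build host", BUILD_HOST)):
        print(label, {g: is_member(who, groups[g], groups) for g in groups})
```

Running it shows carl excluded from Approvers even though Everyone (and therefore carl) is listed through the nested Trusted Users group, and the computer account rejected by the query group although it carries the Everyone SID.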
Adding Users to an Application Group in Script

In Authorization Manager, an application group is a group of users and user groups. An application group can
contain other application groups, so groups of users can be nested. An application group is represented by an
IAzApplicationGroup object.
To allow members of an application group to perform a task or set of tasks
1. Assign that application group to a role that contains those tasks. Roles are represented by IAzRole objects.
The following example shows how to create an application group, add a user as a member of the application
group, and assign the application group to an existing role. The example assumes that there is an existing XML
policy store named MyStore.xml in the root directory of drive C, that this store contains an application named
Expense, and that this application contains a role named Expense Administrator.

' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store for administration (flags value 2).
AzManStore.Initialize 2, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create an application group object.
Dim appGroup
Set appGroup = expenseApp.CreateApplicationGroup("Approvers")

' Add a member to the group. Replace with a valid domain and user name;
' VBScript strings have no escape sequences, so use a single backslash.
appGroup.AddMemberName "domain\username"

' Save information to the store.
appGroup.Submit

' Open a role object.
Dim adminRole
Set adminRole = expenseApp.OpenRole("Expense Administrator")

' Add the group to the role.
adminRole.AddAppMember "Approvers"

' Save the information to the store.
adminRole.Submit
Establishing a Client Context in Script

In Authorization Manager, an application determines whether a client is given access to an operation by calling
the AccessCheck method of an IAzClientContext object, which represents a client context.
An application can create a client context with a handle to a token, a domain and user name, or a string
representation of the security identifier (SID) of the client.
Use the InitializeClientContextFromToken, InitializeClientContextFromName, and
InitializeClientContextFromStringSid methods of an IAzApplication object to create a client context.
The following example shows how to create an IAzClientContext object from a client name. The example
assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C, and that
this store contains an application named Expense.

<%@ Language=VBScript %>
<%
' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store. The flags value must be 0 for access checks.
AzManStore.Initialize 0, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create a client context from the name of the authenticated user.
Dim clientName
clientName = Request.ServerVariables("LOGON_USER")
Dim clientContext
Set clientContext = _
    expenseApp.InitializeClientContextFromName(clientName)

%>
Qualifying Access with Business Logic in Script

Use business rule scripts to provide run-time logic for checking access. For more information about business
rules, see Business Rules.
To assign a business rule to a task, first set the BizRuleLanguage property of the IAzTask object that
represents the task. The script must be written in either Visual Basic Scripting Edition (VBScript) or JScript.
After you specify the script language, set the BizRule property of the IAzTask object to a string containing
the script.
When checking access for an operation contained by a task that has an associated business rule, the application
must create two arrays of the same size to be passed as the varParameterNames and varParameterValues
parameters of the AccessCheck method of an IAzClientContext object. For information about creating a
client context, see Establishing a Client Context in Script.
The AccessCheck method creates an AzBizRuleContext object that is passed to the business rule script. The
script then sets the BusinessRuleResult property of the AzBizRuleContext object. A value of True indicates
that access is granted, and a value of False indicates that access is denied.
A business rule script cannot be assigned to an IAzTask object contained by a delegated IAzScope object.
The following example shows how to use a business rule script to check a client's access to an operation. The
example assumes that there is an existing XML policy store named MyStore.xml in the root directory of drive C,
and that this store contains an application named Expense, a task named Submit Expense, and an operation
named UseFormControl.

<%@ Language=VBScript %>
<%
' Create the AzAuthorizationStore object.
Dim AzManStore
Set AzManStore = CreateObject("AzRoles.AzAuthorizationStore")

' Initialize the authorization store. The flags value must be 0 for access checks.
AzManStore.Initialize 0, "msxml://C:\MyStore.xml"

' Open the application object in the store.
Dim expenseApp
Set expenseApp = AzManStore.OpenApplication("Expense")

' Create a client context from the name of the authenticated user.
Dim clientName
clientName = Request.ServerVariables("LOGON_USER")
Dim clientContext
Set clientContext = _
    expenseApp.InitializeClientContextFromName(clientName)

' Create a business rule for the Submit Expense task.

' Open the Submit Expense task.
Dim submitTask
Set submitTask = expenseApp.OpenTask("Submit Expense")

' Set the business rule language to VBScript.
submitTask.BizRuleLanguage = "VBScript"

' Create a string with the business rule code. The rule denies by
' default and grants only when the ExpAmount parameter is below 500.
Dim bizRuleString
bizRuleString = "Dim Amount" & vbCrLf & _
    "AzBizRuleContext.BusinessRuleResult = FALSE" & vbCrLf & _
    "Amount = AzBizRuleContext.GetParameter(""ExpAmount"")" & vbCrLf & _
    "If Amount < 500 Then AzBizRuleContext.BusinessRuleResult = TRUE"

' Assign the business rule to the Submit Expense task.
submitTask.BizRule = bizRuleString

' Save the task information to the store.
submitTask.Submit

' Open the operation to check.
Dim formOperation
Set formOperation = expenseApp.OpenOperation("UseFormControl")

' Get the ID of the operation.
Dim operationID
operationID = formOperation.OperationID

' Set up the operations array. Dim takes the upper bound, so
' Operations(0) declares a one-element array.
Dim Operations(0)
Operations(0) = operationID
Dim Results

' Set up business rule parameters. The names array and the values
' array must have the same size.
Dim bizNames(0)
Dim bizValues(0)
bizNames(0) = "ExpAmount"
bizValues(0) = 100

' Check access.
Results = clientContext.AccessCheck _
    ("UseFormControl", Empty, Operations, bizNames, bizValues)

%>
Using Authz API
3/5/2021

Authz API allows applications to perform customizable access checks with better performance and simpler
development than Low-level Access Control.
Authz API allows applications to cache access checks for improved performance, to query and modify client
contexts, and to define business rules that can be used to evaluate access permission dynamically.

In This Section
Topic / Description

Initializing a Client Context: An application must create a client context before it can use Authz API to
perform access checks or auditing.

Querying a Client Context: Applications can call the AuthzGetInformationFromContext function to query
information about an existing client context.

Adding SIDs to a Client Context: An application can add security identifiers (SIDs) to an existing client
context by calling the AuthzAddSidsToContext function.

Checking Access with Authz API: Applications determine whether to grant access to securable objects by
calling the AuthzAccessCheck function.

Caching Access Checks: When an application performs an access check by calling the AuthzAccessCheck
function, the results of that access check can be cached.
Initializing a Client Context
3/5/2021

An application must create a client context before it can use Authz API to perform access checks or auditing.
An application must call the AuthzInitializeResourceManager function to initialize the resource manager. The
application can then call one of several functions to create a client context. Additionally, if you are performing
access checks or auditing remotely, you must use the AuthzInitializeRemoteResourceManager function.
To create a client context based on an existing client context, call the
AuthzInitializeContextFromAuthzContext function.
The AuthzInitializeContextFromToken function creates a new client context by using information in a logon
token. The AuthzInitializeContextFromSid function creates a new client context by using the specified SID.
If possible, call the AuthzInitializeContextFromToken function instead of AuthzInitializeContextFromSid.
AuthzInitializeContextFromSid attempts to reconstruct the information that a logon token would have contained
had the client actually logged on. An actual logon token provides more information, such as logon type and
logon properties, and reflects the behavior of the authentication package used for the logon. The client context
created by AuthzInitializeContextFromToken uses a logon token, and the resulting client context is more
complete and accurate than a client context created by AuthzInitializeContextFromSid.

NOTE
Security attribute variables must be present in the client context if referred to in a conditional expression; otherwise, the
conditional expression term referencing them will be evaluated as unknown. For more information on conditional
expressions, see the Security Descriptor Definition Language for Conditional ACEs topic.

Example
The following example initializes the Authz resource manager and calls the
AuthzInitializeContextFromToken function to create a client context from the logon token associated with
the current process.
#include <windows.h>
#include <authz.h>
#include <stdio.h>

#pragma comment(lib, "authz.lib")

// Resource manager handle shared by the Authz examples in this section.
AUTHZ_RESOURCE_MANAGER_HANDLE g_hResourceManager = NULL;

BOOL AuthzInitFromToken(AUTHZ_CLIENT_CONTEXT_HANDLE *phClientContext)
{
    HANDLE hToken = NULL;
    LUID Luid = {0, 0};
    BOOL bResult = FALSE;

    // Initialize the resource manager. No callbacks are registered and auditing is disabled.
    if (!AuthzInitializeResourceManager(
            AUTHZ_RM_FLAG_NO_AUDIT,
            NULL,
            NULL,
            NULL,
            L"My Resource Manager",
            &g_hResourceManager))
    {
        printf_s("AuthzInitializeResourceManager failed with %lu\n", GetLastError());
        return FALSE;
    }

    // Get the current process token. TOKEN_QUERY is all that AuthzInitializeContextFromToken needs.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
    {
        printf_s("OpenProcessToken failed with %lu\n", GetLastError());
        return FALSE;
    }

    // Initialize the client context from the token.
    if (!AuthzInitializeContextFromToken(
            0,
            hToken,
            g_hResourceManager,
            NULL,
            Luid,
            NULL,
            phClientContext))
    {
        printf_s("AuthzInitializeContextFromToken failed with %lu\n", GetLastError());
    }
    else
    {
        printf_s("Initialized client context.\n");
        bResult = TRUE;
    }

    // The token handle is no longer needed; the client context is released later with AuthzFreeContext.
    CloseHandle(hToken);
    return bResult;
}

Related topics
Adding SIDs to a Client Context
Caching Access Checks
Checking Access with Authz API
How AccessCheck Works
Querying a Client Context
Security Descriptor Definition Language for Conditional ACEs
AuthzInitializeRemoteResourceManager
AuthzInitializeResourceManager
Querying a Client Context
3/5/2021

Applications can call the AuthzGetInformationFromContext function to query information about an existing
client context.
The InfoClass parameter of the AuthzGetInformationFromContext function takes a value from the
AUTHZ_CONTEXT_INFORMATION_CLASS enumeration that specifies what type of information the function
queries.
Security attribute variables must be present in the client context if referred to in a conditional expression;
otherwise, the conditional expression term referencing them will be evaluated as unknown. For more
information on conditional expressions, see the Security Descriptor Definition Language for Conditional ACEs
topic.

Example
The following example queries the client context created in the example from Initializing a Client Context to
retrieve the list of SIDs of groups associated with that client context.
#include <windows.h>
#include <authz.h>
#include <sddl.h>
#include <stdio.h>
#include <stdlib.h>

BOOL GetGroupsFromContext(AUTHZ_CLIENT_CONTEXT_HANDLE hClientContext)
{
    DWORD cbSize = 0;
    PTOKEN_GROUPS pTokenGroups = NULL;
    LPWSTR StringSid = NULL;
    DWORD i;

    // Call AuthzGetInformationFromContext with a NULL output buffer to get the required buffer size.
    // This first call fails with ERROR_INSUFFICIENT_BUFFER by design; cbSize receives the size needed.
    AuthzGetInformationFromContext(hClientContext, AuthzContextInfoGroupsSids, 0, &cbSize, NULL);
    if (cbSize == 0)
    {
        printf_s("AuthzGetInformationFromContext failed with %lu\n", GetLastError());
        return FALSE;
    }

    // Allocate the buffer for the TOKEN_GROUPS structure.
    pTokenGroups = (PTOKEN_GROUPS)malloc(cbSize);
    if (!pTokenGroups)
        return FALSE;

    // Get the SIDs of groups associated with the client context.
    if (!AuthzGetInformationFromContext(hClientContext, AuthzContextInfoGroupsSids, cbSize, &cbSize, pTokenGroups))
    {
        printf_s("AuthzGetInformationFromContext failed with %lu\n", GetLastError());
        free(pTokenGroups);
        return FALSE;
    }

    // Enumerate and display the group SIDs.
    for (i = 0; i < pTokenGroups->GroupCount; i++)
    {
        // Convert the SID to its string form (S-1-...). The string is allocated with LocalAlloc.
        if (!ConvertSidToStringSidW(pTokenGroups->Groups[i].Sid, &StringSid))
        {
            printf_s("ConvertSidToStringSid failed with %lu\n", GetLastError());
            free(pTokenGroups);
            return FALSE;
        }

        wprintf_s(L"%s\n", StringSid);
        LocalFree(StringSid);
        StringSid = NULL;
    }

    free(pTokenGroups);
    return TRUE;
}

Related topics
Adding SIDs to a Client Context
Caching Access Checks
Checking Access with Authz API
How AccessCheck Works
Initializing a Client Context
Security Descriptor Definition Language for Conditional ACEs
Adding SIDs to a Client Context
3/5/2021

An application can add security identifiers (SIDs) to an existing client context by calling the
AuthzAddSidsToContext function. The AuthzAddSidsToContext function allows an application to specify
both a list of SIDs and a list of restricting SIDs to the specified client context.
The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a
restricted process or thread tries to access a securable object, the system performs two access checks: one using
the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access
checks allow the requested access rights.
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.

Example
The following example adds a SID and a restricting SID to the client context created by the example in Initializing
a Client Context.

#include <windows.h>
#include <authz.h>
#include <sddl.h>
#include <stdio.h>

BOOL AddSidsToContext(AUTHZ_CLIENT_CONTEXT_HANDLE *phClientContext)
{
    AUTHZ_CLIENT_CONTEXT_HANDLE NewContext = NULL;
    PSID pEveryoneSid = NULL;
    PSID pLocalSid = NULL;
    SID_AND_ATTRIBUTES Sids;
    SID_AND_ATTRIBUTES RestrictedSids;
    BOOL bResult = FALSE;

    // Create a PSID from the "Everyone" well-known SID. ConvertStringSidToSid allocates the SID
    // with LocalAlloc, so it must be released with LocalFree (FreeSid is only for AllocateAndInitializeSid).
    if (!ConvertStringSidToSidW(L"S-1-1-0", &pEveryoneSid))
    {
        printf_s("ConvertStringSidToSid failed with %lu\n", GetLastError());
        return FALSE;
    }

    // Create a PSID from the "Local" well-known SID.
    if (!ConvertStringSidToSidW(L"S-1-2-0", &pLocalSid))
    {
        printf_s("ConvertStringSidToSid failed with %lu\n", GetLastError());
        LocalFree(pEveryoneSid);
        return FALSE;
    }

    // Set the members of the SID_AND_ATTRIBUTES structure to be added.
    Sids.Sid = pEveryoneSid;
    Sids.Attributes = SE_GROUP_ENABLED;

    // Set the members of the SID_AND_ATTRIBUTES structure for the restricting SID.
    RestrictedSids.Sid = pLocalSid;
    RestrictedSids.Attributes = SE_GROUP_ENABLED;

    // Create a new context with the new "Everyone" SID and "Local" restricting SID.
    // Parameters: existing context, SIDs to add, their count, restricting SIDs, their count, new context.
    if (!AuthzAddSidsToContext(
            *phClientContext,
            &Sids,
            1,
            &RestrictedSids,
            1,
            &NewContext))
    {
        printf_s("AuthzAddSidsToContext failed with %lu\n", GetLastError());
    }
    else
    {
        // Replace the caller's context with the new one and release the old one.
        AuthzFreeContext(*phClientContext);
        *phClientContext = NewContext;
        bResult = TRUE;
    }

    LocalFree(pEveryoneSid);
    LocalFree(pLocalSid);
    return bResult;
}

Related topics
Caching Access Checks
Checking Access with Authz API
Initializing a Client Context
Querying a Client Context
Checking Access with Authz API
3/5/2021

Applications determine whether to grant access to securable objects by calling the AuthzAccessCheck
function.
The AuthzAccessCheck function takes both AUTHZ_ACCESS_REQUEST and SECURITY_DESCRIPTOR
structures as parameters. The AUTHZ_ACCESS_REQUEST structure specifies a level of access requested. The
AuthzAccessCheck function evaluates the requested access against the specified SECURITY_DESCRIPTOR
for a specified client context. For information about how a security descriptor controls access to an object, see
How DACLs Control Access to an Object.
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.
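The ordering rules AuthzAccessCheck applies when it walks a DACL, together with the two-pass check for a context that carries restricting SIDs (described under Adding SIDs to a Client Context), as an added portable C model. This is example code written for this page, not the Authz library; the access-right values are the winnt.h ones, the well-known SIDs are those used by the page's examples, and the user SID S-1-5-21-1000-2000-3000-1001 is a constructed sample value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Access-right bits, using the winnt.h values for the rights this page's examples use. */
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u
#define MAXIMUM_ALLOWED 0x02000000u

/* Well-known string SIDs used by the page's examples (SDDL aliases BA, WD, and the "Local" SID). */
#define SID_BUILTIN_ADMINS "S-1-5-32-544"
#define SID_EVERYONE       "S-1-1-0"
#define SID_LOCAL          "S-1-2-0"

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;

typedef struct {
    ace_type    type;
    const char *sid;   /* trustee, as a string SID */
    uint32_t    mask;  /* access rights the ACE allows or denies */
} ace;

typedef struct { const ace *aces; size_t count; } dacl;
typedef struct { const char *const *sids; size_t count; } sid_list;

static bool list_has(const sid_list *l, const char *sid)
{
    for (size_t i = 0; i < l->count; i++)
        if (strcmp(l->sids[i], sid) == 0) return true;
    return false;
}

/* One walk of the DACL for one SID set, following the order rules AccessCheck applies:
 * ACEs are visited in order; a deny ACE that matches the client and covers any still
 * outstanding requested right ends the walk with nothing granted; allow ACEs accumulate
 * rights (minus anything denied earlier) until every requested right is granted.
 * With MAXIMUM_ALLOWED every ACE is visited and all rights not denied are returned,
 * which is the result the cached access check reuses. */
static uint32_t dacl_walk(const dacl *d, const sid_list *sids, uint32_t desired)
{
    bool     max_allowed = (desired & MAXIMUM_ALLOWED) != 0;
    uint32_t wanted = desired & ~MAXIMUM_ALLOWED, granted = 0, denied = 0;

    for (size_t i = 0; i < d->count; i++) {
        const ace *a = &d->aces[i];
        if (!list_has(sids, a->sid)) continue;      /* ACE does not apply to this client */
        if (a->type == ACE_DENY) {
            if (!max_allowed && (a->mask & wanted & ~granted)) return 0;
            denied |= a->mask;
        } else {
            granted |= a->mask & ~denied;
            if (!max_allowed && (granted & wanted) == wanted) return wanted;
        }
    }
    if (max_allowed) return granted;
    return (granted & wanted) == wanted ? wanted : 0;
}

/* Full check. A client with restricting SIDs is checked twice, once with its enabled SIDs
 * and once with the restricting SIDs, and only rights granted by both walks survive.
 * Returns the granted mask; 0 means access denied. */
uint32_t access_check(const dacl *d, const sid_list *enabled,
                      const sid_list *restricting, uint32_t desired)
{
    uint32_t granted = dacl_walk(d, enabled, desired);
    if (restricting && restricting->count > 0)
        granted &= dacl_walk(d, restricting, desired);
    return granted;
}

/* The cached-check step: a stored MAXIMUM_ALLOWED result satisfies a later request
 * when it contains every requested bit. */
bool cached_check(uint32_t max_allowed_result, uint32_t desired)
{
    return (max_allowed_result & desired) == desired;
}

/* Constructed sample: the page's SDDL "D:(A;;RC;;;BA)" as a DACL, a client whose token holds
 * a (constructed) user SID, Everyone and Builtin Administrators, and the Local restricting
 * SID that the AuthzAddSidsToContext example installs. */
static const ace  sample_aces[] = { { ACE_ALLOW, SID_BUILTIN_ADMINS, READ_CONTROL } };
const dacl sample_dacl = { sample_aces, 1 };
static const char *const admin_sids[]    = { "S-1-5-21-1000-2000-3000-1001", SID_EVERYONE, SID_BUILTIN_ADMINS };
static const char *const restrict_sids[] = { SID_LOCAL };
const sid_list admin_ctx      = { admin_sids, 3 };
const sid_list restricted_ctx = { restrict_sids, 1 };

/* Deny-before-allow: "D:(D;;RC;;;WD)(A;;RC;;;BA)" denies RC to everyone, administrators included. */
static const ace deny_first_aces[] = { { ACE_DENY,  SID_EVERYONE,       READ_CONTROL },
                                       { ACE_ALLOW, SID_BUILTIN_ADMINS, READ_CONTROL } };
const dacl deny_first_dacl = { deny_first_aces, 2 };
```

With the restricting SID in place, the same client that passes the page's CheckAccess example is denied, because the second walk with only S-1-2-0 matches no ACE.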

Callback Function
If the discretionary access control list (DACL) of the SECURITY_DESCRIPTOR of the object to be checked
contains any callback access control entries (ACEs), AuthzAccessCheck calls the AuthzAccessCheckCallback
function for each callback ACE contained in the DACL. A callback ACE is any ACE structure whose ACE type
contains the word "callback." The AuthzAccessCheckCallback function is an application-defined function that
must be registered when the resource manager is initialized by calling the AuthzInitializeResourceManager
function.
A callback function allows an application to define business logic to be evaluated at runtime. When the
AuthzAccessCheckCallback function is called, the callback ACE that caused the call is passed to the callback
function for evaluation. If the application-defined logic evaluates as TRUE , then the callback ACE is included in
the access check. Otherwise, it is ignored.

Caching Access Results


The results of an access check can be cached and used in future calls to the AuthzCachedAccessCheck
function. For more information about caching access checks, including an example, see Caching Access Checks.

Example
The following example creates a SECURITY_DESCRIPTOR that allows READ_CONTROL access to built-in
administrators. It uses that security descriptor to check access for the client specified by the client context
created in the example in Initializing a Client Context.

#include <windows.h>
#include <authz.h>
#include <sddl.h>
#include <stdio.h>

#define MY_MAX 4096

BOOL CheckAccess(AUTHZ_CLIENT_CONTEXT_HANDLE hClientContext)
{
    PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    AUTHZ_ACCESS_REQUEST Request;
    CHAR ReplyBuffer[MY_MAX];
    PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY)ReplyBuffer;

    // Set up the access request structure: request READ_CONTROL only.
    RtlZeroMemory(&Request, sizeof(AUTHZ_ACCESS_REQUEST));
    Request.DesiredAccess = READ_CONTROL;

    // Set up the access reply structure. The Error and GrantedAccessMask arrays
    // (one entry per result) are laid out in the buffer after the reply header.
    RtlZeroMemory(ReplyBuffer, MY_MAX);
    pReply->ResultListLength = 1;
    pReply->Error = (PDWORD)((PCHAR)pReply + sizeof(AUTHZ_ACCESS_REPLY));
    pReply->GrantedAccessMask = (PACCESS_MASK)(pReply->Error + pReply->ResultListLength);
    pReply->SaclEvaluationResults = NULL;

    // Create the security descriptor from SDDL: owner LA, group BA, and a DACL with one ACE
    // that allows READ_CONTROL (RC) to Built-in Administrators (BA).
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(
            L"O:LAG:BAD:(A;;RC;;;BA)",
            SDDL_REVISION_1,
            &pSecurityDescriptor,
            NULL))
    {
        printf_s("ConvertStringSecurityDescriptorToSecurityDescriptor failed with %lu\n", GetLastError());
        return FALSE;
    }

    // Call AuthzAccessCheck. No audit event and no results handle are supplied, so this is a one-off check.
    if (!AuthzAccessCheck(
            0,
            hClientContext,
            &Request,
            NULL,
            pSecurityDescriptor,
            NULL,
            0,
            pReply,
            NULL))
    {
        printf_s("AuthzAccessCheck failed with %lu\n", GetLastError());
        LocalFree(pSecurityDescriptor);
        return FALSE;
    }

    // Print results. Error[0] is ERROR_SUCCESS when the request was granted, and the
    // granted mask then holds the rights that were allowed.
    if (pReply->Error[0] == ERROR_SUCCESS && (pReply->GrantedAccessMask[0] & READ_CONTROL))
    {
        printf_s("Access granted.\n");
    }
    else
    {
        printf_s("Access denied (error %lu).\n", pReply->Error[0]);
    }

    LocalFree(pSecurityDescriptor);
    return TRUE;
}

Related topics
Adding SIDs to a Client Context
Caching Access Checks
Initializing a Client Context
Querying a Client Context
Caching Access Checks
3/5/2021

When an application performs an access check by calling the AuthzAccessCheck function, the results of that
access check can be cached. When the pAuthzHandle parameter of the AuthzAccessCheck function is not
NULL , the function performs a separate access check, with a requested ACCESS_MASK of
MAXIMUM_ALLOWED , and caches the results of that check. A handle to the results of that check can then be
passed as the AuthzHandle parameter to the AuthzCachedAccessCheck function. This allows faster access
checking for a given client and security descriptors.
Only the static portion of an access check can be cached. Any callback access control entries (ACEs) or ACEs that
contain the PRINCIPAL_SELF SID must be evaluated for each access check.
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.

Example
The following example checks access against a cached result from a previous access check. The previous access
check was performed in the example in Checking Access with Authz API.

#include <windows.h>
#include <authz.h>
#include <sddl.h>
#include <stdio.h>

#define MY_MAX 4096

BOOL CheckCachedAccess(AUTHZ_CLIENT_CONTEXT_HANDLE hClientContext)
{
    PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    AUTHZ_ACCESS_REQUEST Request;
    CHAR ReplyBuffer[MY_MAX];
    CHAR CachedReplyBuffer[MY_MAX];
    PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY)ReplyBuffer;
    PAUTHZ_ACCESS_REPLY pCachedReply = (PAUTHZ_ACCESS_REPLY)CachedReplyBuffer;
    AUTHZ_ACCESS_CHECK_RESULTS_HANDLE hCached = NULL;

    // Set up the access request structure.
    RtlZeroMemory(&Request, sizeof(AUTHZ_ACCESS_REQUEST));
    Request.DesiredAccess = READ_CONTROL;

    // Set up the initial access reply structure.
    RtlZeroMemory(ReplyBuffer, MY_MAX);
    pReply->ResultListLength = 1;
    pReply->Error = (PDWORD)((PCHAR)pReply + sizeof(AUTHZ_ACCESS_REPLY));
    pReply->GrantedAccessMask = (PACCESS_MASK)(pReply->Error + pReply->ResultListLength);
    pReply->SaclEvaluationResults = NULL;

    // Set up the cached access reply structure in its own buffer, laid out the same way.
    RtlZeroMemory(CachedReplyBuffer, MY_MAX);
    pCachedReply->ResultListLength = 1;
    pCachedReply->Error = (PDWORD)((PCHAR)pCachedReply + sizeof(AUTHZ_ACCESS_REPLY));
    pCachedReply->GrantedAccessMask = (PACCESS_MASK)(pCachedReply->Error + pCachedReply->ResultListLength);
    pCachedReply->SaclEvaluationResults = NULL;

    // Create the security descriptor: one ACE allowing READ_CONTROL to Built-in Administrators.
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(
            L"O:LAG:BAD:(A;;RC;;;BA)",
            SDDL_REVISION_1,
            &pSecurityDescriptor,
            NULL))
    {
        printf_s("ConvertStringSecurityDescriptorToSecurityDescriptor failed with %lu\n", GetLastError());
        return FALSE;
    }

    // Call AuthzAccessCheck and cache the results. Because a results handle is requested, the
    // function also performs a MAXIMUM_ALLOWED check and stores that result behind hCached.
    if (!AuthzAccessCheck(
            0,
            hClientContext,
            &Request,
            NULL,
            pSecurityDescriptor,
            NULL,
            0,
            pReply,
            &hCached))
    {
        printf_s("AuthzAccessCheck failed with %lu\n", GetLastError());
        LocalFree(pSecurityDescriptor);
        return FALSE;
    }

    // Call AuthzCachedAccessCheck with the cached result from the previous call. Only the static
    // part of the check is cached; callback ACEs and PRINCIPAL_SELF ACEs are evaluated again.
    if (!AuthzCachedAccessCheck(
            0,
            hCached,
            &Request,
            NULL,
            pCachedReply))
    {
        printf_s("AuthzCachedAccessCheck failed with %lu\n", GetLastError());
        LocalFree(pSecurityDescriptor);
        AuthzFreeHandle(hCached);
        return FALSE;
    }

    // Print results.
    if (pCachedReply->Error[0] == ERROR_SUCCESS && (pCachedReply->GrantedAccessMask[0] & READ_CONTROL))
    {
        printf_s("Access granted.\n");
    }
    else
    {
        printf_s("Access denied (error %lu).\n", pCachedReply->Error[0]);
    }

    LocalFree(pSecurityDescriptor);
    AuthzFreeHandle(hCached);
    return TRUE;
}

Related topics
Adding SIDs to a Client Context
Checking Access with Authz API
Initializing a Client Context
Querying a Client Context
Authorization Reference
3/5/2021

Authorization reference pages contain detailed descriptions of the Microsoft authorization functions, interfaces,
objects, structures, and other programming elements. These pages include reference descriptions of the API for
working with access controls including the access control editors.
Reference pages are divided into the following groups.

Section / Description

Microsoft.Interop.Security.AzRoles Assembly: Links to documentation for the AzRoles assembly interfaces.

Authorization Constants: Constants used by authorization programming elements.

Authorization Data Types: Data types used by authorization programming elements.

Authorization Enumerations: Enumerations used by authorization programming elements.

Authorization Functions: Functions used with authorization.

Authorization Interfaces: Interfaces used with authorization.

Authorization Objects: Objects used with authorization.

Authorization Structures: Structures used with authorization functions, interfaces, and objects.
Authorization Constants (Authorization)
3/5/2021

Authorization constants are categorized according to usage as follows.

In this section
Topic / Description

Account Rights Constants: Account rights determine the type of logon that a user account can perform. An
administrator assigns account rights to user and group accounts. Each user's account rights include those
granted to the user and to the groups to which the user belongs.

App Container SID Constants: Dictate the application package authority.

Auditing Constants: Represent categories and subcategories of audit-policy events.

Capability SID Constants: Define well-known capabilities for applications, built by using the
AllocateAndInitializeSid function.

Privilege Constants: Privileges determine the type of system operations that a user account can perform. An
administrator assigns privileges to user and group accounts. Each user's privileges include those granted to
the user and to the groups to which the user belongs.
Account Rights Constants
3/5/2021

Account rights determine the type of logon that a user account can perform. An administrator assigns account
rights to user and group accounts. Each user's account rights include those granted to the user and to the
groups to which the user belongs.
A system administrator can use the Local Security Authority (LSA) functions to work with account rights. The
LsaAddAccountRights and LsaRemoveAccountRights functions add or remove account rights from an
account. The LsaEnumerateAccountRights function enumerates the account rights held by a specified
account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified
account right.
The following account right constants are used to control the logon ability of an account. The LogonUser or
LsaLogonUser functions fail if the account being logged on does not have the account rights required for the
type of logon being performed.

Constant / Value: Description

SE_BATCH_LOGON_NAME, TEXT("SeBatchLogonRight"): Required for an account to log on using the batch
logon type.

SE_DENY_BATCH_LOGON_NAME, TEXT("SeDenyBatchLogonRight"): Explicitly denies an account the right to log
on using the batch logon type.

SE_DENY_INTERACTIVE_LOGON_NAME, TEXT("SeDenyInteractiveLogonRight"): Explicitly denies an account the
right to log on using the interactive logon type.

SE_DENY_NETWORK_LOGON_NAME, TEXT("SeDenyNetworkLogonRight"): Explicitly denies an account the right to
log on using the network logon type.

SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME, TEXT("SeDenyRemoteInteractiveLogonRight"): Explicitly denies an
account the right to log on remotely using the interactive logon type.

SE_DENY_SERVICE_LOGON_NAME, TEXT("SeDenyServiceLogonRight"): Explicitly denies an account the right to
log on using the service logon type.

SE_INTERACTIVE_LOGON_NAME, TEXT("SeInteractiveLogonRight"): Required for an account to log on using the
interactive logon type.

SE_NETWORK_LOGON_NAME, TEXT("SeNetworkLogonRight"): Required for an account to log on using the
network logon type.

SE_REMOTE_INTERACTIVE_LOGON_NAME, TEXT("SeRemoteInteractiveLogonRight"): Required for an account to
log on remotely using the interactive logon type.

SE_SERVICE_LOGON_NAME, TEXT("SeServiceLogonRight"): Required for an account to log on using the service
logon type.

Remarks
The SE_DENY rights override the corresponding account rights. An administrator can assign an SE_DENY right
to an account to override any logon rights that an account might have as a result of a group membership. For
example, you could assign the SE_NETWORK_LOGON_NAME right to Everyone but assign the
SE_DENY_NETWORK_LOGON_NAME right to Administrators to prevent remote administration of computers.
All of the LSA functions mentioned in the introduction above support both account rights and privileges. Unlike
privileges, however, account rights are not supported by the LookupPrivilegeValue and
LookupPrivilegeName functions. The GetTokenInformation function will obtain information on account
rights if TokenGroups, and not TokenPrivileges, is specified as the value of the TokenInformationClass parameter.
The preceding account right constants are defined as strings in Ntsecapi.h. For example, the
SE_INTERACTIVE_LOGON_NAME constant is defined as "SeInteractiveLogonRight".

Requirements
Requirement / Value

Minimum supported client: Windows XP [desktop apps only]

Minimum supported server: Windows Server 2003 [desktop apps only]

Header
Ntsecapi.h
App Container SID Constants
3/5/2021

The app container specific SID constants dictate the application package authority. While a developer can use
these constants directly, most developers do not need to define these app container SIDs.
SECURITY_APP_PACKAGE_AUTHORITY ({0,0,0,0,0,15})
SECURITY_APP_PACKAGE_BASE_RID (0x00000002L)
SECURITY_BUILTIN_APP_PACKAGE_RID_COUNT (2L)
SECURITY_APP_PACKAGE_RID_COUNT (8L)
SECURITY_CAPABILITY_BASE_RID (0x00000003L)
SECURITY_BUILTIN_CAPABILITY_RID_COUNT (2L)
SECURITY_CAPABILITY_RID_COUNT (5L)
SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE (0x00000001L)

Requirements
Requirement / Value

Minimum supported client: Windows 8 [desktop apps only]

Minimum supported server: Windows Server 2012 [desktop apps only]

Header
Winnt.h
Auditing Constants
3/5/2021

The following constants represent categories and subcategories of audit-policy events.

The following constants represent categories of audit-policy events. These constants are defined as GUID
structures in Ntsecapi.h.
Audit_System
69979848-797a-11d9-bed3-505054503030
Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the
security log.
Audit_Logon
69979849-797a-11d9-bed3-505054503030
Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
Audit_ObjectAccess
6997984a-797a-11d9-bed3-505054503030
Audit attempts to access securable objects.
Audit_PrivilegeUse
6997984b-797a-11d9-bed3-505054503030
Audit attempts to use privileges.
Audit_DetailedTracking
6997984c-797a-11d9-bed3-505054503030
Audit-specific events, such as program activation, some forms of handle duplication, indirect access to an object,
and process exit.
Audit_PolicyChange
6997984d-797a-11d9-bed3-505054503030
Audit attempts to change Policy object rules.
Audit_AccountManagement
6997984e-797a-11d9-bed3-505054503030
Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
Audit_DirectoryServiceAccess
6997984f-797a-11d9-bed3-505054503030
Audit attempts to access the directory service.
Audit_AccountLogon
69979850-797a-11d9-bed3-505054503030
Audit logon attempts by privileged accounts that log on to the domain controller. These audit events are
generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller.
The following constants represent subcategories of audit-policy events. These constants are defined as GUID
structures in Ntsecapi.h.
Audit_System_SecurityStateChange (0cce9210-69ae-11d9-bed3-505054503030)
Audit_System_SecuritySubsystemExtension (0cce9211-69ae-11d9-bed3-505054503030)
Audit_System_Integrity (0cce9212-69ae-11d9-bed3-505054503030)
Audit_System_IPSecDriverEvents (0cce9213-69ae-11d9-bed3-505054503030)
Audit_System_Others (0cce9214-69ae-11d9-bed3-505054503030)
Audit_Logon_Logon (0cce9215-69ae-11d9-bed3-505054503030)
Audit_Logon_Logoff (0cce9216-69ae-11d9-bed3-505054503030)
Audit_Logon_AccountLockout (0cce9217-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecMainMode (0cce9218-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecQuickMode (0cce9219-69ae-11d9-bed3-505054503030)
Audit_Logon_IPSecUserMode (0cce921a-69ae-11d9-bed3-505054503030)
Audit_Logon_SpecialLogon (0cce921b-69ae-11d9-bed3-505054503030)
Audit_Logon_Others (0cce921c-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FileSystem (0cce921d-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Registry (0cce921e-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Kernel (0cce921f-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Sam (0cce9220-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_CertificationServices (0cce9221-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_ApplicationGenerated (0cce9222-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Handle (0cce9223-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Share (0cce9224-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FirewallPacketDrops (0cce9225-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_FirewallConnection (0cce9226-69ae-11d9-bed3-505054503030)
Audit_ObjectAccess_Other (0cce9227-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_Sensitive (0cce9228-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_NonSensitive (0cce9229-69ae-11d9-bed3-505054503030)
Audit_PrivilegeUse_Others (0cce922a-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_ProcessCreation (0cce922b-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_ProcessTermination (0cce922c-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_DpapiActivity (0cce922d-69ae-11d9-bed3-505054503030)
Audit_DetailedTracking_RpcCall (0cce922e-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuditPolicy (0cce922f-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuthenticationPolicy (0cce9230-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_AuthorizationPolicy (0cce9231-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_MpsscvRulePolicy (0cce9232-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_WfpIPSecPolicy (0cce9233-69ae-11d9-bed3-505054503030)
Audit_PolicyChange_Others (0cce9234-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_UserAccount (0cce9235-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_ComputerAccount (0cce9236-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_SecurityGroup (0cce9237-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_DistributionGroup (0cce9238-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_ApplicationGroup (0cce9239-69ae-11d9-bed3-505054503030)
Audit_AccountManagement_Others (0cce923a-69ae-11d9-bed3-505054503030)
Audit_DSAccess_DSAccess (0cce923b-69ae-11d9-bed3-505054503030)
Audit_DsAccess_AdAuditChanges (0cce923c-69ae-11d9-bed3-505054503030)
Audit_Ds_Replication (0cce923d-69ae-11d9-bed3-505054503030)
Audit_Ds_DetailedReplication (0cce923e-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_CredentialValidation (0cce923f-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_Kerberos (0cce9240-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_Others (0cce9241-69ae-11d9-bed3-505054503030)
Audit_AccountLogon_KerbCredentialValidation (0cce9242-69ae-11d9-bed3-505054503030)
Audit_Logon_NPS (0cce9243-69ae-11d9-bed3-505054503030)

Requirements
Requirement / Value

Minimum supported client: Windows Vista [desktop apps only]

Minimum supported server: Windows Server 2008 [desktop apps only]

Header
Ntsecapi.h
Capability SID Constants
3/5/2021

The capability SID constants identify well-known capabilities for applications; the corresponding capability
SIDs are built by using the AllocateAndInitializeSid function.
SECURITY_CAPABILITY_INTERNET_CLIENT
(0x00000001L)
An account has access to the Internet from a client computer.
SECURITY_CAPABILITY_INTERNET_CLIENT_SERVER
(0x00000002L)
An account has access to the Internet from the client and server computers.
SECURITY_CAPABILITY_PRIVATE_NETWORK_CLIENT_SERVER
(0x00000003L)
An account has access to the Internet from a private network.
SECURITY_CAPABILITY_PICTURES_LIBRARY
(0x00000004L)
An account has access to the pictures library.
SECURITY_CAPABILITY_VIDEOS_LIBRARY
(0x00000005L)
An account has access to the videos library.
SECURITY_CAPABILITY_MUSIC_LIBRARY
(0x00000006L)
An account has access to the music library.
SECURITY_CAPABILITY_DOCUMENTS_LIBRARY
(0x00000007L)
An account has access to the documentation library.
SECURITY_CAPABILITY_ENTERPRISE_AUTHENTICATION
(0x00000008L)
An account has access to the default Windows credentials.
SECURITY_CAPABILITY_SHARED_USER_CERTIFICATES
(0x00000009L)
An account has access to the shared user certificates.
SECURITY_CAPABILITY_REMOVABLE_STORAGE
(0x0000000AL)
An account has access to removable storage.

Remarks
When constructing a capability SID, you need to include the package authority,
SECURITY_APP_PACKAGE_AUTHORITY {0,0,0,0,0,15}, in the call to the AllocateAndInitializeSid function.
Additionally, you need the base RID and RID count for the built-in capabilities, SECURITY_CAPABILITY_BASE_RID
(0x00000003L) and SECURITY_BUILTIN_CAPABILITY_RID_COUNT (2L).
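The remarks above describe the three ingredients of a built-in capability SID (the app package authority, the capability base RID, and the capability RID) without showing the resulting SID. The following added example, which is not part of Microsoft's documentation, lays out the SID in the same binary layout Windows uses and renders it in the familiar S-1-15-3-N string form, so that a reviewer reading an AppContainer token dump can recognise a capability SID. The constants are re-declared locally with the values this page gives, so the code compiles without Windows headers; the SID structure layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities) is the documented Windows layout, and the string form matches what ConvertSidToStringSid produces.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from this page, re-declared so the example builds without Winnt.h. */
#define SECURITY_CAPABILITY_INTERNET_CLIENT   0x00000001UL
#define SECURITY_CAPABILITY_REMOVABLE_STORAGE 0x0000000AUL
#define SECURITY_CAPABILITY_BASE_RID          0x00000003UL
#define SECURITY_BUILTIN_CAPABILITY_RID_COUNT 2
#define SID_MAX_SUB_AUTHORITIES               15

/* Same layout as the Windows SID structure. */
typedef struct {
    uint8_t  Revision;               /* SID_REVISION, always 1 */
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6]; /* 48-bit value, big-endian */
    uint32_t SubAuthority[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* SECURITY_APP_PACKAGE_AUTHORITY {0,0,0,0,0,15}, i.e. authority 15 in string form. */
static const uint8_t SECURITY_APP_PACKAGE_AUTHORITY[6] = {0, 0, 0, 0, 0, 15};

/* Portable stand-in for AllocateAndInitializeSid(&SECURITY_APP_PACKAGE_AUTHORITY,
   SECURITY_BUILTIN_CAPABILITY_RID_COUNT, SECURITY_CAPABILITY_BASE_RID, capability_rid, ...).
   Returns 1 on success, 0 for an invalid (zero) capability RID. */
int build_capability_sid(sid_t *sid, uint32_t capability_rid)
{
    if (capability_rid == 0) return 0;
    memset(sid, 0, sizeof *sid);
    sid->Revision = 1;
    sid->SubAuthorityCount = SECURITY_BUILTIN_CAPABILITY_RID_COUNT;
    memcpy(sid->IdentifierAuthority, SECURITY_APP_PACKAGE_AUTHORITY, 6);
    sid->SubAuthority[0] = SECURITY_CAPABILITY_BASE_RID;
    sid->SubAuthority[1] = capability_rid;
    return 1;
}

/* Render as S-<revision>-<authority>-<sub1>-<sub2>..., the SID string format. */
int sid_to_string(const sid_t *sid, char *out, size_t outlen)
{
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | sid->IdentifierAuthority[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid->Revision,
                     (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen) return 0;
    for (int i = 0; i < sid->SubAuthorityCount; i++) {
        int m = snprintf(out + n, outlen - n, "-%u", (unsigned)sid->SubAuthority[i]);
        if (m < 0 || (size_t)m >= outlen - n) return 0;
        n += m;
    }
    return 1;
}

/* Reverse check for token reviews: is this SID a built-in capability SID, and which one? */
int is_builtin_capability_sid(const sid_t *sid, uint32_t *capability_rid)
{
    if (sid->Revision != 1 || sid->SubAuthorityCount != SECURITY_BUILTIN_CAPABILITY_RID_COUNT)
        return 0;
    if (memcmp(sid->IdentifierAuthority, SECURITY_APP_PACKAGE_AUTHORITY, 6) != 0)
        return 0;
    if (sid->SubAuthority[0] != SECURITY_CAPABILITY_BASE_RID)
        return 0;
    if (capability_rid) *capability_rid = sid->SubAuthority[1];
    return 1;
}

int main(void)
{
    sid_t sid;
    char buf[64];
    build_capability_sid(&sid, SECURITY_CAPABILITY_INTERNET_CLIENT);
    sid_to_string(&sid, buf, sizeof buf);
    printf("internetClient capability SID: %s\n", buf); /* S-1-15-3-1 */
    return 0;
}
```

The string form makes the page's remark concrete: authority 15 is the app package authority, the first sub-authority 3 is the capability base RID, and the last sub-authority is the capability constant itself.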

Requirements

Minimum supported client: Windows 8 [desktop apps only]
Minimum supported server: Windows Server 2012 [desktop apps only]
Header: Winnt.h
Privilege Constants (Authorization)
4/30/2021

Privileges determine the type of system operations that a user account can perform. An administrator assigns
privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups
to which the user belongs.
The functions that get and adjust the privileges in an access token use the locally unique identifier (LUID) type to
identify privileges. Use the LookupPrivilegeValue function to determine the LUID on the local system that
corresponds to a privilege constant. Use the LookupPrivilegeName function to convert a LUID to its
corresponding string constant.
The operating system represents a privilege by using the string that follows "User Right" in the Description
column of the following table. The operating system displays the user right strings in the Policy column of the
User Rights Assignment node of the Local Security Settings Microsoft Management Console (MMC) snap-in.

Example

#include <windows.h>

BOOL EnablePrivilege()
{
    LUID PrivilegeRequired;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL bRes = FALSE;

    // Map the privilege name to the LUID the local system uses for it.
    bRes = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &PrivilegeRequired);
    if (!bRes || !OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;
    // Enable that privilege in the calling process's primary token.
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = PrivilegeRequired;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // AdjustTokenPrivileges returns TRUE even when the privilege is not held, so check GetLastError.
    bRes = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) && GetLastError() == ERROR_SUCCESS;
    CloseHandle(hToken);
    return bRes;
}

Example from Windows Classic Samples on GitHub.

Constants

SE_ASSIGNPRIMARYTOKEN_NAME
TEXT("SeAssignPrimaryTokenPrivilege")
    Required to assign the primary token of a process.
    User Right: Replace a process-level token.

SE_AUDIT_NAME
TEXT("SeAuditPrivilege")
    Required to generate audit-log entries. Give this privilege to secure servers.
    User Right: Generate security audits.

SE_BACKUP_NAME
TEXT("SeBackupPrivilege")
    Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by the RegSaveKey and RegSaveKeyEx functions. The following access rights are granted if this privilege is held:
        READ_CONTROL
        ACCESS_SYSTEM_SECURITY
        FILE_GENERIC_READ
        FILE_TRAVERSE
    User Right: Back up files and directories.
    If the file is located on a removable drive and "Audit Removable Storage" is enabled, SE_SECURITY_NAME is required to have ACCESS_SYSTEM_SECURITY.

SE_CHANGE_NOTIFY_NAME
TEXT("SeChangeNotifyPrivilege")
    Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users.
    User Right: Bypass traverse checking.

SE_CREATE_GLOBAL_NAME
TEXT("SeCreateGlobalPrivilege")
    Required to create named file mapping objects in the global namespace during Terminal Services sessions. This privilege is enabled by default for administrators, services, and the local system account.
    User Right: Create global objects.

SE_CREATE_PAGEFILE_NAME
TEXT("SeCreatePagefilePrivilege")
    Required to create a paging file.
    User Right: Create a pagefile.

SE_CREATE_PERMANENT_NAME
TEXT("SeCreatePermanentPrivilege")
    Required to create a permanent object.
    User Right: Create permanent shared objects.

SE_CREATE_SYMBOLIC_LINK_NAME
TEXT("SeCreateSymbolicLinkPrivilege")
    Required to create a symbolic link.
    User Right: Create symbolic links.

SE_CREATE_TOKEN_NAME
TEXT("SeCreateTokenPrivilege")
    Required to create a primary token.
    User Right: Create a token object.
    You cannot add this privilege to a user account with the "Create a token object" policy. Additionally, you cannot add this privilege to an owned process using Windows APIs.
    Windows Server 2003 and Windows XP with SP1 and earlier: Windows APIs can add this privilege to an owned process.

SE_DEBUG_NAME
TEXT("SeDebugPrivilege")
    Required to debug and adjust the memory of a process owned by another account.
    User Right: Debug programs.

SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME
TEXT("SeDelegateSessionUserImpersonatePrivilege")
    Required to obtain an impersonation token for another user in the same session.
    User Right: Impersonate other users.

SE_ENABLE_DELEGATION_NAME
TEXT("SeEnableDelegationPrivilege")
    Required to mark user and computer accounts as trusted for delegation.
    User Right: Enable computer and user accounts to be trusted for delegation.

SE_IMPERSONATE_NAME
TEXT("SeImpersonatePrivilege")
    Required to impersonate.
    User Right: Impersonate a client after authentication.

SE_INC_BASE_PRIORITY_NAME
TEXT("SeIncreaseBasePriorityPrivilege")
    Required to increase the base priority of a process.
    User Right: Increase scheduling priority.

SE_INCREASE_QUOTA_NAME
TEXT("SeIncreaseQuotaPrivilege")
    Required to increase the quota assigned to a process.
    User Right: Adjust memory quotas for a process.

SE_INC_WORKING_SET_NAME
TEXT("SeIncreaseWorkingSetPrivilege")
    Required to allocate more memory for applications that run in the context of users.
    User Right: Increase a process working set.

SE_LOAD_DRIVER_NAME
TEXT("SeLoadDriverPrivilege")
    Required to load or unload a device driver.
    User Right: Load and unload device drivers.

SE_LOCK_MEMORY_NAME
TEXT("SeLockMemoryPrivilege")
    Required to lock physical pages in memory.
    User Right: Lock pages in memory.

SE_MACHINE_ACCOUNT_NAME
TEXT("SeMachineAccountPrivilege")
    Required to create a computer account.
    User Right: Add workstations to domain.

SE_MANAGE_VOLUME_NAME
TEXT("SeManageVolumePrivilege")
    Required to enable volume management privileges.
    User Right: Manage the files on a volume.

SE_PROF_SINGLE_PROCESS_NAME
TEXT("SeProfileSingleProcessPrivilege")
    Required to gather profiling information for a single process.
    User Right: Profile single process.

SE_RELABEL_NAME
TEXT("SeRelabelPrivilege")
    Required to modify the mandatory integrity level of an object.
    User Right: Modify an object label.

SE_REMOTE_SHUTDOWN_NAME
TEXT("SeRemoteShutdownPrivilege")
    Required to shut down a system using a network request.
    User Right: Force shutdown from a remote system.

SE_RESTORE_NAME
TEXT("SeRestorePrivilege")
    Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. This privilege is required by the RegLoadKey function. The following access rights are granted if this privilege is held:
        WRITE_DAC
        WRITE_OWNER
        ACCESS_SYSTEM_SECURITY
        FILE_GENERIC_WRITE
        FILE_ADD_FILE
        FILE_ADD_SUBDIRECTORY
        DELETE
    User Right: Restore files and directories.
    If the file is located on a removable drive and "Audit Removable Storage" is enabled, SE_SECURITY_NAME is required to have ACCESS_SYSTEM_SECURITY.

SE_SECURITY_NAME
TEXT("SeSecurityPrivilege")
    Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator.
    User Right: Manage auditing and security log.

SE_SHUTDOWN_NAME
TEXT("SeShutdownPrivilege")
    Required to shut down a local system.
    User Right: Shut down the system.

SE_SYNC_AGENT_NAME
TEXT("SeSyncAgentPrivilege")
    Required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
    User Right: Synchronize directory service data.

SE_SYSTEM_ENVIRONMENT_NAME
TEXT("SeSystemEnvironmentPrivilege")
    Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
    User Right: Modify firmware environment values.

SE_SYSTEM_PROFILE_NAME
TEXT("SeSystemProfilePrivilege")
    Required to gather profiling information for the entire system.
    User Right: Profile system performance.

SE_SYSTEMTIME_NAME
TEXT("SeSystemtimePrivilege")
    Required to modify the system time.
    User Right: Change the system time.

SE_TAKE_OWNERSHIP_NAME
TEXT("SeTakeOwnershipPrivilege")
    Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
    User Right: Take ownership of files or other objects.

SE_TCB_NAME
TEXT("SeTcbPrivilege")
    This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege.
    User Right: Act as part of the operating system.

SE_TIME_ZONE_NAME
TEXT("SeTimeZonePrivilege")
    Required to adjust the time zone associated with the computer's internal clock.
    User Right: Change the time zone.

SE_TRUSTED_CREDMAN_ACCESS_NAME
TEXT("SeTrustedCredManAccessPrivilege")
    Required to access Credential Manager as a trusted caller.
    User Right: Access Credential Manager as a trusted caller.

SE_UNDOCK_NAME
TEXT("SeUndockPrivilege")
    Required to undock a laptop.
    User Right: Remove computer from docking station.

SE_UNSOLICITED_INPUT_NAME
TEXT("SeUnsolicitedInputPrivilege")
    Required to read unsolicited input from a terminal device.
    User Right: Not applicable.
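Several entries in the table above describe privileges that override object protection outright (SeBackupPrivilege grants read regardless of the ACL, SeRestorePrivilege grants write and lets the holder set any owner, SeTakeOwnershipPrivilege bypasses discretionary access, SeTcbPrivilege marks the holder as part of the trusted computer base). When reviewing which accounts hold such privileges, the caveat that matters is that a privilege that is present but disabled is still held: the process can enable it with AdjustTokenPrivileges, so only absence from the token removes it. The following added example, which is not Microsoft's code, applies that review to a constructed privilege set of the kind LookupPrivilegeName would render from a token. The attribute bits SE_PRIVILEGE_ENABLED and SE_PRIVILEGE_ENABLED_BY_DEFAULT are re-declared from Winnt.h (they are not listed on this page), and the sample token is constructed, not captured from a real system.

```c
#include <stdio.h>
#include <string.h>

/* LUID_AND_ATTRIBUTES attribute bits from Winnt.h (re-declared; not listed on this page). */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001UL
#define SE_PRIVILEGE_ENABLED            0x00000002UL

/* One entry of a token's privilege set, with the LUID already resolved to its name. */
typedef struct { const char *name; unsigned long attributes; } priv_entry;

/* Privileges the table above describes as overriding object protection or the
   trust boundary itself, rather than permitting one narrow system operation. */
static const char *const high_impact[] = {
    "SeBackupPrivilege",             /* read any file regardless of its ACL */
    "SeRestorePrivilege",            /* write any file regardless of its ACL; set any owner */
    "SeTakeOwnershipPrivilege",      /* take ownership without discretionary access */
    "SeRelabelPrivilege",            /* modify an object's mandatory integrity label */
    "SeDebugPrivilege",              /* adjust the memory of another account's process */
    "SeTcbPrivilege",                /* act as part of the operating system */
    "SeLoadDriverPrivilege",         /* load and unload device drivers */
    "SeCreateTokenPrivilege",        /* create a primary token */
    "SeAssignPrimaryTokenPrivilege", /* replace a process-level token */
    "SeImpersonatePrivilege",        /* impersonate a client after authentication */
    NULL
};

int is_high_impact(const char *name)
{
    for (int i = 0; high_impact[i] != NULL; i++)
        if (strcmp(high_impact[i], name) == 0) return 1;
    return 0;
}

typedef struct { int enabled; int held_disabled; } audit_result;

/* Counts high-impact privileges by state. A disabled privilege is still held: the
   process can turn it on with AdjustTokenPrivileges (needs TOKEN_ADJUST_PRIVILEGES
   access to its own token), so both counts matter to a reviewer. */
audit_result audit_privileges(const priv_entry *privs, size_t n, FILE *report)
{
    audit_result r = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (!is_high_impact(privs[i].name)) continue;
        int on = (privs[i].attributes & SE_PRIVILEGE_ENABLED) != 0;
        if (on) r.enabled++; else r.held_disabled++;
        if (report)
            fprintf(report, "%-32s %s\n", privs[i].name, on ? "ENABLED" : "held (disabled)");
    }
    return r;
}

/* Constructed sample: the privilege set of a hypothetical service account token. */
static const priv_entry sample_token[] = {
    { "SeChangeNotifyPrivilege",  SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED },
    { "SeIncreaseQuotaPrivilege", 0 },
    { "SeBackupPrivilege",        SE_PRIVILEGE_ENABLED },
    { "SeRestorePrivilege",       0 },
    { "SeDebugPrivilege",         SE_PRIVILEGE_ENABLED },
    { "SeShutdownPrivilege",      0 },
};
#define SAMPLE_TOKEN_COUNT (sizeof sample_token / sizeof sample_token[0])

int main(void)
{
    audit_result r = audit_privileges(sample_token, SAMPLE_TOKEN_COUNT, stdout);
    printf("high-impact privileges: %d enabled, %d held but disabled\n", r.enabled, r.held_disabled);
    return 0;
}
```

SeChangeNotifyPrivilege is deliberately left out of the high-impact list: the table says it is enabled by default for all users, so its presence carries no signal in a review.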

Remarks
Privilege constants are defined as strings in Winnt.h. For example, the SE_AUDIT_NAME constant is defined as
"SeAuditPrivilege".

Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: Winnt.h

See also
Privileges
Authorization Data Types
3/5/2021

The following data types are used with authorization applications.

In this section

ACCESS_MASK
    Defines standard, specific, and generic rights. These rights are used in access control entries (ACEs) and are the primary means of specifying the requested or granted access to an object.

SECURITY_DESCRIPTOR_CONTROL
    Set of bit flags that qualify the meaning of a security descriptor or its components.

SECURITY_INFORMATION
    Identifies the object-related security information being set or queried.
ACCESS_MASK
3/5/2021

The ACCESS_MASK data type is a DWORD value that defines standard, specific, and generic rights. These rights are used in access control entries (ACEs) and are the primary means of specifying the requested or granted access to an object.

typedef DWORD ACCESS_MASK;
typedef ACCESS_MASK* PACCESS_MASK;

Remarks
The bits in this value are allocated as follows.

Bits 0-15
    Specific rights. Contains the access mask specific to the object type associated with the mask.

Bits 16-23
    Standard rights. Contains the object's standard access rights.

Bit 24
    Access system security (ACCESS_SYSTEM_SECURITY). It is used to indicate access to a system access control list (SACL). This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.

Bit 25
    Maximum allowed (MAXIMUM_ALLOWED).

Bits 26-27
    Reserved.

Bit 28
    Generic all (GENERIC_ALL).

Bit 29
    Generic execute (GENERIC_EXECUTE).

Bit 30
    Generic write (GENERIC_WRITE).

Bit 31
    Generic read (GENERIC_READ).

Standard rights bits, 16 to 23, contain the object's standard access rights and can be a combination of the following predefined flags.

Bit 16  DELETE        Delete access.
Bit 17  READ_CONTROL  Read access to the owner, group, and discretionary access control list (DACL) of the security descriptor.
Bit 18  WRITE_DAC     Write access to the DACL.
Bit 19  WRITE_OWNER   Write access to owner.
Bit 20  SYNCHRONIZE   Synchronize access.

The following constants defined in Winnt.h represent the specific and standard access rights.

#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)

#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)

#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)

#define STANDARD_RIGHTS_ALL (0x001F0000L)

#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)
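The bit layout above is only half of how an access mask is interpreted: the generic bits 28-31 mean nothing until they are translated through the object type's GENERIC_MAPPING (see the See also list), which is what MapGenericMask does before AccessCheck compares a request against the ACEs. The following added example, not taken from Microsoft's documentation, decodes a mask into the fields this page defines and performs that generic-to-specific translation for a file object. The ACCESS_MASK constants are the values listed on this page; the file-object mapping values (FILE_GENERIC_READ 0x00120089, FILE_GENERIC_WRITE 0x00120116, FILE_GENERIC_EXECUTE 0x001200A0, FILE_ALL_ACCESS 0x001F01FF) are the Winnt.h definitions, re-declared here so the code compiles without Windows headers.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Constants from this page (Winnt.h), re-declared locally. */
#define DELETE                 0x00010000UL
#define READ_CONTROL           0x00020000UL
#define WRITE_DAC              0x00040000UL
#define WRITE_OWNER            0x00080000UL
#define SYNCHRONIZE            0x00100000UL
#define SPECIFIC_RIGHTS_ALL    0x0000FFFFUL
#define ACCESS_SYSTEM_SECURITY 0x01000000UL
#define MAXIMUM_ALLOWED        0x02000000UL
#define GENERIC_ALL            0x10000000UL
#define GENERIC_EXECUTE        0x20000000UL
#define GENERIC_WRITE          0x40000000UL
#define GENERIC_READ           0x80000000UL

/* Same shape as the Winnt.h GENERIC_MAPPING structure. */
typedef struct {
    ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll;
} GENERIC_MAPPING;

/* File-object mapping: FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS from Winnt.h. */
static const GENERIC_MAPPING file_mapping = {
    0x00120089UL, 0x00120116UL, 0x001200A0UL, 0x001F01FFUL
};

/* The fields of an ACCESS_MASK as laid out in the table above. */
typedef struct {
    uint16_t specific;               /* bits 0-15  */
    uint8_t  standard;               /* bits 16-23 */
    int      access_system_security; /* bit 24     */
    int      maximum_allowed;        /* bit 25     */
    uint8_t  generic;                /* bits 28-31 */
} mask_fields;

mask_fields decode_access_mask(ACCESS_MASK m)
{
    mask_fields f;
    f.specific               = (uint16_t)(m & SPECIFIC_RIGHTS_ALL);
    f.standard               = (uint8_t)((m >> 16) & 0xFF);
    f.access_system_security = (m & ACCESS_SYSTEM_SECURITY) != 0;
    f.maximum_allowed        = (m & MAXIMUM_ALLOWED) != 0;
    f.generic                = (uint8_t)((m >> 28) & 0x0F);
    return f;
}

/* Portable equivalent of MapGenericMask: each generic bit is replaced by the
   object-specific rights the mapping assigns to it, and the generic bits are cleared. */
ACCESS_MASK map_generic_mask(ACCESS_MASK m, const GENERIC_MAPPING *g)
{
    if (m & GENERIC_READ)    m |= g->GenericRead;
    if (m & GENERIC_WRITE)   m |= g->GenericWrite;
    if (m & GENERIC_EXECUTE) m |= g->GenericExecute;
    if (m & GENERIC_ALL)     m |= g->GenericAll;
    return m & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* After mapping, does the mask include the rights that let the holder rewrite
   the object's own protection (WRITE_DAC or WRITE_OWNER)? */
int grants_dac_control(ACCESS_MASK mapped)
{
    return (mapped & (WRITE_DAC | WRITE_OWNER)) != 0;
}

int main(void)
{
    ACCESS_MASK request = GENERIC_WRITE | DELETE;
    mask_fields f = decode_access_mask(request);
    printf("generic=0x%x standard=0x%02x specific=0x%04x\n", f.generic, f.standard, f.specific);
    ACCESS_MASK mapped = map_generic_mask(request, &file_mapping);
    printf("mapped for a file: 0x%08x, controls DACL: %s\n",
           (unsigned)mapped, grants_dac_control(mapped) ? "yes" : "no");
    return 0;
}
```

The point worth noticing is that GENERIC_WRITE on a file expands to FILE_GENERIC_WRITE, which does not include WRITE_DAC or WRITE_OWNER, whereas GENERIC_ALL expands to FILE_ALL_ACCESS, which includes both; an ACE that looks like "write" and one that looks like "full control" differ in exactly the bits that let the grantee rewrite the ACL.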

Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: Winnt.h (include Windows.h)

See also
Access Control
Basic Access Control Structures
Access Rights and Access Masks
GENERIC_MAPPING
SECURITY_DESCRIPTOR_CONTROL
3/5/2021

The SECURITY_DESCRIPTOR_CONTROL data type is a set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.

typedef WORD SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL;

Remarks
To get the control bits of a security descriptor, call the GetSecurityDescriptorControl function. To set the control bits of a security descriptor, use the functions for modifying security descriptors. For a list of these functions, see the See Also section.
Applications can use the SetSecurityDescriptorControl function to set the control bits that relate to automatic inheritance of ACEs.
The control value retrieved by the GetSecurityDescriptorControl function can include a combination of the following SECURITY_DESCRIPTOR_CONTROL bit flags.

SE_DACL_AUTO_INHERIT_REQ (0x0100)
    Indicates a required security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.
    For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.

SE_DACL_AUTO_INHERITED (0x0400)
    Indicates a security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects.
    For access control lists (ACLs) that support auto inheritance, this bit is always set. Protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function to convert a security descriptor and set this flag.

SE_DACL_DEFAULTED (0x0008)
    Indicates a security descriptor with a default DACL. For example, if the creator of an object does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.
    This flag is used to determine how the final DACL on the object is to be computed and is not stored physically in the security descriptor control of the securable object.
    To set this flag, use the SetSecurityDescriptorDacl function.

SE_DACL_PRESENT (0x0004)
    Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone.
    This flag is used to hold the security information specified by a caller until the security descriptor is associated with a securable object. After the security descriptor is associated with a securable object, the SE_DACL_PRESENT flag is always set in the security descriptor control.
    To set this flag, use the SetSecurityDescriptorDacl function.

SE_DACL_PROTECTED (0x1000)
    Prevents the DACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.

SE_GROUP_DEFAULTED (0x0002)
    Indicates that the security identifier (SID) of the security descriptor group was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose security descriptor group was set by a default mechanism. To set this flag, use the SetSecurityDescriptorGroup function.

SE_OWNER_DEFAULTED (0x0001)
    Indicates that the SID of the owner of the security descriptor was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose owner was set by a default mechanism. To set this flag, use the SetSecurityDescriptorOwner function.

SE_RM_CONTROL_VALID (0x4000)
    Indicates that the resource manager control is valid.

SE_SACL_AUTO_INHERIT_REQ (0x0200)
    Indicates a required security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects.
    The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function.

SE_SACL_AUTO_INHERITED (0x0800)
    Indicates a security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects.
    The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. To convert a security descriptor and set this flag, protected servers can call the ConvertToAutoInheritPrivateObjectSecurity function.

SE_SACL_DEFAULTED (0x0008)
    A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set. To set this flag, use the SetSecurityDescriptorSacl function.

SE_SACL_PRESENT (0x0010)
    Indicates a security descriptor that has a SACL. To set this flag, use the SetSecurityDescriptorSacl function.

SE_SACL_PROTECTED (0x2000)
    Prevents the SACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function.

SE_SELF_RELATIVE (0x8000)
    Indicates a self-relative security descriptor. If this flag is not set, the security descriptor is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.
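The SE_DACL_PRESENT entry above carries the rule that matters most when inspecting a descriptor: no DACL, or a NULL DACL, means everyone gets full access, whereas a DACL that is present but holds no ACEs denies everyone. The following added example, which is not Microsoft's code, reads the control word and DACL offset from a self-relative descriptor and classifies the DACL accordingly, the check a resource manager or a forensic parser wants before trusting a descriptor. The control bit values are those listed on this page. The header layout it assumes is the Winnt.h SECURITY_DESCRIPTOR_RELATIVE structure (Revision, Sbz1, Control, then little-endian byte offsets to Owner, Group, Sacl and Dacl, 0 meaning absent) and the 8-byte ACL header (AclRevision, Sbz1, AclSize, AceCount, Sbz2); both sample descriptors are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t SECURITY_DESCRIPTOR_CONTROL;

/* Control bits from the table above (Winnt.h), re-declared locally. */
#define SE_DACL_PRESENT        0x0004
#define SE_SACL_PRESENT        0x0010
#define SE_DACL_AUTO_INHERITED 0x0400
#define SE_DACL_PROTECTED      0x1000
#define SE_SELF_RELATIVE       0x8000

/* Parsed form of the SECURITY_DESCRIPTOR_RELATIVE header (20 bytes). Offsets are
   relative to the start of the descriptor; an offset of 0 means "not present". */
typedef struct {
    uint8_t  revision;
    SECURITY_DESCRIPTOR_CONTROL control;
    uint32_t owner, group, sacl, dacl;
} sd_header;

enum dacl_state { DACL_ABSENT, DACL_NULL, DACL_EMPTY, DACL_HAS_ACES, DACL_MALFORMED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 on success; 0 for a short buffer, unknown revision, or an absolute-format
   descriptor (which holds pointers rather than offsets and cannot be parsed from bytes). */
int parse_sd_header(const uint8_t *buf, size_t len, sd_header *h)
{
    if (len < 20 || buf[0] != 1) return 0;          /* SECURITY_DESCRIPTOR_REVISION is 1 */
    h->revision = buf[0];
    h->control  = rd16(buf + 2);
    if (!(h->control & SE_SELF_RELATIVE)) return 0;
    h->owner = rd32(buf + 4);
    h->group = rd32(buf + 8);
    h->sacl  = rd32(buf + 12);
    h->dacl  = rd32(buf + 16);
    return 1;
}

/* Applies the SE_DACL_PRESENT rule from the table above, then looks at AceCount
   (offset 4 within the ACL header) to tell an empty DACL from a populated one. */
enum dacl_state classify_dacl(const uint8_t *buf, size_t len, const sd_header *h)
{
    if (!(h->control & SE_DACL_PRESENT)) return DACL_ABSENT; /* everyone: full access */
    if (h->dacl == 0) return DACL_NULL;                      /* everyone: full access */
    if (h->dacl < 20 || (size_t)h->dacl + 8 > len) return DACL_MALFORMED;
    uint16_t ace_count = rd16(buf + h->dacl + 4);
    return ace_count == 0 ? DACL_EMPTY : DACL_HAS_ACES;       /* empty DACL: denies everyone */
}

int everyone_has_full_access(enum dacl_state s) { return s == DACL_ABSENT || s == DACL_NULL; }

/* SE_DACL_PROTECTED set means inheritable ACEs from the parent will not be merged in. */
int dacl_blocks_inheritance(const sd_header *h) { return (h->control & SE_DACL_PROTECTED) != 0; }

/* Constructed sample descriptors (not captured from a real object). */
static const uint8_t SD_NULL_DACL[20] = {
    1, 0, 0x04, 0x80,            /* revision 1; control = SE_SELF_RELATIVE | SE_DACL_PRESENT */
    0, 0, 0, 0,  0, 0, 0, 0,     /* owner, group absent */
    0, 0, 0, 0,                  /* sacl absent */
    0, 0, 0, 0                   /* dacl offset 0: flag set but the DACL is NULL */
};
static const uint8_t SD_EMPTY_PROTECTED_DACL[28] = {
    1, 0, 0x04, 0x90,            /* control = SE_SELF_RELATIVE | SE_DACL_PROTECTED | SE_DACL_PRESENT */
    0, 0, 0, 0,  0, 0, 0, 0,
    0, 0, 0, 0,
    20, 0, 0, 0,                 /* dacl at offset 20, directly after the header */
    2, 0, 8, 0, 0, 0, 0, 0       /* ACL header: revision 2, size 8, AceCount 0 */
};

int main(void)
{
    sd_header h;
    if (parse_sd_header(SD_NULL_DACL, sizeof SD_NULL_DACL, &h))
        printf("sample 1: everyone has full access = %d\n",
               everyone_has_full_access(classify_dacl(SD_NULL_DACL, sizeof SD_NULL_DACL, &h)));
    return 0;
}
```

The two samples are the pair that is easy to confuse in a dump: both carry SE_DACL_PRESENT, but the first grants everything to everyone and the second grants nothing to anyone.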

Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: Winnt.h (include Windows.h)

See also
Low-level Access Control
Basic Access Control Structures
ConvertToAutoInheritPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
SetSecurityDescriptorControl
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorSacl
SECURITY_INFORMATION
3/5/2021

The SECURITY_INFORMATION data type identifies the object-related security information being set or queried. This security information includes:
    The owner of an object
    The primary group of an object
    The discretionary access control list (DACL) of an object
    The system access control list (SACL) of an object

typedef DWORD SECURITY_INFORMATION, *PSECURITY_INFORMATION;

Remarks
Some SECURITY_INFORMATION members work only with the SetNamedSecurityInfo function. These members are not returned in the structure returned by other security functions such as GetNamedSecurityInfo or ConvertStringSecurityDescriptorToSecurityDescriptor.
Each item of security information is designated by a bit flag. Each bit flag can be one of the following values. For more information, see the SetSecurityAccessMask and QuerySecurityAccessMask functions.

ATTRIBUTE_SECURITY_INFORMATION
    Right required to query: READ_CONTROL
    Right required to set: WRITE_DAC
    The resource properties of the object being referenced. The resource properties are stored in SYSTEM_RESOURCE_ATTRIBUTE_ACE types in the SACL of the security descriptor.
    Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This bit flag is not available.

BACKUP_SECURITY_INFORMATION
    Right required to query: READ_CONTROL and ACCESS_SYSTEM_SECURITY
    Right required to set: WRITE_DAC and WRITE_OWNER and ACCESS_SYSTEM_SECURITY
    All parts of the security descriptor. This is useful for backup and restore software that needs to preserve the entire security descriptor.
    Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This bit flag is not available.

DACL_SECURITY_INFORMATION
    Right required to query: READ_CONTROL
    Right required to set: WRITE_DAC
    The DACL of the object is being referenced.

GROUP_SECURITY_INFORMATION
    Right required to query: READ_CONTROL
    Right required to set: WRITE_OWNER
    The primary group identifier of the object is being referenced.

LABEL_SECURITY_INFORMATION
    Right required to query: READ_CONTROL
    Right required to set: WRITE_OWNER
    The mandatory integrity label is being referenced. The mandatory integrity label is an ACE in the SACL of the object.
    Windows Server 2003 and Windows XP: This bit flag is not available.

OWNER_SECURITY_INFORMATION
    Right required to query: READ_CONTROL
    Right required to set: WRITE_OWNER
    The owner identifier of the object is being referenced.

PROTECTED_DACL_SECURITY_INFORMATION
    Right required to query: Not available
    Right required to set: WRITE_DAC
    The DACL cannot inherit access control entries (ACEs).

PROTECTED_SACL_SECURITY_INFORMATION
    Right required to query: Not available
    Right required to set: ACCESS_SYSTEM_SECURITY
    The SACL cannot inherit ACEs.

SACL_SECURITY_INFORMATION
    Right required to query: ACCESS_SYSTEM_SECURITY
    Right required to set: ACCESS_SYSTEM_SECURITY
    The SACL of the object is being referenced.

SCOPE_SECURITY_INFORMATION
    Right required to query: READ_CONTROL
    Right required to set: ACCESS_SYSTEM_SECURITY
    The Central Access Policy (CAP) identifier applicable on the object that is being referenced. Each CAP identifier is stored in a SYSTEM_SCOPED_POLICY_ID_ACE type in the SACL of the SD.
    Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This bit flag is not available.

UNPROTECTED_DACL_SECURITY_INFORMATION
    Right required to query: Not available
    Right required to set: WRITE_DAC
    The DACL inherits ACEs from the parent object.

UNPROTECTED_SACL_SECURITY_INFORMATION
    Right required to query: Not available
    Right required to set: ACCESS_SYSTEM_SECURITY
    The SACL inherits ACEs from the parent object.
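The table above is the specification of what QuerySecurityAccessMask and SetSecurityAccessMask compute: the object access a caller must hold for a given combination of SECURITY_INFORMATION flags. The following added example, not Microsoft's code, folds that table into two functions so a caller can work out up front whether a GetNamedSecurityInfo or SetNamedSecurityInfo request will need ACCESS_SYSTEM_SECURITY, which in turn requires the SE_SECURITY_NAME privilege to be enabled in the token (see ACCESS_MASK, bit 24). The SECURITY_INFORMATION flag values and the four access rights are the Winnt.h definitions, re-declared locally; this page lists the rights but not the numeric flag values.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t SECURITY_INFORMATION;
typedef uint32_t ACCESS_MASK;

/* SECURITY_INFORMATION flags, values as defined in Winnt.h (re-declared locally). */
#define OWNER_SECURITY_INFORMATION            0x00000001UL
#define GROUP_SECURITY_INFORMATION            0x00000002UL
#define DACL_SECURITY_INFORMATION             0x00000004UL
#define SACL_SECURITY_INFORMATION             0x00000008UL
#define LABEL_SECURITY_INFORMATION            0x00000010UL
#define ATTRIBUTE_SECURITY_INFORMATION        0x00000020UL
#define SCOPE_SECURITY_INFORMATION            0x00000040UL
#define BACKUP_SECURITY_INFORMATION           0x00010000UL
#define UNPROTECTED_SACL_SECURITY_INFORMATION 0x10000000UL
#define UNPROTECTED_DACL_SECURITY_INFORMATION 0x20000000UL
#define PROTECTED_SACL_SECURITY_INFORMATION   0x40000000UL
#define PROTECTED_DACL_SECURITY_INFORMATION   0x80000000UL

/* Access rights from the ACCESS_MASK page. */
#define READ_CONTROL           0x00020000UL
#define WRITE_DAC              0x00040000UL
#define WRITE_OWNER            0x00080000UL
#define ACCESS_SYSTEM_SECURITY 0x01000000UL

/* Portable equivalent of QuerySecurityAccessMask, derived from the table above. */
ACCESS_MASK query_access_required(SECURITY_INFORMATION si)
{
    ACCESS_MASK m = 0;
    if (si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION |
              LABEL_SECURITY_INFORMATION | ATTRIBUTE_SECURITY_INFORMATION | SCOPE_SECURITY_INFORMATION))
        m |= READ_CONTROL;
    if (si & SACL_SECURITY_INFORMATION)
        m |= ACCESS_SYSTEM_SECURITY;
    if (si & BACKUP_SECURITY_INFORMATION)
        m |= READ_CONTROL | ACCESS_SYSTEM_SECURITY;
    return m;
}

/* Portable equivalent of SetSecurityAccessMask, derived from the table above. */
ACCESS_MASK set_access_required(SECURITY_INFORMATION si)
{
    ACCESS_MASK m = 0;
    if (si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION))
        m |= WRITE_OWNER;
    if (si & (DACL_SECURITY_INFORMATION | ATTRIBUTE_SECURITY_INFORMATION |
              PROTECTED_DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION))
        m |= WRITE_DAC;
    if (si & (SACL_SECURITY_INFORMATION | SCOPE_SECURITY_INFORMATION |
              PROTECTED_SACL_SECURITY_INFORMATION | UNPROTECTED_SACL_SECURITY_INFORMATION))
        m |= ACCESS_SYSTEM_SECURITY;
    if (si & BACKUP_SECURITY_INFORMATION)
        m |= WRITE_DAC | WRITE_OWNER | ACCESS_SYSTEM_SECURITY;
    return m;
}

/* ACCESS_SYSTEM_SECURITY is only granted to a caller whose token has SE_SECURITY_NAME
   enabled, so a request that needs it will fail for an ordinary caller. */
int needs_security_privilege(ACCESS_MASK required)
{
    return (required & ACCESS_SYSTEM_SECURITY) != 0;
}

int main(void)
{
    SECURITY_INFORMATION si = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION;
    ACCESS_MASK q = query_access_required(si);
    printf("query owner+DACL+SACL needs 0x%08x, SeSecurityPrivilege required: %s\n",
           (unsigned)q, needs_security_privilege(q) ? "yes" : "no");
    return 0;
}
```

A common mistake this catches is requesting SACL_SECURITY_INFORMATION alongside the DACL in a routine permissions read: the extra flag turns a READ_CONTROL request into one that also needs ACCESS_SYSTEM_SECURITY, and the whole call fails unless the caller has enabled SE_SECURITY_NAME.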

Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: Winnt.h (include Windows.h)

See also
Access Control
Basic Access Control Structures
ConvertSecurityDescriptorToStringSecurityDescriptor
ConvertStringSecurityDescriptorToSecurityDescriptor
GetFileSecurity
GetKernelObjectSecurity
GetNamedSecurityInfo
GetPrivateObjectSecurity
GetSecurityInfo
GetUserObjectSecurity
QuerySecurityAccessMask
SetFileSecurity
SetKernelObjectSecurity
SetNamedSecurityInfo
SetPrivateObjectSecurity
SetSecurityAccessMask
SetSecurityInfo
SetUserObjectSecurity
TreeResetNamedSecurityInfo
TreeSetNamedSecurityInfo
Authorization Enumerations
3/5/2021

The following enumerations are used with authorization applications.

In this section

ACCESS_MODE
    Contains values that indicate how the access rights in an EXPLICIT_ACCESS structure apply to the trustee.

ACL_INFORMATION_CLASS
    Contains values that specify the type of information being assigned to or retrieved from an access control list (ACL).

AUDIT_EVENT_TYPE
    Defines values that indicate the type of object being audited. The AccessCheckByTypeAndAuditAlarm and AccessCheckByTypeResultListAndAuditAlarm functions use these values.

AUDIT_PARAM_TYPE
    Defines the type of audit parameters that are available.

AUTHZ_CONTEXT_INFORMATION_CLASS
    Specifies the type of information to be retrieved from an existing AuthzClientContext. This enumeration is used by the AuthzGetInformationFromContext function.

AUTHZ_SECURITY_ATTRIBUTE_OPERATION
    Indicates the type of modification to be made to security attributes by a call to the AuthzModifySecurityAttributes function.

AUTHZ_SID_OPERATION
    Indicates the type of SID operations that can be made by a call to the AuthzModifySids function.

AZ_PROP_CONSTANTS
    Defines constants used by Authorization Manager.

MANDATORY_LEVEL
    Lists the possible security levels.

MULTIPLE_TRUSTEE_OPERATION
    Contains values that indicate whether a TRUSTEE structure is an impersonation trustee.

PROG_INVOKE_SETTING
    Indicates the initial setting of the function used to track the progress of a call to the TreeSetNamedSecurityInfo or TreeResetNamedSecurityInfo function.

SE_OBJECT_TYPE
    Contains values that correspond to the types of Windows objects that support security.

SECURITY_IMPERSONATION_LEVEL
    Contains values that specify security impersonation levels. Security impersonation levels govern the degree to which a server process can act on behalf of a client process.

SI_PAGE_TYPE
    Contains values that indicate the types of property pages in an access control editor property sheet.

SID_NAME_USE
    Contains values that specify the type of a security identifier (SID).

TOKEN_ELEVATION_TYPE
    Indicates the elevation type of token being queried by the GetTokenInformation function or set by the SetTokenInformation function.

TOKEN_INFORMATION_CLASS
    Contains values that specify the type of information being assigned to or retrieved from an access token.

TOKEN_TYPE
    Contains values that differentiate between a primary token and an impersonation token.

TRUSTEE_FORM
    Values that indicate the type of data pointed to by the ptstrName member of the TRUSTEE structure.

TRUSTEE_TYPE
    Values that indicate the type of trustee identified by a TRUSTEE structure.

WELL_KNOWN_SID_TYPE
    A list of commonly used security identifiers (SIDs). Programs can pass these values to the CreateWellKnownSid function to create a SID from this list.
Authorization Functions (Authorization)
3/5/2021 • 19 minutes to read • Edit Online

The following functions are used with authorization applications.

In this section
TO P IC DESC RIP T IO N

AccessCheck Determines whether a security descriptor grants a specified


set of access rights to the client identified by an access
token.

AccessCheckAndAuditAlarm Determines whether a security descriptor grants a specified


set of access rights to the client being impersonated by the
calling thread.

AccessCheckByType Determines whether a security descriptor grants a specified


set of access rights to the client identified by an access
token.

AccessCheckByTypeAndAuditAlarm Determines whether a security descriptor grants a specified


set of access rights to the client being impersonated by the
calling thread.

AccessCheckByTypeResultList Determines whether a security descriptor grants a specified


set of access rights to the client identified by an access
token.

DeriveCapabilitySidsFromName This function constructs two arrays of SIDs out of a


capability name. One is an array group SID with NT
Authority, and the other is an array of capability SIDs with
AppAuthority.

AccessCheckByTypeResultListAndAuditAlarm Determines whether a security descriptor grants a specified


set of access rights to the client being impersonated by the
calling thread.

AccessCheckByTypeResultListAndAuditAlarmByHandl Determines whether a security descriptor grants a specified


e set of access rights to the client that the calling thread is
impersonating.

AddAccessAllowedAce Adds an access-allowed access control entry (ACE) to an


access control list (ACL). The access is granted to a specified
security identifier (SID).

AddAccessAllowedAceEx Adds an access-allowed access control entry (ACE) to the


end of a discretionary access control list (DACL).

AddAccessAllowedObjectAce Adds an access-allowed access control entry (ACE) to the


end of a discretionary access control list (DACL).
TO P IC DESC RIP T IO N

AddAccessDeniedAce Adds an access-denied access control entry (ACE) to an


access control list (ACL). The access is denied to a specified
security identifier (SID).

AddAccessDeniedAceEx Adds an access-denied access control entry (ACE) to the end


of a discretionary access control list (DACL).

AddAccessDeniedObjectAce Adds an access-denied access control entry (ACE) to the end


of a discretionary access control list (DACL). The new ACE
can deny access to an object, or to a property set or
property on an object.

AddAce Adds one or more access control entries (ACEs) to a specified


access control list (ACL).

AddAuditAccessAce Adds a system-audit access control entry (ACE) to a system


access control list (ACL). The access of a specified security
identifier (SID) is audited.

AddAuditAccessAceEx Adds a system-audit access control entry (ACE) to the end


of a system access control list (SACL).

AddAuditAccessObjectAce Adds a system-audit access control entry (ACE) to the end


of a system access control list (SACL).

AddConditionalAce Adds a conditional access control entry (ACE) to the


specified access control list (ACL).

AddMandator yAce Adds a SYSTEM_MANDATORY_L ABEL_ACE access


control entry (ACE) to the specified system access control list
(SACL).

AddResourceAttributeAce Adds a SYSTEM_RESOURCE_ATTRIBUTE_ACE access


control entry (ACE) to the end of a system access control list
(SACL).

AddScopedPolicyIDAce Adds a SYSTEM_SCOPED_POLICY_ID_ACE access control


entry (ACE) to the end of a system access control list (SACL).

AdjustTokenGroups Enables or disables groups already present in the specified


access token. Access to TOKEN_ADJUST_GROUPS is required
to enable or disable groups in an access token.

AdjustTokenPrivileges Enables or disables privileges in the specified access token.


Enabling or disabling privileges in an access token requires
TOKEN_ADJUST_PRIVILEGES access.

AllocateAndInitializeSid Allocates and initializes a security identifier (SID) with up to


eight subauthorities.

AllocateLocallyUniqueId Allocates a locally unique identifier (LUID).

AreAllAccessesGranted Checks whether a set of requested access rights has been


granted. The access rights are represented as bit flags in an
access mask.
TO P IC DESC RIP T IO N

AreAnyAccessesGranted: Tests whether any of a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.

AuditComputeEffectivePolicyBySid: Computes the effective audit policy for one or more subcategories for the specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy.

AuditComputeEffectivePolicyByToken: Computes the effective audit policy for one or more subcategories for the security principal associated with the specified token. The function computes effective audit policy by combining system audit policy with per-user policy.

AuditEnumerateCategories: Enumerates the available audit-policy categories.

AuditEnumeratePerUserPolicy: Enumerates users for whom per-user auditing policy is specified.

AuditEnumerateSubCategories: Enumerates the available audit-policy subcategories.

AuditFree: Frees the memory allocated by audit functions for the specified buffer.

AuditLookupCategoryGuidFromCategoryId: Retrieves a GUID structure that represents the specified audit-policy category.

AuditLookupCategoryIdFromCategoryGuid: Retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the specified audit-policy category.

AuditLookupCategoryName: Retrieves the display name of the specified audit-policy category.

AuditLookupSubCategoryName: Retrieves the display name of the specified audit-policy subcategory.

AuditQueryGlobalSacl: Retrieves a global system access control list (SACL) that delegates access to the audit messages.

AuditQueryPerUserPolicy: Retrieves per-user audit policy in one or more audit-policy subcategories for the specified principal.

AuditQuerySecurity: Retrieves a security descriptor that delegates access to audit policy.

AuditQuerySystemPolicy: Retrieves system audit policy for one or more audit-policy subcategories.

AuditSetGlobalSacl: Sets a global system access control list (SACL) that delegates access to the audit messages.

AuditSetPerUserPolicy: Sets per-user audit policy in one or more audit subcategories for the specified principal.

AuditSetSecurity: Sets a security descriptor that delegates access to audit policy.

AuditSetSystemPolicy: Sets system audit policy for one or more audit-policy subcategories.

AuthzAccessCheck: Determines which access bits can be granted to a client for a given set of security descriptors.

AuthzAccessCheckCallback: An application-defined function that handles callback access control entries (ACEs) during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application registers this callback by calling AuthzInitializeResourceManager.

AuthzAddSidsToContext: Creates a copy of an existing context and appends a given set of security identifiers (SIDs) and restricted SIDs.

AuthzCachedAccessCheck: Performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call.

AuthzComputeGroupsCallback: An application-defined function that creates a list of security identifiers (SIDs) that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name.

AuthzEnumerateSecurityEventSources: Retrieves the registered security event sources that are not installed by default.

AuthzFreeAuditEvent: Frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function.

AuthzFreeCentralAccessPolicyCache: Decreases the CAP cache reference count by one so that the CAP cache can be deallocated.

AuthzFreeCentralAccessPolicyCallback: An application-defined function that frees memory allocated by the AuthzGetCentralAccessPolicyCallback function. AuthzFreeCentralAccessPolicyCallback is a placeholder for the application-defined function name.

AuthzFreeContext: Frees all structures and memory associated with the client context. The list of handles for a client is freed in this call.

AuthzFreeGroupsCallback: An application-defined function that frees memory allocated by the AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name.

AuthzFreeHandle: Finds and deletes a handle from the handle list.

AuthzFreeResourceManager: Frees a resource manager object.

AuthzGetCentralAccessPolicyCallback: An application-defined function that retrieves the central access policy. AuthzGetCentralAccessPolicyCallback is a placeholder for the application-defined function name.

AuthzGetInformationFromContext: Returns information about an Authz context.

AuthzInitializeCompoundContext: Creates a user-mode context from the given user and device security contexts.

AuthzInitializeContextFromAuthzContext: Creates a new client context based on an existing client context.

AuthzInitializeContextFromSid: Creates a user-mode client context from a user security identifier (SID).

AuthzInitializeContextFromToken: Initializes a client authorization context from a kernel token. The kernel token must have been opened for TOKEN_QUERY.

AuthzInitializeObjectAccessAuditEvent: Initializes auditing for an object.

AuthzInitializeObjectAccessAuditEvent2: Allocates and initializes an AUTHZ_AUDIT_EVENT_HANDLE handle for use with the AuthzAccessCheck function.

AuthzInitializeRemoteResourceManager: Allocates and initializes a remote resource manager. The caller can use the resulting handle to make RPC calls to a remote instance of the resource manager configured on a server.

AuthzInitializeResourceManager: Uses Authz to verify that clients have access to various resources.

AuthzInitializeResourceManagerEx: Allocates and initializes a resource manager structure.

AuthzInstallSecurityEventSource: Installs the specified source as a security event source.

AuthzModifyClaims: Adds, deletes, or modifies user and device claims in the Authz client context.

AuthzModifySecurityAttributes: Modifies the security attribute information in the specified client context.

AuthzModifySids: Adds, deletes, or modifies user and device groups in the Authz client context.

AuthzOpenObjectAudit: Reads the system access control list (SACL) of the specified security descriptor and generates any appropriate audits specified by that SACL.

AuthzRegisterCapChangeNotification: Registers a CAP update notification callback.

AuthzRegisterSecurityEventSource: Registers a security event source with the Local Security Authority (LSA).

AuthzReportSecurityEvent: Generates a security audit for a registered security event source.

AuthzReportSecurityEventFromParams: Generates a security audit for a registered security event source by using the specified array of audit parameters.

AuthzSetAppContainerInformation: Sets the app container and capability information in a current Authz context.

AuthzUninstallSecurityEventSource: Removes the specified source from the list of valid security event sources.

AuthzUnregisterCapChangeNotification: Removes a previously registered CAP update notification callback.

AuthzUnregisterSecurityEventSource: Unregisters a security event source with the Local Security Authority (LSA).

BuildExplicitAccessWithName: Initializes an EXPLICIT_ACCESS structure with data specified by the caller. The trustee is identified by a name string.

BuildImpersonateExplicitAccessWithName: The BuildImpersonateExplicitAccessWithName function is not supported.

BuildImpersonateTrustee: The BuildImpersonateTrustee function is not supported.

BuildSecurityDescriptor: Allocates and initializes a new security descriptor.

BuildTrusteeWithName: Initializes a TRUSTEE structure. The caller specifies the trustee name. The function sets other members of the structure to default values.

BuildTrusteeWithObjectsAndName: Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the name of the trustee.

BuildTrusteeWithObjectsAndSid: Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the SID structure that represents the security identifier of the trustee.

BuildTrusteeWithSid: Initializes a TRUSTEE structure. The caller specifies the security identifier (SID) of the trustee. The function sets other members of the structure to default values and does not look up the name associated with the SID.

CheckTokenCapability: Checks the capabilities of a given token.

CheckTokenMembership: Determines whether a specified security identifier (SID) is enabled in an access token.

CheckTokenMembershipEx: Determines whether the specified SID is enabled in the specified token.

ConvertSecurityDescriptorToStringSecurityDescriptor: Converts a security descriptor to a string format. You can use the string format to store or transmit the security descriptor.

ConvertSidToStringSid: Converts a security identifier (SID) to a string format suitable for display, storage, or transmission.

ConvertStringSecurityDescriptorToSecurityDescriptor: Converts a string-format security descriptor into a valid, functional security descriptor.

ConvertStringSidToSid: Converts a string-format security identifier (SID) into a valid, functional SID. You can use this function to retrieve a SID that the ConvertSidToStringSid function converted to string format.

ConvertToAutoInheritPrivateObjectSecurity: Converts a security descriptor and its access control lists (ACLs) to a format that supports automatic propagation of inheritable access control entries (ACEs).

CopySid: Copies a security identifier (SID) to a buffer.

CreatePrivateObjectSecurity: Allocates and initializes a self-relative security descriptor for a new private object. A protected server calls this function when it creates a new private object.

CreatePrivateObjectSecurityEx: Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.

CreatePrivateObjectSecurityWithMultipleInheritance: Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.

CreateRestrictedToken: Creates a new access token that is a restricted version of an existing access token. The restricted token can have disabled security identifiers (SIDs), deleted privileges, and a list of restricting SIDs.

CreateSecurityPage: Creates a basic security property page that enables the user to view and edit the access rights allowed or denied by the access control entries (ACEs) in an object's discretionary access control list (DACL).

CreateWellKnownSid: Creates a SID for predefined aliases.

DeleteAce: Deletes an access control entry (ACE) from an access control list (ACL).

DestroyPrivateObjectSecurity: Deletes a private object's security descriptor.

DSCreateSecurityPage: Creates a security property page for an Active Directory object.

DSCreateISecurityInfoObject: Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object.

DSCreateISecurityInfoObjectEx: Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object on the specified server.

DSEditSecurity: Displays a modal dialog box for editing security on a Directory Services (DS) object.

DuplicateToken: Creates a new access token that duplicates one already in existence.

DuplicateTokenEx: Creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.

EditSecurity: Displays a property sheet that contains a basic security property page. This property page enables the user to view and edit the access rights allowed or denied by the ACEs in an object's DACL.

EditSecurityAdvanced: Extends the EditSecurity function to include the security page type when displaying the property sheet that contains a basic security property page.

EqualDomainSid: Determines whether two SIDs are from the same domain.

EqualPrefixSid: Tests two security-identifier (SID) prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.

EqualSid: Tests two security identifier (SID) values for equality. Two SIDs must match exactly to be considered equal.

FindFirstFreeAce: Retrieves a pointer to the first free byte in an access control list (ACL).

FreeInheritedFromArray: Frees memory allocated by the GetInheritanceSource function.

FreeSid: Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function.

GetAce: Obtains a pointer to an access control entry (ACE) in an access control list (ACL).

GetAclInformation: Retrieves information about an access control list (ACL).

GetAppContainerNamedObjectPath: Retrieves the named object path for the app container.

GetAuditedPermissionsFromAcl: Retrieves the audited access rights for a specified trustee.

GetCurrentProcessToken: Retrieves a pseudo-handle that you can use as a shorthand way to refer to the access token associated with a process.

GetCurrentThreadEffectiveToken: Retrieves a pseudo-handle that you can use as a shorthand way to refer to the token that is currently in effect for the thread, which is the thread token if one exists and the process token otherwise.

GetCurrentThreadToken: Retrieves a pseudo-handle that you can use as a shorthand way to refer to the impersonation token that was assigned to the current thread.

GetEffectiveRightsFromAcl: Retrieves the effective access rights that an ACL structure grants to a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member.

GetExplicitEntriesFromAcl: Retrieves an array of structures that describe the access control entries (ACEs) in an access control list (ACL).

GetFileSecurity: Obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges.

GetInheritanceSource: Returns information about the source of inherited access control entries (ACEs) in an access control list (ACL).

GetKernelObjectSecurity: Retrieves a copy of the security descriptor that protects a kernel object.

GetLengthSid: Returns the length, in bytes, of a valid security identifier (SID).

GetMultipleTrustee: The GetMultipleTrustee function is not supported.

GetMultipleTrusteeOperation: The GetMultipleTrusteeOperation function is not supported.

GetNamedSecurityInfo: Retrieves a copy of the security descriptor for an object specified by name.

GetPrivateObjectSecurity: Retrieves information from a private object's security descriptor.

GetSecurityDescriptorControl: Retrieves a security descriptor control and revision information.

GetSecurityDescriptorDacl: Retrieves a pointer to the discretionary access control list (DACL) in a specified security descriptor.

GetSecurityDescriptorGroup: Retrieves the primary group information from a security descriptor.

GetSecurityDescriptorLength: Returns the length, in bytes, of a structurally valid security descriptor. The length includes the length of all associated structures.

GetSecurityDescriptorOwner: Retrieves the owner information from a security descriptor.

GetSecurityDescriptorRMControl: Retrieves the resource manager control bits.

GetSecurityDescriptorSacl: Retrieves a pointer to the system access control list (SACL) in a specified security descriptor.

GetSecurityInfo: Retrieves a copy of the security descriptor for an object specified by a handle.

GetSidIdentifierAuthority: Returns a pointer to the SID_IDENTIFIER_AUTHORITY structure in a specified security identifier (SID).

GetSidLengthRequired: Returns the length, in bytes, of the buffer required to store a SID with a specified number of subauthorities.

GetSidSubAuthority: Returns a pointer to a specified subauthority in a security identifier (SID). The subauthority value is a relative identifier (RID).

GetSidSubAuthorityCount: Returns a pointer to the member in a security identifier (SID) structure that contains the subauthority count.

GetTokenInformation: Retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.

GetTrusteeForm: Retrieves the trustee form from the specified TRUSTEE structure. This value indicates whether the structure uses a name string or a security identifier (SID) to identify the trustee.

GetTrusteeName: Retrieves the trustee name from the specified TRUSTEE structure.

GetTrusteeType: Retrieves the trustee type from the specified TRUSTEE structure. This value indicates whether the trustee is a user, a group, or the trustee type is unknown.

GetUserObjectSecurity: Retrieves security information for the specified user object.

GetWindowsAccountDomainSid: Receives a security identifier (SID) and returns a SID representing the domain of that SID.

ImpersonateAnonymousToken: Enables the specified thread to impersonate the system's anonymous logon token.

ImpersonateLoggedOnUser: Lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.

ImpersonateNamedPipeClient: Impersonates a named-pipe client application.

ImpersonateSelf: Obtains an access token that impersonates the security context of the calling process. The token is assigned to the calling thread.

InitializeAcl: Initializes a new ACL structure.

InitializeSecurityDescriptor: Initializes a new security descriptor.

InitializeSid: Initializes a security identifier (SID).

IsTokenRestricted: Indicates whether a token contains a list of restricted security identifiers (SIDs).

IsValidAcl: Validates an access control list (ACL).

IsValidSecurityDescriptor: Determines whether the components of a security descriptor are valid.

IsValidSid: Validates a security identifier (SID) by verifying that the revision number is within a known range, and that the number of subauthorities is less than the maximum.

IsWellKnownSid: Compares a SID to a well-known SID and returns TRUE if they match.

LookupAccountName: Accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the name of the domain on which the account was found.

LookupAccountSid: Accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the first domain on which this SID is found.

LookupAccountSidLocal: Retrieves the name of the account for the specified SID on the local machine.

LookupPrivilegeDisplayName: Retrieves the display name that represents a specified privilege.

LookupPrivilegeName: Retrieves the name that corresponds to the privilege represented on a specific system by a specified locally unique identifier (LUID).

LookupPrivilegeValue: Retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.

LookupSecurityDescriptorParts: Retrieves security information from a self-relative security descriptor.

MakeAbsoluteSD: Creates a security descriptor in absolute format by using a security descriptor in self-relative format as a template.

MakeSelfRelativeSD: Creates a security descriptor in self-relative format by using a security descriptor in absolute format as a template.

MapGenericMask: Maps the generic access rights in an access mask to specific and standard access rights. The function applies a mapping supplied in a GENERIC_MAPPING structure.

NtCompareTokens: Compares two access tokens and determines whether they are equivalent with respect to a call to the AccessCheck function.

ObjectCloseAuditAlarm: Generates an audit message in the security event log when a handle to a private object is deleted.

ObjectDeleteAuditAlarm: Generates audit messages when an object is deleted.

ObjectOpenAuditAlarm: Generates audit messages when a client application attempts to gain access to an object or to create a new one.

ObjectPrivilegeAuditAlarm: Generates an audit message in the security event log.

OpenProcessToken: Opens the access token associated with a process.

OpenThreadToken: Opens the access token associated with a thread.

PrivilegeCheck: Determines whether a specified set of privileges are enabled in an access token.

PrivilegedServiceAuditAlarm: Generates an audit message in the security event log.

QuerySecurityAccessMask: Creates an access mask that represents the access permissions necessary to query the specified object security information.

QueryServiceObjectSecurity: Retrieves a copy of the security descriptor associated with a service object.

RegGetKeySecurity: Retrieves a copy of the security descriptor protecting the specified open registry key.

RegSetKeySecurity: Sets the security of an open registry key.

RevertToSelf: Terminates the impersonation of a client application.

RtlConvertSidToUnicodeString: Converts a security identifier (SID) to its Unicode character representation.

SetAclInformation: Sets information about an access control list (ACL).


SetEntriesInAcl: Creates a new access control list (ACL) by merging new access control or audit control information into an existing ACL structure.

SetFileSecurity: Sets the security of a file or directory object.

SetKernelObjectSecurity: Sets the security of a kernel object.

SetNamedSecurityInfo: Sets specified security information in the security descriptor of a specified object.

SetPrivateObjectSecurity: Modifies a private object's security descriptor.

SetPrivateObjectSecurityEx: Modifies the security descriptor of a private object maintained by the resource manager calling this function.

SetSecurityAccessMask: Creates an access mask that represents the access permissions necessary to set the specified object security information.

SetSecurityDescriptorControl: Sets the control bits of a security descriptor. The function can set only the control bits that relate to automatic inheritance of ACEs.

SetSecurityDescriptorDacl: Sets information in a discretionary access control list (DACL). If a DACL is already present in the security descriptor, the DACL is replaced.

SetSecurityDescriptorGroup: Sets the primary group information of an absolute-format security descriptor, replacing any primary group information already present in the security descriptor.

SetSecurityDescriptorOwner: Sets the owner information of an absolute-format security descriptor. It replaces any owner information already present in the security descriptor.

SetSecurityDescriptorRMControl: Sets the resource manager control bits in the SECURITY_DESCRIPTOR structure.

SetSecurityDescriptorSacl: Sets information in a system access control list (SACL). If there is already a SACL present in the security descriptor, it is replaced.

SetSecurityInfo: Sets specified security information in the security descriptor of a specified object. The caller identifies the object by a handle.

SetServiceObjectSecurity: Sets the security descriptor of a service object.

SetThreadToken: Assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.

SetTokenInformation: Sets various types of information for a specified access token.

SetUserObjectSecurity: Sets the security of a user object. This can be, for example, a window or a DDE conversation.

TreeResetNamedSecurityInfo: Resets specified security information in the security descriptor of a specified tree of objects.

TreeSetNamedSecurityInfo: Sets specified security information in the security descriptor of a specified tree of objects.

Authorization functions are categorized according to usage as follows.


Basic Access Control Functions
Access Control Editor Functions
Client/Server Access Control Functions
Low-level Access Control Functions
Audit Policy Functions

Basic Access Control Functions


The following functions are used with access tokens.
AccessCheck
AccessCheckByType
AccessCheckByTypeResultList
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AuthzAccessCheck
AuthzAccessCheckCallback
AuthzAddSidsToContext
AuthzCachedAccessCheck
AuthzComputeGroupsCallback
AuthzEnumerateSecurityEventSources
AuthzFreeAuditEvent
AuthzFreeContext
AuthzFreeGroupsCallback
AuthzFreeHandle
AuthzFreeResourceManager
AuthzGetInformationFromContext
AuthzInitializeContextFromAuthzContext
AuthzInitializeContextFromSid
AuthzInitializeContextFromToken
AuthzInitializeObjectAccessAuditEvent
AuthzInitializeObjectAccessAuditEvent2
AuthzInitializeResourceManager
AuthzInstallSecurityEventSource
AuthzOpenObjectAudit
AuthzRegisterSecurityEventSource
AuthzReportSecurityEvent
AuthzReportSecurityEventFromParams
AuthzUninstallSecurityEventSource
AuthzUnregisterSecurityEventSource
BuildExplicitAccessWithName
BuildImpersonateExplicitAccessWithName
BuildImpersonateTrustee
BuildTrusteeWithName
BuildTrusteeWithObjectsAndName
BuildTrusteeWithObjectsAndSid
BuildTrusteeWithSid
CheckTokenMembership
ConvertSecurityDescriptorToStringSecurityDescriptor
ConvertSidToStringSid
ConvertStringSecurityDescriptorToSecurityDescriptor
ConvertStringSidToSid
CopySid
CreateRestrictedToken
CreateWellKnownSid
DuplicateToken
DuplicateTokenEx
EqualDomainSid
EqualPrefixSid
EqualSid
FreeSid
GetAuditedPermissionsFromAcl
GetEffectiveRightsFromAcl
GetExplicitEntriesFromAcl
GetLengthSid
GetMultipleTrustee
GetMultipleTrusteeOperation
GetNamedSecurityInfo
GetSecurityDescriptorControl
GetSecurityInfo
GetSidIdentifierAuthority
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
GetTrusteeForm
GetTrusteeName
GetTrusteeType
GetWindowsAccountDomainSid
InitializeSid
IsTokenRestricted
IsValidSid
IsWellKnownSid
LookupAccountName
LookupAccountSid
LookupAccountSidLocal
LookupPrivilegeDisplayName
LookupPrivilegeName
LookupPrivilegeValue
NtCompareTokens
OpenProcessToken
OpenThreadToken
QuerySecurityAccessMask
RtlConvertSidToUnicodeString
SetEntriesInAcl
SetNamedSecurityInfo
SetSecurityAccessMask
SetSecurityDescriptorControl
SetSecurityInfo
SetThreadToken
SetTokenInformation
TreeResetNamedSecurityInfo
TreeSetNamedSecurityInfo

Access Control Editor Functions


The following functions are used with the access control editor.
CreateSecurityPage
DSCreateSecurityPage
EditSecurity

Client/Server Access Control Functions


The following functions are used by servers to impersonate clients.
AreAllAccessesGranted
AreAnyAccessesGranted
BuildSecurityDescriptor
ConvertToAutoInheritPrivateObjectSecurity
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateProcessAsUser
CreateProcessWithLogonW
DestroyPrivateObjectSecurity
GetPrivateObjectSecurity
ImpersonateAnonymousToken
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
ImpersonateSelf
LookupSecurityDescriptorParts
MapGenericMask
ObjectCloseAuditAlarm
ObjectDeleteAuditAlarm
ObjectOpenAuditAlarm
ObjectPrivilegeAuditAlarm
PrivilegeCheck
PrivilegedServiceAuditAlarm
RevertToSelf
SetPrivateObjectSecurity
SetPrivateObjectSecurityEx
SetSecurityDescriptorRMControl

Low-level Access Control Functions


The following low-level functions are used to manipulate security descriptors.
AccessCheckAndAuditAlarm
AccessCheckByTypeAndAuditAlarm
AccessCheckByTypeResultListAndAuditAlarm
AccessCheckByTypeResultListAndAuditAlarmByHandle
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddMandatoryAce
DeleteAce
FindFirstFreeAce
FreeInheritedFromArray
GetAce
GetAclInformation
GetFileSecurity
GetInheritanceSource
GetKernelObjectSecurity
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
GetUserObjectSecurity
InitializeAcl
InitializeSecurityDescriptor
IsValidAcl
IsValidSecurityDescriptor
MakeAbsoluteSD
MakeSelfRelativeSD
NetShareGetInfo
NetShareSetInfo
QueryServiceObjectSecurity
RegGetKeySecurity
RegSetKeySecurity
SetAclInformation
SetFileSecurity
SetKernelObjectSecurity
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorSacl
SetServiceObjectSecurity
SetUserObjectSecurity

Audit Policy Functions


AuditComputeEffectivePolicyBySid
AuditComputeEffectivePolicyByToken
AuditEnumerateCategories
AuditEnumeratePerUserPolicy
AuditEnumerateSubCategories
AuditFree
AuditLookupCategoryGuidFromCategoryId
AuditLookupCategoryIdFromCategoryGuid
AuditLookupCategoryName
AuditLookupSubCategoryName
AuditQueryPerUserPolicy
AuditQuerySystemPolicy
AuditSetPerUserPolicy
AuditSetSystemPolicy

AuthzAccessCheckCallback callback function
3/5/2021

The AuthzAccessCheckCallback function is an application-defined function that handles callback access control entries (ACEs) during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application registers this callback by calling AuthzInitializeResourceManager.

Syntax
BOOL CALLBACK AuthzAccessCheckCallback(
_In_ AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
_In_ PACE_HEADER pAce,
_In_opt_ PVOID pArgs,
_Inout_ PBOOL pbAceApplicable
);

Parameters
hAuthzClientContext [in]
A handle to a client context.
pAce [in]
A pointer to the ACE to evaluate for inclusion in the call to the AuthzAccessCheck function.
pArgs [in, optional]
Data passed in the DynamicGroupArgs parameter of the call to AuthzAccessCheck or AuthzCachedAccessCheck.
pbAceApplicable [in, out]
A pointer to a Boolean variable that receives the results of the evaluation of the logic defined by the application. The results are TRUE if the logic determines that the ACE is applicable and will be included in the call to AuthzAccessCheck; otherwise, the results are FALSE.

Return value
If the function succeeds, the function returns TRUE.
If the function is unable to perform the evaluation, it returns FALSE. Use SetLastError to return an error to the access check function.

Remarks
Security attribute variables must be present in the client context if they are referred to in a conditional expression; otherwise, the conditional expression term that references them evaluates to unknown.
For more information, see the How AccessCheck Works and Centralized Authorization Policy overviews.
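An implementation of this callback contract, added here as an example and not code from the Windows SDK documentation: ClearanceAceCallback has the AuthzAccessCheckCallback signature and decides whether a callback ACE applies by comparing a required clearance level, which the application (by assumption) stores after the SID of each callback ACE, against the caller's clearance passed as DynamicGroupArgs; both payload layouts are constructed for this example. Off Windows the SDK types are replaced by minimal stand-ins so the decision logic can be compiled and tested; on Windows the real headers are used.

```c
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <authz.h>
#else
/* Assumption: off Windows these stand-ins replace the SDK declarations so the
   decision logic can be compiled and unit-tested; they are not the SDK itself. */
typedef int BOOL;
typedef unsigned char BYTE;
typedef unsigned short WORD;
typedef unsigned int DWORD;
typedef void *PVOID;
typedef BOOL *PBOOL;
typedef PVOID AUTHZ_CLIENT_CONTEXT_HANDLE;
typedef struct { BYTE AceType; BYTE AceFlags; WORD AceSize; } ACE_HEADER, *PACE_HEADER;
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE 0x9
#define ACCESS_DENIED_CALLBACK_ACE_TYPE  0xA
#define ERROR_INVALID_PARAMETER 87
#define CALLBACK
#define TRUE 1
#define FALSE 0
static DWORD g_last_error;
static void SetLastError(DWORD e) { g_last_error = e; }
#endif

/* Constructed application payload stored after the SID of each callback ACE;
   Windows leaves those trailing bytes of a callback ACE to the application. */
typedef struct { DWORD required_level; } CLEARANCE_ACE_DATA;

/* Constructed DynamicGroupArgs that the resource manager passes to AuthzAccessCheck. */
typedef struct { DWORD caller_level; } CLEARANCE_ARGS;

/* Offset of SidStart in ACCESS_ALLOWED_CALLBACK_ACE / ACCESS_DENIED_CALLBACK_ACE:
   the 4-byte ACE_HEADER followed by the 4-byte access mask. */
#define CALLBACK_ACE_SID_OFFSET 8u

/* Returns the application payload that follows the SID, or NULL when AceSize does
   not even cover the SID. The SID length comes from its SubAuthorityCount byte:
   revision (1) + count (1) + identifier authority (6) + 4 bytes per subauthority. */
static const BYTE *callback_ace_payload(const ACE_HEADER *hdr, DWORD *payload_len)
{
    const BYTE *raw = (const BYTE *)hdr;
    if (hdr->AceSize < CALLBACK_ACE_SID_OFFSET + 8u) return NULL;
    const BYTE *sid = raw + CALLBACK_ACE_SID_OFFSET;
    DWORD sid_len = 8u + 4u * sid[1];
    if (hdr->AceSize < CALLBACK_ACE_SID_OFFSET + sid_len) return NULL;
    *payload_len = hdr->AceSize - CALLBACK_ACE_SID_OFFSET - sid_len;
    return sid + sid_len;
}

/* The AuthzAccessCheckCallback implementation. Unknown ACE types are reported as an
   error (FALSE plus SetLastError); a malformed payload or missing args never lets an
   allow ACE apply but always keeps a deny ACE in force, so the defaults fail closed. */
BOOL CALLBACK ClearanceAceCallback(AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
                                   PACE_HEADER pAce, PVOID pArgs, PBOOL pbAceApplicable)
{
    (void)hAuthzClientContext;              /* this policy does not consult the context's SIDs */
    if (pAce == NULL || pbAceApplicable == NULL) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;                       /* AuthzAccessCheck then fails the whole check */
    }
    BOOL is_deny = (pAce->AceType == ACCESS_DENIED_CALLBACK_ACE_TYPE);
    if (!is_deny && pAce->AceType != ACCESS_ALLOWED_CALLBACK_ACE_TYPE) {
        SetLastError(ERROR_INVALID_PARAMETER); /* an ACE type this policy was not written for */
        return FALSE;
    }
    DWORD len = 0;
    const BYTE *payload = callback_ace_payload(pAce, &len);
    if (payload == NULL || len < sizeof(CLEARANCE_ACE_DATA) || pArgs == NULL) {
        *pbAceApplicable = is_deny;         /* fail closed */
        return TRUE;
    }
    CLEARANCE_ACE_DATA data;
    memcpy(&data, payload, sizeof data);    /* payload bytes are not necessarily aligned */
    const CLEARANCE_ARGS *args = (const CLEARANCE_ARGS *)pArgs;
    *pbAceApplicable = (args->caller_level >= data.required_level) ? TRUE : FALSE;
    return TRUE;
}

/* Test helper: builds a callback ACE for the constructed SID S-1-5-32 carrying the
   given required level (or, when truncated is nonzero, no payload at all) and runs
   the callback. Returns 1 if the ACE applies, 0 if not, -1 if the callback failed. */
static int evaluate_clearance_ace(BYTE ace_type, DWORD required_level,
                                  DWORD caller_level, int truncated)
{
    static const BYTE sid[12] = { 1, 1, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0 };
    union { ACE_HEADER hdr; BYTE bytes[64]; } ace;
    memset(&ace, 0, sizeof ace);
    DWORD size = CALLBACK_ACE_SID_OFFSET + sizeof sid;
    memcpy(ace.bytes + CALLBACK_ACE_SID_OFFSET, sid, sizeof sid);
    if (!truncated) {
        memcpy(ace.bytes + size, &required_level, sizeof required_level);
        size += sizeof(CLEARANCE_ACE_DATA);
    }
    ace.hdr.AceType = ace_type;
    ace.hdr.AceSize = (WORD)size;
    CLEARANCE_ARGS args = { caller_level };
    BOOL applicable = FALSE;
    if (!ClearanceAceCallback(NULL, &ace.hdr, &args, &applicable)) return -1;
    return applicable ? 1 : 0;
}
```

An allow ACE the callback marks as not applicable is simply left out of the access check, while a deny ACE marked applicable is enforced, which is why the fallback paths above set the result from the ACE type rather than a fixed value.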
Requirements
Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Redistributable: Windows Server 2003 Administration Tools Pack on Windows XP

See also
Basic Access Control Functions
Centralized Authorization Policy
How AccessCheck Works
AuthzAccessCheck
AuthzCachedAccessCheck
AuthzInitializeRemoteResourceManager
AuthzInitializeResourceManager

AuthzComputeGroupsCallback callback function
3/5/2021

The AuthzComputeGroupsCallback function is an application-defined function that creates a list of security identifiers (SIDs) that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name.

Syntax
BOOL CALLBACK AuthzComputeGroupsCallback(
_In_ AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
_In_ PVOID Args,
_Out_ PSID_AND_ATTRIBUTES *pSidAttrArray,
_Out_ PDWORD pSidCount,
_Out_ PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray,
_Out_ PDWORD pRestrictedSidCount
);

Parameters
hAuthzClientContext [in]
A handle to a client context.
Args [in]
Data passed in the DynamicGroupArgs parameter of a call to the AuthzInitializeContextFromAuthzContext, AuthzInitializeContextFromSid, or AuthzInitializeContextFromToken function.
pSidAttrArray [out]
A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures.
These structures represent the groups to which the client belongs.
pSidCount [out]
The number of structures in pSidAttrArray.
pRestrictedSidAttrArray [out]
A pointer to a pointer variable that receives the address of an array of SID_AND_ATTRIBUTES structures.
These structures represent the groups from which the client is restricted.
pRestrictedSidCount [out]
The number of structures in pRestrictedSidAttrArray.

Return value
If the function successfully returns a list of SIDs, the return value is TRUE.
If the function fails, the return value is FALSE.

Remarks
Applications can also add SIDs to the client context by calling AuthzAddSidsToContext .
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.

Requirements
Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Redistributable Windows Server 2003 Administration Tools Pack on Windows XP

See also
Basic Access Control Functions
AuthzAddSidsToContext
AuthzCachedAccessCheck
AuthzInitializeContextFromAuthzContext
AuthzInitializeContextFromSid
AuthzInitializeContextFromToken
AuthzInitializeResourceManager
SID_AND_ATTRIBUTES
AuthzFreeCentralAccessPolicyCallback callback function
3/5/2021 • 2 minutes to read

The AuthzFreeCentralAccessPolicyCallback function is an application-defined function that frees memory
allocated by the AuthzGetCentralAccessPolicyCallback function. AuthzFreeCentralAccessPolicyCallback is a
placeholder for the application-defined function name.

Syntax
BOOL CALLBACK AuthzFreeCentralAccessPolicyCallback(
_In_ PVOID pCentralAccessPolicy
);

Parameters
pCentralAccessPolicy [in]
Pointer to the central access policy to be freed.

Return value
If the function succeeds, the function returns TRUE.
If the function is unable to perform the evaluation, it returns FALSE. Use SetLastError to return an error to the
access check function.

See also
AUTHZ_INIT_INFO
AuthzGetCentralAccessPolicyCallback
AuthzFreeGroupsCallback callback function
3/5/2021 • 2 minutes to read

The AuthzFreeGroupsCallback function is an application-defined function that frees memory allocated by the
AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined
function name.

Syntax
void CALLBACK AuthzFreeGroupsCallback(
_In_ PSID_AND_ATTRIBUTES pSidAttrArray
);

Parameters
pSidAttrArray [in]
A pointer to memory allocated by AuthzComputeGroupsCallback .

Return value
This callback function does not return a value.

Remarks
Attribute variables must be in the form of an expression when used with logical operators; otherwise, they are
evaluated as unknown.

Requirements
Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Redistributable Windows Server 2003 Administration Tools Pack on Windows XP

See also
Basic Access Control Functions
AuthzComputeGroupsCallback
AuthzGetCentralAccessPolicyCallback callback function
3/5/2021 • 2 minutes to read

The AuthzGetCentralAccessPolicyCallback function is an application-defined function that retrieves the central
access policy. AuthzGetCentralAccessPolicyCallback is a placeholder for the application-defined function name.

Syntax
BOOL CALLBACK AuthzGetCentralAccessPolicyCallback (
_In_ AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
_In_ PSID capid,
_In_opt_ PVOID pArgs,
_Out_ PBOOL pCentralAccessPolicyApplicable,
_Out_ PVOID ppCentralAccessPolicy
);

Parameters
hAuthzClientContext [in]
Handle to the client context.
capid [in]
ID of the central access policy to retrieve.
pArgs [in, optional]
Optional arguments that were passed to the AuthzAccessCheck function through the OptionalArguments
member of the AUTHZ_ACCESS_REQUEST structure.
pCentralAccessPolicyApplicable [out]
Pointer to a Boolean value that the resource manager uses to indicate whether a central access policy should be
used during access evaluation.
ppCentralAccessPolicy [out]
Pointer to the central access policy (CAP) to be used for evaluating access. If this value is NULL, the default CAP
is applied.

Return value
If the function succeeds, the function returns TRUE.
If the function is unable to perform the evaluation, it returns FALSE. Use SetLastError to return an error to the
access check function.

Requirements
Requirement Value
Minimum supported client Windows 8 [desktop apps only]
Minimum supported server Windows Server 2012 [desktop apps only]
Redistributable Windows Server 2003 Administration Tools Pack on Windows XP

See also
AUTHZ_ACCESS_REQUEST
AUTHZ_INIT_INFO
AuthzAccessCheck
BuildImpersonateExplicitAccessWithName function
3/5/2021 • 2 minutes to read

This function is not supported.

BuildImpersonateTrustee function
3/5/2021 • 2 minutes to read

This function is not supported.

GetMultipleTrustee function
3/5/2021 • 2 minutes to read

This function is not supported.

GetMultipleTrusteeOperation function
3/5/2021 • 2 minutes to read

This function is not supported.

NtCompareTokens function
3/5/2021 • 2 minutes to read

The NtCompareTokens function compares two access tokens and determines whether they are equivalent
with respect to a call to the AccessCheck function.

Syntax
NTSTATUS NTAPI NtCompareTokens(
_In_ HANDLE FirstTokenHandle,
_In_ HANDLE SecondTokenHandle,
_Out_ PBOOLEAN Equal
);

Parameters
FirstTokenHandle [in]
A handle to the first access token to compare. The token must be open for TOKEN_QUERY access.
SecondTokenHandle [in]
A handle to the second access token to compare. The token must be open for TOKEN_QUERY access.
Equal [out]
A pointer to a variable that receives a value that indicates whether the tokens represented by the
FirstTokenHandle and SecondTokenHandle parameters are equivalent.

Return value
If the function succeeds, the function returns STATUS_SUCCESS.
If the function fails, it returns an NTSTATUS error code.

Remarks
Two access control tokens are considered to be equivalent if all of the following conditions are true:
Every security identifier (SID) that is present in either token is also present in the other token.
Neither or both of the tokens are restricted.
If both tokens are restricted, every SID that is restricted in one token is also restricted in the other token.
Every privilege present in either token is also present in the other token.
This function has no associated import library or header file; you must call it using the LoadLibrary and
GetProcAddress functions.

Requirements
Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Header Ntseapi.h
DLL Ntdll.dll
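The Remarks above define token equivalence as four set conditions. The following Python is an added example, not part of the reference page: it encodes those four rules over constructed token models so the effect of each rule can be observed offline, and it adds a Windows-only helper that resolves NtCompareTokens from ntdll.dll at run time through ctypes, the loading method the page prescribes. The account SID, group memberships and privilege sets are constructed sample values (S-1-1-0 and S-1-5-32-545 are the real well-known Everyone and Users SIDs); the model tracks only what the documented rules mention, so SID attributes such as enabled or deny-only are deliberately absent.

```python
"""Added example: the NtCompareTokens equivalence rules as runnable Python.

The pure-Python part encodes the four conditions from the Remarks so each rule can be
exercised offline on constructed tokens; the Windows-only helper at the end calls the
real NtCompareTokens, resolved from ntdll.dll at run time because the function has no
import library or public header.
"""
import sys
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class TokenModel:
    """Only the token parts the documented rules mention; SID attributes are not among them."""
    sids: FrozenSet[str]                                # user SID plus group SIDs, as S-1-... strings
    privileges: FrozenSet[str]                          # privilege names such as "SeShutdownPrivilege"
    restricted_sids: Optional[FrozenSet[str]] = None    # None means the token is not restricted


def tokens_equivalent(a: TokenModel, b: TokenModel) -> bool:
    """True when a and b are equivalent under the four NtCompareTokens conditions."""
    # 1. Every SID present in either token is also present in the other.
    if a.sids != b.sids:
        return False
    # 2. Neither or both of the tokens are restricted.
    if (a.restricted_sids is None) != (b.restricted_sids is None):
        return False
    # 3. If both are restricted, the restricting SID sets must match exactly.
    if a.restricted_sids is not None and a.restricted_sids != b.restricted_sids:
        return False
    # 4. Every privilege present in either token is also present in the other.
    return a.privileges == b.privileges


# Constructed sample values: S-1-1-0 (Everyone) and S-1-5-32-545 (Users) are
# well-known SIDs; the S-1-5-21-... account SID is a made-up placeholder.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
EVERYONE, USERS = "S-1-1-0", "S-1-5-32-545"

BASE = TokenModel(
    sids=frozenset({USER_SID, EVERYONE, USERS}),
    privileges=frozenset({"SeChangeNotifyPrivilege", "SeShutdownPrivilege"}),
)
# Same membership and privileges listed in another order: sets ignore ordering.
REORDERED = TokenModel(
    sids=frozenset({USERS, USER_SID, EVERYONE}),
    privileges=frozenset({"SeShutdownPrivilege", "SeChangeNotifyPrivilege"}),
)
# Same SIDs and privileges but restricted to Users: rule 2 separates it from BASE.
RESTRICTED = TokenModel(BASE.sids, BASE.privileges, frozenset({USERS}))
RESTRICTED_COPY = TokenModel(BASE.sids, BASE.privileges, frozenset({USERS}))
# Restricted too, but by a different SID set: rule 3 fails against RESTRICTED.
RESTRICTED_OTHER = TokenModel(BASE.sids, BASE.privileges, frozenset({EVERYONE}))
# Same SIDs, one privilege more: rule 4 fails against BASE.
MORE_PRIVS = TokenModel(BASE.sids, BASE.privileges | {"SeDebugPrivilege"})


def compare_samples() -> dict:
    """Evaluate the constructed pairs; each entry isolates one of the four rules."""
    return {
        "reordered_vs_base": tokens_equivalent(BASE, REORDERED),
        "restricted_vs_base": tokens_equivalent(BASE, RESTRICTED),
        "restricted_vs_copy": tokens_equivalent(RESTRICTED, RESTRICTED_COPY),
        "restricted_vs_other": tokens_equivalent(RESTRICTED, RESTRICTED_OTHER),
        "more_privs_vs_base": tokens_equivalent(BASE, MORE_PRIVS),
    }


def nt_compare_tokens(first_handle: int, second_handle: int) -> bool:
    """Windows only: call the real NtCompareTokens. Both handles need TOKEN_QUERY access."""
    import ctypes
    from ctypes import wintypes

    fn = ctypes.WinDLL("ntdll").NtCompareTokens     # run-time lookup, as the page requires
    fn.restype = ctypes.c_long                        # NTSTATUS
    fn.argtypes = [wintypes.HANDLE, wintypes.HANDLE, ctypes.POINTER(ctypes.c_ubyte)]  # PBOOLEAN
    equal = ctypes.c_ubyte(0)
    status = fn(first_handle, second_handle, ctypes.byref(equal))
    if status < 0:                                    # negative NTSTATUS values are errors
        raise OSError(f"NtCompareTokens failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return bool(equal.value)


if __name__ == "__main__":
    for name, result in compare_samples().items():
        print(f"{name}: {'equivalent' if result else 'not equivalent'}")
    if sys.platform == "win32":
        # Sanity check on a live system: a token compared with itself must be equivalent.
        import ctypes
        from ctypes import wintypes
        TOKEN_QUERY = 0x0008
        advapi32, kernel32 = ctypes.WinDLL("advapi32"), ctypes.WinDLL("kernel32")
        kernel32.GetCurrentProcess.restype = wintypes.HANDLE
        advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
        token = wintypes.HANDLE()
        if advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
            print("self-compare:", nt_compare_tokens(token.value, token.value))
            kernel32.CloseHandle(token)
```

The point of the constructed pairs is what the equivalence is good for: a resource manager that caches an AccessCheck decision per token can reuse it across two tokens only when all four rules hold, so a restricted token (rule 2) or a token with one extra privilege (rule 4) must get its own evaluation even though its SID list is identical.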
Authorization Interfaces
3/5/2021 • 3 minutes to read

The following interfaces are used with authorization applications.

In this section
Topic Description
IAzApplication Defines an installed instance of an application. An IAzApplication object is created when an application is installed.
IAzApplication2 Inherits from the IAzApplication interface and implements additional methods to initialize IAzClientContext2 objects.
IAzApplication3 Provides methods to manage IAzRoleAssignment, IAzRoleDefinition, and IAzScope2 objects.
IAzApplications Represents a collection of IAzApplication objects.
IAzApplicationGroup Defines a collection of principals.
IAzApplicationGroup2 Extends the IAzApplicationGroup interface by adding support for the BizRule group type.
IAzApplicationGroups Represents a collection of IAzApplicationGroup objects.
IAzAuthorizationStore Defines the container that is the root of the authorization policy store.
IAzAuthorizationStore2 Inherits from the AzAuthorizationStore object and implements methods to create and open IAzApplication2 objects.
IAzAuthorizationStore3 Extends the IAzAuthorizationStore2 interface with methods that manage business rule (BizRule) support and caching.
IAzBizRuleContext Contains information about a Business Rule (BizRule) operation.
IAzBizRuleInterfaces Provides methods and properties used to manage a list of IDispatch interfaces that can be called by business rule (BizRule) scripts.
IAzBizRuleParameters Provides methods and properties used to manage a list of parameters that can be passed to business rule (BizRule) scripts.
IAzClientContext Maintains the state that describes a particular client.
IAzClientContext2 Inherits from the IAzClientContext interface and implements new methods that manipulate the client context.
IAzClientContext3 Extends the IAzClientContext2 interface.
IAzNameResolver Translates security identifiers (SIDs) into principal display names.
IAzObjectPicker Displays a dialog box that allows users to select one or more principals from a list.
IAzOperation Defines a low-level operation supported by an application.
IAzOperation2 Extends the IAzOperation with a method that returns the role assignments associated with the operation.
IAzOperations Represents a collection of IAzOperation objects.
IAzPrincipalLocator Locates and chooses Active Directory Application Mode (ADAM) principals in Authorization Manager.
IAzRole Defines the set of operations that can be performed by a set of users within a scope.
IAzRoleAssignment Represents a role to which users and groups can be assigned.
IAzRoleAssignments Represents a collection of IAzRoleAssignment objects.
IAzRoleDefinition Represents one or more IAzRoleDefinition, IAzTask, and IAzOperation objects that specify a set of operations.
IAzRoleDefinitions Represents a collection of IAzRoleDefinition objects.
IAzRoles Represents a collection of IAzRole objects.
IAzScope Defines a logical container of resources to which the application manages access.
IAzScope2 Extends the IAzScope interface to manage IAzRoleAssignment and IAzRoleDefinition objects.
IAzScopes Represents a collection of IAzScope objects.
IAzTask Describes a set of operations.
IAzTask2 Extends the IAzTask interface with a method that returns the role assignments associated with the task.
IAzTasks Represents a collection of IAzTask objects.
IeAxiService Initializes a system service object to install an ActiveX object when the current user does not have permission to install the object.
IeAxiServiceCallback Called by the IeAxiSystemInstaller interface to verify that an ActiveX object can be installed.
IeAxiSystemInstaller Installs an ActiveX object.
IEffectivePermission Provides a means to determine effective permission for a security principal on an object.
IEffectivePermission2 Provides a way to determine effective permission for a security principal on an object.
ISecurityInformation Enables the access control editor to communicate with the caller of the CreateSecurityPage and EditSecurity functions.
ISecurityInformation2 Enables the access control editor to obtain information from the client that is not provided by the ISecurityInformation interface.
ISecurityInformation3 Provides methods necessary for displaying an elevated access control editor when a user clicks the Edit button on an access control editor page that displays an image of a shield on that Edit button.
ISecurityInformation4 Enables the access control editor (ACE) to obtain the share's security descriptor to initialize the share page.
ISecurityObjectTypeInfo Provides a means of determining the source of inherited access control entries (ACEs) in discretionary access control lists (DACLs) and system access control lists (SACLs).
Authorization interfaces are categorized according to usage as follows:


Access Control Editor Interfaces
ActiveX Installer Interfaces
Authorization Manager Interfaces

Access Control Editor Interfaces


The following interfaces are used with the access control editor.
IEffectivePermission
ISecurityInformation
ISecurityInformation2
ISecurityInformation3
ISecurityObjectTypeInfo

ActiveX Installer Interfaces


ActiveX Installer provides the following interfaces.
IeAxiService
IeAxiServiceCallback
IeAxiSystemInstaller

Authorization Manager Interfaces


Authorization Manager provides the following interfaces.
IAzApplication
IAzApplication2
IAzApplication3
IAzApplications
IAzApplicationGroup
IAzApplicationGroup2
IAzApplicationGroups
IAzAuthorizationStore
IAzAuthorizationStore2
IAzAuthorizationStore3
IAzBizRuleContext
IAzBizRuleInterfaces
IAzBizRuleParameters
IAzClientContext
IAzClientContext2
IAzClientContext3
IAzNameResolver
IAzObjectPicker
IAzOperation
IAzOperation2
IAzOperations
IAzPrincipalLocator
IAzRole
IAzRoleAssignment
IAzRoleAssignments
IAzRoleDefinition
IAzRoleDefinitions
IAzRoles
IAzScope
IAzScope2
IAzScopes
IAzTask
IAzTask2
IAzTasks
IAzApplication Methods
3/5/2021 • 2 minutes to read

The IAzApplication interface exposes the following methods.

In this section
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CreateApplicationGroup Method
CreateOperation Method
CreateRole Method
CreateScope Method
CreateTask Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeleteOperation Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
DeleteRole Method
DeleteScope Method
DeleteTask Method
GetProperty Method
InitializeClientContextFromName Method
InitializeClientContextFromStringSid Method
InitializeClientContextFromToken Method
OpenApplicationGroup Method
OpenOperation Method
OpenRole Method
OpenScope Method
OpenTask Method
SetProperty Method
Submit Method
IAzApplication Properties
3/5/2021 • 2 minutes to read

The IAzApplication interface exposes the following properties.

In this section
ApplicationData Property
ApplicationGroups Property
ApplyStoreSacl Property
AuthzInterfaceClsid Property
DelegatedPolicyUsers Property
DelegatedPolicyUsersName Property
Description Property
GenerateAudits Property
Name Property
Operations Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
Roles Property
Scopes Property
Tasks Property
Version Property
Writable Property
IAzApplication2 Methods
3/5/2021 • 2 minutes to read

The IAzApplication2 interface exposes the following methods.

In this section
InitializeClientContext2 Method
InitializeClientContextFromToken2 Method
IAzApplication3 Methods
3/5/2021 • 2 minutes to read

The IAzApplication3 interface exposes the following methods.

In this section
CreateRoleAssignment Method
CreateRoleDefinition Method
CreateScope2 Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
DeleteScope2 Method
OpenRoleAssignment Method
OpenRoleDefinition Method
OpenScope2 Method
ScopeExists Method
IAzApplication3 Properties
3/5/2021 • 2 minutes to read

The IAzApplication3 interface exposes the following properties.

In this section
BizRulesEnabled Property
RoleAssignments Property
RoleDefinitions Property
IAzApplications Properties
3/5/2021 • 2 minutes to read

The IAzApplications interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IAzApplicationGroup Methods
3/5/2021 • 2 minutes to read

The IAzApplicationGroup interface exposes the following methods.

In this section
AddAppMember Method
AddAppNonMember Method
AddMember Method
AddMemberName Method
AddNonMember Method
AddNonMemberName Method
AddPropertyItem Method
DeleteAppMember Method
DeleteAppNonMember Method
DeleteMember Method
DeleteMemberName Method
DeleteNonMember Method
DeleteNonMemberName Method
DeletePropertyItem Method
GetProperty Method
SetProperty Method
Submit Method
IAzApplicationGroup Properties
3/5/2021 • 2 minutes to read

The IAzApplicationGroup interface exposes the following properties.

In this section
AppMembers Property
AppNonMembers Property
Description Property
LdapQuery Property
Members Property
MembersName Property
Name Property
NonMembers Property
NonMembersName Property
Type Property
Writable Property
IAzApplicationGroup2 Properties
3/5/2021 • 2 minutes to read

The IAzApplicationGroup2 interface exposes the following properties.

In this section
BizRule Property
BizRuleImportedPath Property
BizRuleLanguage Property
RoleAssignments Property
IAzApplicationGroups Properties
3/5/2021 • 2 minutes to read

The IAzApplicationGroups interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IAzAuthorizationStore Methods
3/5/2021 • 2 minutes to read

The IAzAuthorizationStore interface exposes the following methods.

In this section
AddDelegatedPolicyUser Method
AddDelegatedPolicyUserName Method
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CloseApplication Method
CreateApplication Method
CreateApplicationGroup Method
Delete Method
DeleteApplication Method
DeleteApplicationGroup Method
DeleteDelegatedPolicyUser Method
DeleteDelegatedPolicyUserName Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
GetProperty Method
Initialize Method
OpenApplication Method
OpenApplicationGroup Method
SetProper ty Method
Submit Method
UpdateCache Method
IAzAuthorizationStore Properties
3/5/2021 • 2 minutes to read

The IAzAuthorizationStore interface exposes the following properties.

In this section
ApplicationData Property
ApplicationGroups Property
Applications Property
ApplyStoreSacl Property
DelegatedPolicyUsers Property
DelegatedPolicyUsersName Property
Description Property
DomainTimeout Property
GenerateAudits Property
MaxScriptEngines Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
ScriptEngineTimeout Property
TargetMachine Property
Writable Property
IAzAuthorizationStore2 Methods
3/5/2021 • 2 minutes to read

The IAzAuthorizationStore2 interface exposes the following methods.

In this section
CreateApplication2 Method
OpenApplication2 Method
IAzAuthorizationStore3 Methods
3/5/2021 • 2 minutes to read

The IAzAuthorizationStore3 interface exposes the following methods.

In this section
BizruleGroupSupported Method
GetSchemaVersion Method
IsFunctionalLevelUpgradeSupported Method
IsUpdateNeeded Method
UpgradeStoresFunctionalLevel Method
IAzBizRuleContext Properties
3/5/2021 • 2 minutes to read

The IAzBizRuleContext interface exposes the following properties.

In this section
BusinessRuleResult Property
BusinessRuleString Property
GetParameter Method
IAzBizRuleInterfaces Methods
3/5/2021 • 2 minutes to read

The IAzBizRuleInterfaces interface exposes the following methods.

In this section
AddInterface Method
AddInterfaces Method
GetInterfaceValue Method
Remove Method
RemoveAll Method
IAzBizRuleInterfaces Properties
3/5/2021 • 2 minutes to read

The IAzBizRuleInterfaces interface exposes the following properties.

In this section
Count Property
IAzBizRuleParameters Methods
3/5/2021 • 2 minutes to read

The IAzBizRuleParameters interface exposes the following methods.

In this section
AddParameter Method
AddParameters Method
GetParameterValue Method
Remove Method
RemoveAll Method
IAzBizRuleParameters Properties
3/5/2021 • 2 minutes to read

The IAzBizRuleParameters interface exposes the following properties.

In this section
Count Property
IAzClientContext Methods
3/5/2021 • 2 minutes to read

The IAzClientContext interface exposes the following methods.

In this section
AccessCheck Method
GetBusinessRuleString Method
GetProperty Method
GetRoles Method
IAzClientContext Properties
3/5/2021 • 2 minutes to read

The IAzClientContext interface exposes the following properties.

In this section
RoleForAccessCheck Property
UserCanonical Property
UserDisplay Property
UserDn Property
UserDnsSamCompat Property
UserGuid Property
UserSamCompat Property
UserUpn Property
IAzClientContext2 Methods
3/5/2021 • 2 minutes to read

The IAzClientContext2 interface exposes the following methods.

In this section
AddApplicationGroups Method
AddRoles Method
AddStringSids Method
GetAssignedScopesPage Method
IAzClientContext2 Properties
3/5/2021 • 2 minutes to read

The IAzClientContext2 interface exposes the following properties.

In this section
LDAPQueryDN Property
IAzClientContext3 Methods
3/5/2021 • 2 minutes to read

The IAzClientContext3 interface exposes the following methods.

In this section
AccessCheck2 Method
GetGroups Method
GetOperations Method
GetTasks Method
IsInRoleAssignment Method
IAzClientContext3 Properties
3/5/2021 • 2 minutes to read

The IAzClientContext3 interface exposes the following properties.

In this section
BizRuleInterfaces Property
BizRuleParameters Property
Sids Property
IAzNameResolver Methods
3/5/2021 • 2 minutes to read

The IAzNameResolver interface exposes the following methods.

In this section
NameFromSid Method
NamesFromSids Method
IAzObjectPicker Methods
3/5/2021 • 2 minutes to read

The IAzObjectPicker interface exposes the following methods.

In this section
GetPrincipals Method
Name Property
IAzOperation Methods
3/5/2021 • 2 minutes to read

The IAzOperation interface exposes the following methods.

In this section
GetProperty Method
SetProperty Method
Submit Method
IAzOperation Properties
3/5/2021 • 2 minutes to read

The IAzOperation interface exposes the following properties.

In this section
ApplicationData Property
Description Property
Name Property
OperationID Property
Writable Property
IAzOperation2 Methods
3/5/2021 • 2 minutes to read

The IAzOperation2 interface exposes the following methods.

In this section
RoleAssignments Method
IAzOperations Properties
3/5/2021 • 2 minutes to read

The IAzOperations interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IAzPrincipalLocator Properties
3/5/2021 • 2 minutes to read

The IAzPrincipalLocator interface exposes the following properties.

In this section
NameResolver Property
ObjectPicker Property
IAzRole Methods
3/5/2021 • 2 minutes to read

The IAzRole interface exposes the following methods.

In this section
AddAppMember Method
AddMember Method
AddMemberName Method
AddOperation Method
AddPropertyItem Method
AddTask Method
DeleteAppMember Method
DeleteMember Method
DeleteMemberName Method
DeleteOperation Method
DeletePropertyItem Method
DeleteTask Method
GetProperty Method
SetProperty Method
Submit Method
IAzRole Properties
3/5/2021 • 2 minutes to read

The IAzRole interface exposes the following properties.

In this section
ApplicationData Property
AppMembers Property
Description Property
Members Property
MembersName Property
Name Property
Operations Property
Tasks Property
Writable Property
IAzRoleAssignment Methods
3/5/2021 • 2 minutes to read

The IAzRoleAssignment interface exposes the following methods.

In this section
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleAssignment Properties
3/5/2021 • 2 minutes to read

The IAzRoleAssignment interface exposes the following properties.

In this section
RoleDefinitions Property
Scope Property
IAzRoleAssignments Properties
3/5/2021 • 2 minutes to read

The IAzRoleAssignments interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IAzRoleDefinition Methods
3/5/2021 • 2 minutes to read

The IAzRoleDefinition interface exposes the following methods.

In this section
AddRoleDefinition Method
DeleteRoleDefinition Method
IAzRoleDefinition Properties
3/5/2021 • 2 minutes to read

The IAzRoleDefinition interface exposes the following properties.

In this section
RoleAssignments Property
RoleDefinitions Property
IAzRoleDefinitions Properties
3/5/2021 • 2 minutes to read

The IAzRoleDefinitions interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IAzRoles Properties
3/5/2021 • 2 minutes to read

The IAzRoles interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IAzScope Methods
3/5/2021 • 2 minutes to read

The IAzScope interface exposes the following methods.

In this section
AddPolicyAdministrator Method
AddPolicyAdministratorName Method
AddPolicyReader Method
AddPolicyReaderName Method
AddPropertyItem Method
CreateApplicationGroup Method
CreateRole Method
CreateTask Method
DeleteApplicationGroup Method
DeletePolicyAdministrator Method
DeletePolicyAdministratorName Method
DeletePolicyReader Method
DeletePolicyReaderName Method
DeletePropertyItem Method
DeleteRole Method
DeleteTask Method
GetProperty Method
OpenApplicationGroup Method
OpenRole Method
OpenTask Method
SetProperty Method
Submit Method
IAzScope Properties
3/5/2021 • 2 minutes to read

The IAzScope interface exposes the following properties.

In this section
ApplicationData Property
ApplicationGroups Property
BizrulesWritable Property
CanBeDelegated Property
Description Property
Name Property
PolicyAdministrators Property
PolicyAdministratorsName Property
PolicyReaders Property
PolicyReadersName Property
Roles Property
Tasks Property
Writable Property
IAzScope2 Methods
3/5/2021 • 2 minutes to read

The IAzScope2 interface exposes the following methods.

In this section
CreateRoleAssignment Method
CreateRoleDefinition Method
DeleteRoleAssignment Method
DeleteRoleDefinition Method
OpenRoleAssignment Method
OpenRoleDefinition Method
IAzScope2 Properties
3/5/2021 • 2 minutes to read

The IAzScope2 interface exposes the following properties.

In this section
RoleAssignments Property
RoleDefinitions Property
IAzScopes Properties
3/5/2021 • 2 minutes to read

The IAzScopes interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IAzTask Methods
3/5/2021 • 2 minutes to read

The IAzTask interface exposes the following methods.

In this section
AddOperation Method
AddPropertyItem Method
AddTask Method
DeleteOperation Method
DeletePropertyItem Method
DeleteTask Method
GetProperty Method
SetProperty Method
Submit Method
IAzTask Properties
3/5/2021 • 2 minutes to read

The IAzTask interface exposes the following properties.

In this section
ApplicationData Property
BizRule Property
BizRuleImportedPath Property
BizRuleLanguage Property
Description Property
IsRoleDefinition Property
Name Property
Operations Property
Tasks Property
Writable Property
IAzTask2 Methods
3/5/2021 • 2 minutes to read

The IAzTask2 interface exposes the following methods.

In this section
RoleAssignments Method
IAzTasks Properties
3/5/2021 • 2 minutes to read

The IAzTasks interface exposes the following properties.

In this section
Count Property
Item Property
_NewEnum Property
IeAxiService interface
3/5/2021 • 2 minutes to read

The IeAxiService interface initializes a system service object to install an ActiveX object when the current user
does not have permission to install the object.
The CIeAxiInstallerService class implements this interface.
This interface is not declared in a public header. Applications must define it themselves. The following Interface
Definition Language (IDL) fragment describes this interface, including its IID.

[
object,
uuid(E9E92380-9ECD-4982-A0EB-6815A56CCF27),
pointer_default(unique)
]

interface IeAxiService : IUnknown{

HRESULT Initialize(
[in] HWND hwndParent,
[in] DWORD dwClientPID,
[in] BSTR bstrDesktop,
[in] BSTR bstrClsID,
[in] BSTR bstrURL,
[out] BSTR * pbstrNonce,
[out] IUnknown** ppISyncBrokerInterface
);

HRESULT Cleanup();
};

Members
The IeAxiService interface inherits from the IUnknown interface. IeAxiService also has these types of
members:
Methods
Methods
The IeAxiService interface has these methods.

Method Description
Cleanup Frees resources used by the IeAxiService interface.
Initialize Checks and downloads an ActiveX object.

Requirements
Requirement Value
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]
Minimum supported server None supported
IID IID_IeAxiService is defined as E9E92380-9ECD-4982-A0EB-6815A56CCF27
IeAxiService Methods
3/5/2021 • 2 minutes to read

The IeAxiService interface exposes the following methods.

In this section
Cleanup Method
Initialize Method
IeAxiService::Cleanup method
3/5/2021 • 2 minutes to read

The Cleanup method frees resources used by the IeAxiService interface.

Syntax
HRESULT Cleanup();

Parameters
This method has no parameters.

Return value
If the method succeeds, the method returns S_OK.
If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see
Common HRESULT Values.

Requirements
Requirement Value
Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]
Minimum supported server None supported
IID IID_IeAxiService is defined as E9E92380-9ECD-4982-A0EB-6815A56CCF27

See also
IeAxiService
IeAxiService::Initialize method
3/5/2021 • 2 minutes to read

The Initialize method checks and downloads an ActiveX object. If the object meets policy requirements, this
method initializes a system object that installs the ActiveX object.

Syntax
HRESULT Initialize(
[in] HWND hwndParent,
[in] DWORD dwClientPID,
[in] BSTR bstrDesktop,
[in] BSTR bstrClsID,
[in] BSTR bstrURL,
[out] BSTR *pbstrNonce,
[out] IUnknown **ppISyncBrokerInterface
);

Parameters
hwndParent [in]
A handle to the parent window of the window that is attempting to install the ActiveX control.
dwClientPID [in]
The process ID of the calling process.
bstrDesktop [in]
The desktop for the object.
bstrClsID [in]
The class ID of the ActiveX object to install.
bstrURL [in]
The URL of the ActiveX object to install.
pbstrNonce [out]
A context that can be used to share state information in calls to other methods used to verify and download the
ActiveX object.
ppISyncBrokerInterface [out]
A pointer to the instance of the IeAxiSystemInstaller interface that installs the ActiveX control.

Return value
If the function succeeds, the return value is S_OK.
If the function fails, the return value can be one of the following error codes.
RET URN C O DE/ VA L UE DESC RIP T IO N

The ActiveX object should not be installed.


TRUST_E_SUBJECT_NOT_TRUSTED
0x800B0004

Requirements
REQUIREMENT VALUE

Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]

Minimum supported server None supported

IID IID_IeAxiService is defined as E9E92380-9ECD-4982-A0EB-6815A56CCF27

See also
IeAxiService
IeAxiServiceCallback interface

The IeAxiServiceCallback interface is called by the IeAxiSystemInstaller interface to verify that an ActiveX
object can be installed.
The CIeAxiInstallerService class implements this interface.
This interface is not declared in a public header. Applications must define it themselves. The following Interface
Definition Language (IDL) fragment describes this interface, including its IID.

[
    object,
    uuid(1823E7BA-EC36-447a-9B2E-B4912E15AFE7),
    dual,
    nonextensible,
    pointer_default(unique)
]
interface IeAxiServiceCallback : IUnknown
{
    HRESULT VerifyFile(
        [in] BSTR bstrFileUrl,
        [out] BSTR * bstrApprovedFileName);
}

Members
The IeAxiServiceCallback interface inherits from the IUnknown interface. IeAxiServiceCallback also has
these types of members:
Methods
Methods
The IeAxiServiceCallback interface has these methods.

METHOD DESCRIPTION

VerifyFile Performs security checks on the specified ActiveX object and returns the location where the corresponding .cab file was downloaded.

Requirements
REQUIREMENT VALUE

Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]

Minimum supported server None supported

IID IID_IeAxiServiceCallback is defined as 1823E7BA-EC36-447a-9B2E-B4912E15AFE7
IeAxiServiceCallback Methods

The IeAxiServiceCallback interface exposes the following methods.

In this section
VerifyFile Method
IeAxiServiceCallback::VerifyFile method

The VerifyFile method performs security checks on the specified ActiveX object and returns the location where
the corresponding .cab file was downloaded.

Syntax
HRESULT VerifyFile(
[in] BSTR bstrFileUrl,
[out] BSTR *bstrApprovedFileName
);

Parameters
bstrFileUrl [in]
The URL of the ActiveX object to check.
bstrApprovedFileName [out]
The name of the file where the .cab file associated with the ActiveX object was downloaded.

Return value
If the method succeeds, the method returns S_OK.
If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see
Common HRESULT Values.

Requirements
REQUIREMENT VALUE

Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]

Minimum supported server None supported

IID IID_IeAxiServiceCallback is defined as 1823E7BA-EC36-447a-9B2E-B4912E15AFE7

See also
IeAxiServiceCallback
IeAxiSystemInstaller interface

The IeAxiSystemInstaller interface installs an ActiveX object.
This interface is not declared in a public header. Applications must define it themselves. The following Interface
Definition Language (IDL) fragment describes this interface, including its IID.

[
    object,
    uuid(a50ea6f8-4764-4299-b309-022b2a8b4d8d)
]
interface IeAxiSystemInstaller : IUnknown
{
    HRESULT InitializeSystemInstaller(
        [in] BSTR bstrUrl,
        [in] DWORD dwClientPID,
        [in] IUnknown* pCallback,
        [out] BSTR * pbstrNonce);
}

Members
The IeAxiSystemInstaller interface inherits from the IUnknown interface. IeAxiSystemInstaller also has
these types of members:
Methods
Methods
The IeAxiSystemInstaller interface has these methods.

METHOD DESCRIPTION

InitializeSystemInstaller Installs the specified ActiveX object.

Requirements
REQUIREMENT VALUE

Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]

Minimum supported server None supported

IID IID_IeAxiSystemInstaller is defined as a50ea6f8-4764-4299-b309-022b2a8b4d8d
IeAxiSystemInstaller Methods

The IeAxiSystemInstaller interface exposes the following methods.

In this section
InitializeSystemInstaller Method
IeAxiSystemInstaller::InitializeSystemInstaller method

The InitializeSystemInstaller method installs the specified ActiveX object.

Syntax
HRESULT InitializeSystemInstaller(
[in] BSTR bstrUrl,
[in] DWORD dwClientPID,
[in] IUnknown *pCallback,
[out] BSTR *pbstrNonce
);

Parameters
bstrUrl [in]
The URL of the ActiveX object to install.
dwClientPID [in]
The process ID of the calling process.
pCallback [in]
A pointer to an instance of the IeAxiServiceCallback interface that verifies whether the ActiveX object is
allowed to be installed.
pbstrNonce [out]
A context that can be used to share state information in calls to other methods used to verify and download the
ActiveX object.

Return value
If the method succeeds, the method returns S_OK.
If the method fails, it returns an HRESULT value that indicates the error. For a list of common error codes, see
Common HRESULT Values.

Requirements
REQUIREMENT VALUE

Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]

Minimum supported server None supported

IID IID_IeAxiSystemInstaller is defined as a50ea6f8-4764-4299-b309-022b2a8b4d8d

See also
IeAxiSystemInstaller
IEffectivePermission Methods

The IEffectivePermission interface exposes the following methods.

In this section
GetEffectivePermission Method
ISecurityInformation Methods

The ISecurityInformation interface exposes the following methods.

In this section
GetAccessRights Method
GetInheritTypes Method
GetObjectInformation Method
GetSecurity Method
MapGeneric Method
PropertySheetPageCallback Method
SetSecurity Method
ISecurityInformation2 Methods

The ISecurityInformation2 interface exposes the following methods.

In this section
IsDaclCanonical Method
LookupSids Method
ISecurityInformation3 Methods

The ISecurityInformation3 interface exposes the following methods.

In this section
GetFullResourceName Method
OpenElevatedEditor Method
ISecurityObjectTypeInfo Methods

The ISecurityObjectTypeInfo interface exposes the following methods.

In this section
GetInheritSource Method
Authorization Objects

The following objects are used with authorization applications.


ActiveX Installer provides the following object.

In this section
TOPIC DESCRIPTION

CIeAxiInstallerService Implements the IAxiService and IeAxiServiceCallback interfaces.

Authorization Manager provides the following objects.

OBJECT DESCRIPTION

AzAuthorizationStore Defines the container that is the root of the authorization policy store.

AzBizRuleContext Contains information about a Business Rule (BizRule) operation.
CIeAxiInstallerService object

The CIeAxiInstallerService object implements the IAxiService and IeAxiServiceCallback interfaces.
This object is not declared in a public header. Applications must define it themselves. The following Interface
Definition Language (IDL) fragment describes this object, including its CLSID.

[
uuid(90F18417-F0F1-484E-9D3C-59DCEEE5DBD8)
]
coclass CIeAxiInstallerService
{
[default] interface IeAxiService;
interface IeAxiServiceCallback;
}

Requirements
REQUIREMENT VALUE

Minimum supported client Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]

Minimum supported server None supported

See also
IAxiService
IeAxiServiceCallback
Authorization Structures

The following structures are used with authorization applications.

In this section
TOPIC DESCRIPTION

ACCESS_ALLOWED_ACE Defines an access control entry (ACE) for the discretionary access control list (DACL) that controls access to an object. An access-allowed ACE allows access to an object for a specific trustee identified by a security identifier (SID).

ACCESS_ALLOWED_CALLBACK_ACE The ACCESS_ALLOWED_CALLBACK_ACE structure defines an access control entry for the discretionary access control list that controls access to an object.

ACCESS_ALLOWED_CALLBACK_OBJECT_ACE Defines an access control entry (ACE) that controls allowed access to an object, property set, or property.

ACCESS_ALLOWED_OBJECT_ACE Defines an access control entry (ACE) that controls allowed access to an object, a property set, or property.

ACCESS_DENIED_ACE Defines an access control entry (ACE) for the discretionary access control list (DACL) that controls access to an object. An access-denied ACE denies access to an object for a specific trustee identified by a security identifier (SID).

ACCESS_DENIED_CALLBACK_ACE The ACCESS_DENIED_CALLBACK_ACE structure defines an access control entry for the discretionary access control list that controls access to an object.

ACCESS_DENIED_CALLBACK_OBJECT_ACE The ACCESS_DENIED_CALLBACK_OBJECT_ACE structure defines an access control entry that controls denied access to an object, a property set, or property.

ACCESS_DENIED_OBJECT_ACE Defines an access control entry (ACE) that controls denied access to an object, a property set, or property.

ACE Lists the currently defined ACE types.

ACE_HEADER Defines the type and size of an access control entry (ACE).

ACL Header of an access control list (ACL).

ACL_REVISION_INFORMATION Contains revision information about an ACL structure.

ACL_SIZE_INFORMATION Contains information about the size of an ACL structure.

AUDIT_POLICY_INFORMATION Specifies a security event type and when to audit that type.

AUTHZ_ACCESS_REPLY Defines an access check reply.

AUTHZ_ACCESS_REQUEST Defines an access check request.

AUTHZ_INIT_INFO Defines the initialization information for the resource manager.

AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET Specifies the offset of a registration object type name.

AUTHZ_RPC_INIT_INFO_CLIENT Initializes a remote resource manager for a client.

AUTHZ_SECURITY_ATTRIBUTE_FQBN_VALUE Specifies a fully qualified binary name value associated with a security attribute.

AUTHZ_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE Specifies an octet string value for a security attribute.

AUTHZ_SECURITY_ATTRIBUTE_V1 Defines a security attribute that can be associated with an authorization context.

AUTHZ_SECURITY_ATTRIBUTES_INFORMATION Specifies one or more security attributes and values.

AUTHZ_SOURCE_SCHEMA_REGISTRATION Specifies information about source schema registration.

CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE Specifies the fully qualified binary name.

CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE Specifies the OCTET_STRING value type of the claim security attribute.

CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 Defines a resource attribute that is defined in continuous memory for persistence within a serialized security descriptor.

CLAIM_SECURITY_ATTRIBUTE_V1 Defines a security attribute that can be associated with a token or authorization context.

CLAIM_SECURITY_ATTRIBUTES_INFORMATION Defines the security attributes for the claim.

EFFPERM_RESULT_LIST Lists the effective permissions.

EXPLICIT_ACCESS Defines access control information for a specified trustee.

GENERIC_MAPPING Defines the mapping of generic access rights to specific and standard access rights for an object.

INHERITED_FROM Provides information about an object's inherited access control entry (ACE).

LUID 64-bit value guaranteed to be unique only on the system on which it was generated.

LUID_AND_ATTRIBUTES Represents a locally unique identifier (LUID) and its attributes.

OBJECT_TYPE_LIST Identifies an object type element in a hierarchy of object types.

OBJECTS_AND_NAME Contains a string that identifies a trustee by name and additional strings that identify the object types of an object-specific access control entry (ACE).

OBJECTS_AND_SID Contains a security identifier (SID) that identifies a trustee and GUIDs that identify the object types of an object-specific access control entry (ACE).

POLICY_AUDIT_SID_ARRAY Specifies an array of SID structures that represent Windows users or groups.

PRIVILEGE_SET Specifies a set of privileges.

SECURITY_ATTRIBUTES The SECURITY_ATTRIBUTES security structure contains the security descriptor for an object and specifies whether the handle retrieved by specifying this structure is inheritable.

SECURITY_CAPABILITIES Defines the security capabilities of the app container.

SECURITY_DESCRIPTOR Contains the security information associated with an object.

SECURITY_OBJECT Contains the security object information.

SECURITY_QUALITY_OF_SERVICE Contains information used to support client impersonation.

SI_ACCESS Contains information about an access right or default access mask for a securable object.

SI_INHERIT_TYPE Contains information about how access control entries (ACEs) can be inherited by child objects.

SI_OBJECT_INFO Used to initialize the access control editor.

SID Used to uniquely identify users or groups.

SID_AND_ATTRIBUTES Represents a security identifier (SID) and its attributes.

SID_AND_ATTRIBUTES_HASH Specifies hash values for the specified array of security identifiers (SIDs).

SID_IDENTIFIER_AUTHORITY Represents the top-level authority of a security identifier (SID).

SID_INFO Contains the list of common names corresponding to the SID structures returned by ISecurityInformation2::LookupSids.

SID_INFO_LIST Contains a list of SID_INFO structures.

SYSTEM_ALARM_ACE The SYSTEM_ALARM_ACE structure is reserved for future use.

SYSTEM_ALARM_CALLBACK_ACE The SYSTEM_ALARM_CALLBACK_ACE structure is reserved for future use.

SYSTEM_ALARM_CALLBACK_OBJECT_ACE The SYSTEM_ALARM_CALLBACK_OBJECT_ACE structure is reserved for future use.

SYSTEM_ALARM_OBJECT_ACE The SYSTEM_ALARM_OBJECT_ACE structure is reserved for future use.

SYSTEM_AUDIT_ACE Defines an access control entry (ACE) for the system access control list (SACL) that specifies what types of access cause system-level notifications.

SYSTEM_AUDIT_CALLBACK_ACE The SYSTEM_AUDIT_CALLBACK_ACE structure defines an access control entry for the system access control list that specifies what types of access cause system-level notifications.

SYSTEM_AUDIT_CALLBACK_OBJECT_ACE The SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure defines an access control entry for a system access control list.

SYSTEM_AUDIT_OBJECT_ACE Defines an access control entry (ACE) for a system access control list (SACL).

SYSTEM_MANDATORY_LABEL_ACE Defines an access control entry (ACE) for the system access control list (SACL) that specifies the mandatory access level and policy for a securable object.

SYSTEM_RESOURCE_ATTRIBUTE_ACE Defines an access control entry (ACE) for the system access control list (SACL) that specifies the system resource attributes for a securable object.

SYSTEM_SCOPED_POLICY_ID_ACE Defines an access control entry (ACE) for the system access control list (SACL) that specifies the scoped policy identifier for a securable object.

TOKEN_ACCESS_INFORMATION Specifies all the information in a token that is necessary to perform an access check.

TOKEN_APPCONTAINER_INFORMATION Specifies all the information in a token that is necessary for an app container.

TOKEN_AUDIT_POLICY Specifies the per user audit policy for a token.

TOKEN_CONTROL Contains information that identifies an access token.

TOKEN_DEFAULT_DACL Specifies a discretionary access control list (DACL).

TOKEN_DEVICE_CLAIMS Defines the device claims for the token.

TOKEN_ELEVATION Indicates whether a token has elevated privileges.

TOKEN_GROUPS Contains information about the group security identifiers (SIDs) in an access token.

TOKEN_GROUPS_AND_PRIVILEGES Contains information about the group security identifiers (SIDs) and privileges in an access token.

TOKEN_LINKED_TOKEN Contains a handle to a token. This token is linked to the token being queried by the GetTokenInformation function or set by the SetTokenInformation function.

TOKEN_MANDATORY_LABEL Specifies the mandatory integrity level for a token.

TOKEN_MANDATORY_POLICY Specifies the mandatory integrity policy for a token.

TOKEN_ORIGIN Contains information about the origin of the logon session.

TOKEN_OWNER Contains the default owner security identifier (SID) that will be applied to newly created objects.

TOKEN_PRIMARY_GROUP Specifies a group security identifier (SID) for an access token.

TOKEN_PRIVILEGES Contains information about a set of privileges for an access token.

TOKEN_SOURCE Identifies the source of an access token.

TOKEN_STATISTICS Contains information about an access token.

TOKEN_USER Identifies the user associated with an access token.

TOKEN_USER_CLAIMS Defines the user claims for the token.

TRUSTEE Identifies the user account, group account, or logon session to which an access control entry (ACE) applies.

Authorization structures are categorized according to usage as follows:


Basic Access Control Structures
Access Control Editor Structures
Client/Server Access Control Structures

Basic Access Control Structures


The following structures are used with access control.
ACCESS_ALLOWED_ACE
ACCESS_ALLOWED_CALLBACK_ACE
ACCESS_ALLOWED_CALLBACK_OBJECT_ACE
ACCESS_ALLOWED_OBJECT_ACE
ACCESS_DENIED_ACE
ACCESS_DENIED_CALLBACK_ACE
ACCESS_DENIED_CALLBACK_OBJECT_ACE
ACCESS_DENIED_OBJECT_ACE
ACE
ACE_HEADER
ACL
ACL_REVISION_INFORMATION
ACL_SIZE_INFORMATION
EXPLICIT_ACCESS
LUID
LUID_AND_ATTRIBUTES
OBJECTS_AND_NAME
OBJECTS_AND_SID
SECURITY_ATTRIBUTES
SECURITY_DESCRIPTOR
SID
SID_AND_ATTRIBUTES
SID_IDENTIFIER_AUTHORITY
SYSTEM_ALARM_ACE
SYSTEM_ALARM_CALLBACK_ACE
SYSTEM_ALARM_CALLBACK_OBJECT_ACE
SYSTEM_ALARM_OBJECT_ACE
SYSTEM_AUDIT_ACE
SYSTEM_AUDIT_CALLBACK_ACE
SYSTEM_AUDIT_CALLBACK_OBJECT_ACE
SYSTEM_AUDIT_OBJECT_ACE
SYSTEM_MANDATORY_LABEL_ACE
TOKEN_CONTROL
TOKEN_DEFAULT_DACL
TOKEN_GROUPS
TOKEN_GROUPS_AND_PRIVILEGES
TOKEN_ORIGIN
TOKEN_OWNER
TOKEN_PRIMARY_GROUP
TOKEN_PRIVILEGES
TOKEN_SOURCE
TOKEN_STATISTICS
TOKEN_USER
TRUSTEE

Access Control Editor Structures


The following structures are used with the access control editor.
INHERITED_FROM
SI_ACCESS
SI_INHERIT_TYPE
SI_OBJECT_INFO
SID_INFO
SID_INFO_LIST

Client/Server Access Control Structures


The following structures implement client/server access control functionality.
AUTHZ_ACCESS_REPLY
AUTHZ_ACCESS_REQUEST
AUTHZ_REGISTRATION_OBJECT_TYPE_NAME_OFFSET
AUTHZ_SOURCE_SCHEMA_REGISTRATION
GENERIC_MAPPING
OBJECT_TYPE_LIST
PRIVILEGE_SET
SECURITY_QUALITY_OF_SERVICE
ACE

An ACE is an access control entry in an access control list (ACL).


The following table lists the currently defined ACE types.

ACE TYPE STRUCTURE ACL TYPE

Access allowed ACCESS_ALLOWED_ACE Discretionary

Access allowed (allows callback during access check) ACCESS_ALLOWED_CALLBACK_ACE Discretionary

Access allowed (object specific) ACCESS_ALLOWED_OBJECT_ACE Discretionary

Access allowed (object specific; allows callback during access check) ACCESS_ALLOWED_CALLBACK_OBJECT_ACE Discretionary

Access denied ACCESS_DENIED_ACE Discretionary

Access denied (allows callback during access check) ACCESS_DENIED_CALLBACK_ACE Discretionary

Access denied (object specific; allows callback during access check) ACCESS_DENIED_CALLBACK_OBJECT_ACE Discretionary

Access denied (object specific) ACCESS_DENIED_OBJECT_ACE Discretionary

System alarm SYSTEM_ALARM_ACE System

System alarm (allows callback during access check) SYSTEM_ALARM_CALLBACK_ACE System

System alarm (object specific; allows callback during access check) SYSTEM_ALARM_CALLBACK_OBJECT_ACE System

System alarm (object specific) SYSTEM_ALARM_OBJECT_ACE System

System audit SYSTEM_AUDIT_ACE System

System audit (allows callback during access check) SYSTEM_AUDIT_CALLBACK_ACE System

System audit (object specific; allows callback during access check) SYSTEM_AUDIT_CALLBACK_OBJECT_ACE System

System audit (object specific) SYSTEM_AUDIT_OBJECT_ACE System

System-alarm and object-specific system-alarm ACEs are not currently supported.

NOTE
Each ACE starts with an ACE_HEADER structure. The format of the data following the header varies according to the
ACE type specified in the header.
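Because every ACE begins with an ACE_HEADER, an ACL can be walked entry by entry without knowing each ACE type in advance, as long as the size fields are checked rather than trusted. The following is an added example, not code from the Microsoft documentation: it mirrors the documented ACL, ACE_HEADER and ACCESS_ALLOWED_ACE/ACCESS_DENIED_ACE layouts in plain C (the _T-suffixed type names, the helper names and the sample buffers are this example's own, assumed for portability off Windows), walks constructed DACL buffers with bounds checks on AclSize, AceCount and AceSize, decodes the trustee SID, and flags a DACL whose explicit deny follows an explicit allow.

```c
/* Added example (not code from the Microsoft documentation): walk a self-relative
 * ACL buffer one ACE at a time using the ACE_HEADER that starts every entry,
 * dispatch on AceType, and flag a non-canonical DACL (an explicit deny placed after
 * an explicit allow).  Struct layouts and constants mirror those documented for
 * Winnt.h so this builds without the Windows SDK; the byte buffers are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ACL_REVISION            2
#define ACCESS_ALLOWED_ACE_TYPE 0x00
#define ACCESS_DENIED_ACE_TYPE  0x01
#define SYSTEM_AUDIT_ACE_TYPE   0x02
#define SYSTEM_ALARM_ACE_TYPE   0x03
#define INHERITED_ACE           0x10   /* AceFlags bit: ACE was inherited */

typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; } ACL_T;  /* LE host assumed */
typedef struct { uint8_t AceType, AceFlags; uint16_t AceSize; } ACE_HEADER_T;
struct acl_summary {
    int allowed, denied, audit, alarm, other;  /* ACEs seen, by type */
    int canonical;   /* 1 unless an explicit deny follows an explicit allow */
};

static uint32_t rd32(const uint8_t *p)        /* little-endian DWORD */
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Render the SID at sid[0..len) as "S-1-<authority>-<sub>..."; 0 on success, else -1. */
int format_sid(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8) return -1;
    uint8_t count = sid[1];                        /* SubAuthorityCount */
    if (len < 8u + 4u * count) return -1;
    uint64_t auth = 0;                             /* 48-bit big-endian authority */
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    for (uint8_t i = 0; i < count && n > 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, "-%u", rd32(sid + 8 + 4 * i));
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Walk the ACL in buf[0..len).  AclSize, AceCount and every AceSize come from the
 * (possibly untrusted) buffer, so each is bounds-checked before it is used.
 * Returns the number of ACEs visited, or -1 if the buffer is malformed. */
int walk_acl(const uint8_t *buf, size_t len, struct acl_summary *out)
{
    ACL_T acl;
    memset(out, 0, sizeof *out); out->canonical = 1;
    if (len < sizeof acl) return -1;
    memcpy(&acl, buf, sizeof acl);
    if (acl.AclRevision != ACL_REVISION || acl.AclSize > len) return -1;
    size_t off = sizeof acl;
    int seen_explicit_allow = 0;
    for (unsigned i = 0; i < acl.AceCount; i++) {
        ACE_HEADER_T hdr;
        if (off + sizeof hdr > acl.AclSize) return -1;
        memcpy(&hdr, buf + off, sizeof hdr);
        if (hdr.AceSize < sizeof hdr || off + hdr.AceSize > acl.AclSize) return -1;
        int is_explicit = !(hdr.AceFlags & INHERITED_ACE);
        switch (hdr.AceType) {
        case ACCESS_ALLOWED_ACE_TYPE: out->allowed++; if (is_explicit) seen_explicit_allow = 1; break;
        case ACCESS_DENIED_ACE_TYPE:  out->denied++;  if (is_explicit && seen_explicit_allow) out->canonical = 0; break;
        case SYSTEM_AUDIT_ACE_TYPE:   out->audit++; break;
        case SYSTEM_ALARM_ACE_TYPE:   out->alarm++; break;
        default:                      out->other++; break;  /* object, callback, label, ... types */
        }
        /* ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE: header, 32-bit Mask, then the SID */
        char sid[64];
        if (hdr.AceType <= ACCESS_DENIED_ACE_TYPE && hdr.AceSize >= 8 &&
            format_sid(buf + off + 8, hdr.AceSize - 8u, sid, sizeof sid) == 0)
            printf("ACE %u: %s mask=0x%08x %s\n", i, hdr.AceType ? "deny" : "allow", rd32(buf + off + 4), sid);
        off += hdr.AceSize;
    }
    return (int)acl.AceCount;
}

/* Constructed DACL: deny DELETE to Everyone (S-1-1-0), then allow FILE_ALL_ACCESS to BUILTIN\Administrators. */
const uint8_t DACL_CANONICAL[52] = {
    0x02,0x00,0x34,0x00,0x02,0x00,0x00,0x00,                      /* ACL: rev 2, 52 bytes, 2 ACEs */
    0x01,0x00,0x14,0x00, 0x00,0x00,0x01,0x00,                     /* deny ACE, 20 bytes, mask DELETE */
    0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,  /* S-1-1-0 */
    0x00,0x00,0x18,0x00, 0xFF,0x01,0x1F,0x00,                     /* allow ACE, 24 bytes, FILE_ALL_ACCESS */
    0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x20,0x02,0x00,0x00 /* S-1-5-32-544 */
};
/* Same ACEs with the allow first: an access check grants DELETE to an administrator before reaching the deny. */
const uint8_t DACL_NONCANONICAL[52] = {
    0x02,0x00,0x34,0x00,0x02,0x00,0x00,0x00,
    0x00,0x00,0x18,0x00, 0xFF,0x01,0x1F,0x00,
    0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x20,0x02,0x00,0x00,
    0x01,0x00,0x14,0x00, 0x00,0x00,0x01,0x00,
    0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00
};
/* Header that claims one ACE but carries none: AceCount must not be trusted. */
const uint8_t ACL_BAD_COUNT[8] = { 0x02,0x00,0x08,0x00,0x01,0x00,0x00,0x00 };
int main(void)
{
    struct acl_summary s;
    int n = walk_acl(DACL_NONCANONICAL, sizeof DACL_NONCANONICAL, &s);
    return printf("%d ACEs: allow=%d deny=%d canonical=%d\n", n, s.allowed, s.denied, s.canonical) < 0;
}
```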

Requirements
REQUIREMENT VALUE

Minimum supported client Windows XP [desktop apps only]

Minimum supported server Windows Server 2003 [desktop apps only]

Header
Winnt.h (include Windows.h)

See also
AddAce
ACCESS_ALLOWED_ACE
ACCESS_DENIED_ACE
ACL
SYSTEM_ALARM_ACE
SYSTEM_AUDIT_ACE
Microsoft.Interop.Security.AzRoles Assembly

The following Authorization interoperability wrapper methods and objects are documented under the COM
version of the method or object. A link to the correlating COM documentation follows each member name.

Microsoft.Interop.Security.AzRoles Assembly Members


Microsoft.Interop.Security.AzRoles.IAzApplication Interface
Microsoft.Interop.Security.AzRoles.IAzApplication2 Interface
Microsoft.Interop.Security.AzRoles.IAzApplication3 Interface
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup Interface
Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 Interface
Microsoft.Interop.Security.AzRoles.IAzApplicationGroups Interface
Microsoft.Interop.Security.AzRoles.IAzApplications Interface
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore Interface
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 Interface
Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 Interface
Microsoft.Interop.Security.AzRoles.IAzBizRuleContext Interface
Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces Interface
Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters Interface
Microsoft.Interop.Security.AzRoles.IAzClientContext Interface
Microsoft.Interop.Security.AzRoles.IAzClientContext2 Interface
Microsoft.Interop.Security.AzRoles.IAzClientContext3 Interface
Microsoft.Interop.Security.AzRoles.IAzNameResolver Interface
Microsoft.Interop.Security.AzRoles.IAzObjectPicker Interface
Microsoft.Interop.Security.AzRoles.IAzOperation Interface
Microsoft.Interop.Security.AzRoles.IAzOperation2 Interface
Microsoft.Interop.Security.AzRoles.IAzOperations Interface
Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator Interface
Microsoft.Interop.Security.AzRoles.IAzRole Interface
Microsoft.Interop.Security.AzRoles.IAzRoleAssignment Interface
Microsoft.Interop.Security.AzRoles.IAzRoleAssignments Interface
Microsoft.Interop.Security.AzRoles.IAzRoleDefinition Interface
Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions Interface
Microsoft.Interop.Security.AzRoles.IAzRoles Interface
Microsoft.Interop.Security.AzRoles.IAzScope Interface
Microsoft.Interop.Security.AzRoles.IAzScope2 Interface
Microsoft.Interop.Security.AzRoles.IAzScopes Interface
Microsoft.Interop.Security.AzRoles.IAzTask Interface
Microsoft.Interop.Security.AzRoles.IAzTask2 Interface
Microsoft.Interop.Security.AzRoles.IAzTasks Interface
Microsoft.Interop.Security.AzRoles.tagAZ_PROP_CONSTANTS Enumeration
Microsoft.Interop.Security.AzRoles.IAzApplication interface

The Microsoft.Interop.Security.Azroles.IAzApplication interoperability wrapper methods and properties
are documented under the COM version of the method or property. A link to the correlating COM
documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzApplication interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplication interface has these methods.

METHOD DESCRIPTION

Microsoft.Interop.Security.Azroles.IAzApplication.AddDelegatedPolicyUser IAzApplication::AddDelegatedPolicyUser

Microsoft.Interop.Security.Azroles.IAzApplication.AddDelegatedPolicyUserName IAzApplication::AddDelegatedPolicyUserName

Microsoft.Interop.Security.Azroles.IAzApplication.AddPolicyAdministrator IAzApplication::AddPolicyAdministrator

Microsoft.Interop.Security.Azroles.IAzApplication.AddPolicyAdministratorName IAzApplication::AddPolicyAdministratorName

Microsoft.Interop.Security.Azroles.IAzApplication.AddPolicyReader IAzApplication::AddPolicyReader

Microsoft.Interop.Security.Azroles.IAzApplication.AddPolicyReaderName IAzApplication::AddPolicyReaderName

Microsoft.Interop.Security.Azroles.IAzApplication.AddPropertyItem IAzApplication::AddPropertyItem

Microsoft.Interop.Security.Azroles.IAzApplication.CreateApplicationGroup IAzApplication::CreateApplicationGroup

Microsoft.Interop.Security.Azroles.IAzApplication.CreateOperation IAzApplication::CreateOperation

Microsoft.Interop.Security.Azroles.IAzApplication.CreateRole IAzApplication::CreateRole

Microsoft.Interop.Security.Azroles.IAzApplication.CreateScope IAzApplication::CreateScope

Microsoft.Interop.Security.Azroles.IAzApplication.CreateTask IAzApplication::CreateTask

Microsoft.Interop.Security.Azroles.IAzApplication.DeleteApplicationGroup IAzApplication::DeleteApplicationGroup

Microsoft.Interop.Security.Azroles.IAzApplication.DeleteDelegatedPolicyUser IAzApplication::DeleteDelegatedPolicyUser

Microsoft.Interop.Security.Azroles.IAzApplication.DeleteDelegatedPolicyUserName IAzApplication::DeleteDelegatedPolicyUserName

Microsoft.Interop.Security.Azroles.IAzApplication.DeleteOperation IAzApplication::DeleteOperation

Microsoft.Interop.Security.Azroles.IAzApplication.DeletePolicyAdministrator IAzApplication::DeletePolicyAdministrator

Microsoft.Interop.Security.Azroles.IAzApplication.DeletePolicyAdministratorName IAzApplication::DeletePolicyAdministratorName

Microsoft.Interop.Security.Azroles.IAzApplication.DeletePolicyReader IAzApplication::DeletePolicyReader

Microsoft.Interop.Security.Azroles.IAzApplication.DeletePolicyReaderName IAzApplication::DeletePolicyReaderName

Microsoft.Interop.Security.Azroles.IAzApplication.DeletePropertyItem IAzApplication::DeletePropertyItem

Microsoft.Interop.Security.Azroles.IAzApplication.DeleteRole IAzApplication::DeleteRole

Microsoft.Interop.Security.Azroles.IAzApplication.DeleteScope IAzApplication::DeleteScope

Microsoft.Interop.Security.Azroles.IAzApplication.DeleteTask IAzApplication::DeleteTask

Microsoft.Interop.Security.Azroles.IAzApplication.GetProperty IAzApplication::GetProperty

Microsoft.Interop.Security.Azroles.IAzApplication.InitializeClientContextFromName IAzApplication::InitializeClientContextFromName

Microsoft.Interop.Security.Azroles.IAzApplication.InitializeClientContextFromStringSid IAzApplication::InitializeClientContextFromStringSid

Microsoft.Interop.Security.Azroles.IAzApplication.InitializeClientContextFromToken IAzApplication::InitializeClientContextFromToken

Microsoft.Interop.Security.Azroles.IAzApplication.OpenApplicationGroup IAzApplication::OpenApplicationGroup

Microsoft.Interop.Security.Azroles.IAzApplication.OpenOperation IAzApplication::OpenOperation

Microsoft.Interop.Security.Azroles.IAzApplication.OpenRole IAzApplication::OpenRole

Microsoft.Interop.Security.Azroles.IAzApplication.OpenScope IAzApplication::OpenScope

Microsoft.Interop.Security.Azroles.IAzApplication.OpenTask IAzApplication::OpenTask

Microsoft.Interop.Security.Azroles.IAzApplication.SetProperty IAzApplication::SetProperty

Microsoft.Interop.Security.Azroles.IAzApplication.Submit IAzApplication::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzApplication interface has these properties.

PROPERTY ACCESS TYPE DESCRIPTION

Microsoft.Interop.Security.Azroles.IAzApplication.ApplicationData Read/write ApplicationData Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.ApplicationGroups Read-only ApplicationGroups Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.ApplyStoreSacl Read/write ApplyStoreSacl Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.AuthzInterfaceClsid Read/write AuthzInterfaceClsid Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.DelegatedPolicyUsers Read-only DelegatedPolicyUsers Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.DelegatedPolicyUsersName Read-only DelegatedPolicyUsersName Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Description Read/write Description Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.GenerateAudits Read/write GenerateAudits Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Name Read/write Name Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Operations Read-only Operations Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.PolicyAdministrators Read-only PolicyAdministrators Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.PolicyAdministratorsName Read-only PolicyAdministratorsName Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.PolicyReaders Read-only PolicyReaders Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.PolicyReadersName Read-only PolicyReadersName Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Roles Read-only Roles Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Scopes Read-only Scopes Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Tasks Read-only Tasks Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Version Read/write Version Property of IAzApplication

Microsoft.Interop.Security.Azroles.IAzApplication.Writable Read-only Writable Property of IAzApplication

Requirements
REQUIREMENT VALUE

Assembly Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzApplication2 interface

The Microsoft.Interop.Security.Azroles.IAzApplication2 interoperability wrapper methods and properties
are documented under the COM version of the method or property. A link to the correlating COM
documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzApplication2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplication2 interface has these methods.

METHOD DESCRIPTION

Microsoft.Interop.Security.Azroles.IAzApplication2.AddDelegatedPolicyUser IAzApplication::AddDelegatedPolicyUser

Microsoft.Interop.Security.Azroles.IAzApplication2.AddDelegatedPolicyUserName IAzApplication::AddDelegatedPolicyUserName

Microsoft.Interop.Security.Azroles.IAzApplication2.AddPolicyAdministrator IAzApplication::AddPolicyAdministrator

Microsoft.Interop.Security.Azroles.IAzApplication2.AddPolicyAdministratorName IAzApplication::AddPolicyAdministratorName

Microsoft.Interop.Security.Azroles.IAzApplication2.AddPolicyReader IAzApplication::AddPolicyReader

Microsoft.Interop.Security.Azroles.IAzApplication2.AddPolicyReaderName IAzApplication::AddPolicyReaderName

Microsoft.Interop.Security.Azroles.IAzApplication2.AddPropertyItem IAzApplication::AddPropertyItem

Microsoft.Interop.Security.Azroles.IAzApplication2.CreateApplicationGroup IAzApplication::CreateApplicationGroup

Microsoft.Interop.Security.Azroles.IAzApplication2.CreateOperation IAzApplication::CreateOperation

Microsoft.Interop.Security.Azroles.IAzApplication2.CreateRole IAzApplication::CreateRole

Microsoft.Interop.Security.Azroles.IAzApplication2.CreateScope IAzApplication::CreateScope

Microsoft.Interop.Security.Azroles.IAzApplication2.CreateTask IAzApplication::CreateTask

Microsoft.Interop.Security.Azroles.IAzApplication2.DeleteApplicationGroup IAzApplication::DeleteApplicationGroup

Microsoft.Interop.Security.Azroles.IAzApplication2.DeleteDelegatedPolicyUser IAzApplication::DeleteDelegatedPolicyUser

Microsoft.Interop.Security.Azroles.IAzApplication2.DeleteDelegatedPolicyUserName IAzApplication::DeleteDelegatedPolicyUserName

Microsoft.Interop.Security.Azroles.IAzApplication2.DeleteOperation IAzApplication::DeleteOperation

Microsoft.Interop.Security.Azroles.IAzApplication2.DeletePolicyAdministrator IAzApplication::DeletePolicyAdministrator

Microsoft.Interop.Security.Azroles.IAzApplication2.DeletePolicyAdministratorName IAzApplication::DeletePolicyAdministratorName

Microsoft.Interop.Security.Azroles.IAzApplication2.DeletePolicyReader IAzApplication::DeletePolicyReader

Microsoft.Interop.Security.Azroles.IAzApplication2.DeletePolicyReaderName IAzApplication::DeletePolicyReaderName

Microsoft.Interop.Security.Azroles.IAzApplication2.DeletePropertyItem IAzApplication::DeletePropertyItem

Microsoft.Interop.Security.Azroles.IAzApplication2.DeleteRole IAzApplication::DeleteRole

Microsoft.Interop.Security.Azroles.IAzApplication2.DeleteScope IAzApplication::DeleteScope

Microsoft.Interop.Security.Azroles.IAzApplication2.DeleteTask IAzApplication::DeleteTask

Microsoft.Interop.Security.Azroles.IAzApplication2.GetProperty IAzApplication::GetProperty

Microsoft.Interop.Security.Azroles.IAzApplication2.InitializeClientContext2 IAzApplication2::InitializeClientContext2

Microsoft.Interop.Security.Azroles.IAzApplication2.InitializeClientContextFromName IAzApplication::InitializeClientContextFromName

Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication::InitializeClientContextFromStringSid
itializeClientContextFromStringSid
M ET H O D DESC RIP T IO N

Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication::InitializeClientContextFromToken
itializeClientContextFromToken

Microsoft.Interop.Security.Azroles.IAzApplication2.In IAzApplication2::InitializeClientContextFromToken2
itializeClientContextFromToken2

Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenApplicationGroup
penApplicationGroup

Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenOperation
penOperation

Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenRole
penRole

Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenScope
penScope

Microsoft.Interop.Security.Azroles.IAzApplication2.O IAzApplication::OpenTask
penTask

Microsoft.Interop.Security.Azroles.IAzApplication2.Se IAzApplication::SetProper ty
tProper ty

Microsoft.Interop.Security.Azroles.IAzApplication2.Su IAzApplication::Submit
bmit

Properties
The Microsoft.Interop.Security.AzRoles.IAzApplication2 interface has these properties.

PROPERTY    ACCESS TYPE    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplication2.ApplicationData    Read/write    ApplicationData Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.ApplicationGroups    Read-only    ApplicationGroups Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.ApplyStoreSacl    Read/write    ApplyStoreSacl Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.AuthzInterfaceClsid    Read/write    AuthzInterfaceClsid Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.DelegatedPolicyUsers    Read-only    DelegatedPolicyUsers Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.DelegatedPolicyUsersName    Read-only    DelegatedPolicyUsersName Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Description    Read/write    Description Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.GenerateAudits    Read/write    GenerateAudits Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Name    Read/write    Name Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Operations    Read-only    Operations Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.PolicyAdministrators    Read-only    PolicyAdministrators Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.PolicyAdministratorsName    Read-only    PolicyAdministratorsName Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.PolicyReaders    Read-only    PolicyReaders Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.PolicyReadersName    Read-only    PolicyReadersName Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Roles    Read-only    Roles Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Scopes    Read-only    Scopes Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Tasks    Read-only    Tasks Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Version    Read/write    Version Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication2.Writable    Read-only    Writable Property of IAzApplication

Requirements
REQUIREMENT    VALUE
Assembly    Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzApplication3 interface
3/22/2021 • 2 minutes to read

The Microsoft.Interop.Security.Azroles.IAzApplication3 interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzApplication3 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplication3 interface has these methods.

METHOD    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplication3.AddDelegatedPolicyUser    IAzApplication::AddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication3.AddDelegatedPolicyUserName    IAzApplication::AddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication3.AddPolicyAdministrator    IAzApplication::AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication3.AddPolicyAdministratorName    IAzApplication::AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication3.AddPolicyReader    IAzApplication::AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication3.AddPolicyReaderName    IAzApplication::AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication3.AddPropertyItem    IAzApplication::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateApplicationGroup    IAzApplication::CreateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateOperation    IAzApplication::CreateOperation
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateRole    IAzApplication::CreateRole
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateRoleAssignment    IAzApplication3::CreateRoleAssignment
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateRoleDefinition    IAzApplication3::CreateRoleDefinition
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateScope    IAzApplication::CreateScope
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateScope2    IAzApplication3::CreateScope2
Microsoft.Interop.Security.Azroles.IAzApplication3.CreateTask    IAzApplication::CreateTask
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteApplicationGroup    IAzApplication::DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteDelegatedPolicyUser    IAzApplication::DeleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteDelegatedPolicyUserName    IAzApplication::DeleteDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteOperation    IAzApplication::DeleteOperation
Microsoft.Interop.Security.Azroles.IAzApplication3.DeletePolicyAdministrator    IAzApplication::DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzApplication3.DeletePolicyAdministratorName    IAzApplication::DeletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzApplication3.DeletePolicyReader    IAzApplication::DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzApplication3.DeletePolicyReaderName    IAzApplication::DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzApplication3.DeletePropertyItem    IAzApplication::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteRole    IAzApplication::DeleteRole
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteRoleAssignment    IAzApplication3::DeleteRoleAssignment
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteRoleDefinition    IAzApplication3::DeleteRoleDefinition
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteScope    IAzApplication::DeleteScope
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteScope2    IAzApplication3::DeleteScope2
Microsoft.Interop.Security.Azroles.IAzApplication3.DeleteTask    IAzApplication::DeleteTask
Microsoft.Interop.Security.Azroles.IAzApplication3.GetProperty    IAzApplication::GetProperty
Microsoft.Interop.Security.Azroles.IAzApplication3.InitializeClientContext2    IAzApplication2::InitializeClientContext2
Microsoft.Interop.Security.Azroles.IAzApplication3.InitializeClientContextFromName    IAzApplication::InitializeClientContextFromName
Microsoft.Interop.Security.Azroles.IAzApplication3.InitializeClientContextFromStringSid    IAzApplication::InitializeClientContextFromStringSid
Microsoft.Interop.Security.Azroles.IAzApplication3.InitializeClientContextFromToken    IAzApplication::InitializeClientContextFromToken
Microsoft.Interop.Security.Azroles.IAzApplication3.InitializeClientContextFromToken2    IAzApplication2::InitializeClientContextFromToken2
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenApplicationGroup    IAzApplication::OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenOperation    IAzApplication::OpenOperation
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenRole    IAzApplication::OpenRole
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenRoleAssignment    IAzApplication3::OpenRoleAssignment
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenRoleDefinition    IAzApplication3::OpenRoleDefinition
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenScope    IAzApplication::OpenScope
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenScope2    IAzApplication3::OpenScope2
Microsoft.Interop.Security.Azroles.IAzApplication3.OpenTask    IAzApplication::OpenTask
Microsoft.Interop.Security.Azroles.IAzApplication3.ScopeExists    IAzApplication3::ScopeExists
Microsoft.Interop.Security.Azroles.IAzApplication3.SetProperty    IAzApplication::SetProperty
Microsoft.Interop.Security.Azroles.IAzApplication3.Submit    IAzApplication::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzApplication3 interface has these properties.

PROPERTY    ACCESS TYPE    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplication3.ApplicationData    Read/write    ApplicationData Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.ApplicationGroups    Read-only    ApplicationGroups Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.ApplyStoreSacl    Read/write    ApplyStoreSacl Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.AuthzInterfaceClsid    Read/write    AuthzInterfaceClsid Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.DelegatedPolicyUsers    Read-only    DelegatedPolicyUsers Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.DelegatedPolicyUsersName    Read-only    DelegatedPolicyUsersName Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.Description    Read/write    Description Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.GenerateAudits    Read/write    GenerateAudits Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.Name    Read/write    Name Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.Operations    Read-only    Operations Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.PolicyAdministrators    Read-only    PolicyAdministrators Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.PolicyAdministratorsName    Read-only    PolicyAdministratorsName Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.PolicyReaders    Read-only    PolicyReaders Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.PolicyReadersName    Read-only    PolicyReadersName Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.RoleAssignments    Read-only    RoleAssignments Property of IAzApplication3
Microsoft.Interop.Security.Azroles.IAzApplication3.RoleDefinitions    Read-only    RoleDefinitions Property of IAzApplication3
Microsoft.Interop.Security.Azroles.IAzApplication3.Roles    Read-only    Roles Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.Scopes    Read-only    Scopes Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.Tasks    Read-only    Tasks Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.Version    Read/write    Version Property of IAzApplication
Microsoft.Interop.Security.Azroles.IAzApplication3.Writable    Read-only    Writable Property of IAzApplication

Requirements
REQUIREMENT    VALUE
Assembly    Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzApplicationGroup interface
3/22/2021 • 2 minutes to read

The Microsoft.Interop.Security.Azroles.IAzApplicationGroup interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup interface has these methods.

METHOD    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AddAppMember    IAzApplicationGroup::AddAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AddAppNonMember    IAzApplicationGroup::AddAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AddMember    IAzApplicationGroup::AddMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AddMemberName    IAzApplicationGroup::AddMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AddNonMember    IAzApplicationGroup::AddNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AddNonMemberName    IAzApplicationGroup::AddNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AddPropertyItem    IAzApplicationGroup::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.DeleteAppMember    IAzApplicationGroup::DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.DeleteAppNonMember    IAzApplicationGroup::DeleteAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.DeleteMember    IAzApplicationGroup::DeleteMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.DeleteMemberName    IAzApplicationGroup::DeleteMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.DeleteNonMember    IAzApplicationGroup::DeleteNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.DeleteNonMemberName    IAzApplicationGroup::DeleteNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.DeletePropertyItem    IAzApplicationGroup::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.GetProperty    IAzApplicationGroup::GetProperty
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.SetProperty    IAzApplicationGroup::SetProperty
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.Submit    IAzApplicationGroup::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup interface has these properties.

PROPERTY    ACCESS TYPE    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AppMembers    Read-only    AppMembers Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.AppNonMembers    Read-only    AppNonMembers Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.Description    Read/write    Description Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.LdapQuery    Read/write    LdapQuery Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.Members    Read-only    Members Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.MembersName    Read-only    MembersName Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.Name    Read/write    Name Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.NonMembers    Read-only    NonMembers Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.NonMembersName    Read-only    NonMembersName Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.Type    Read/write    Type Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup.Writable    Read-only    Writable Property of IAzApplicationGroup

Requirements
REQUIREMENT    VALUE
Assembly    Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 interface
3/22/2021 • 2 minutes to read

The Microsoft.Interop.Security.Azroles.IAzApplicationGroup2 interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 interface has these methods.

METHOD    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AddAppMember    IAzApplicationGroup::AddAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AddAppNonMember    IAzApplicationGroup::AddAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AddMember    IAzApplicationGroup::AddMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AddMemberName    IAzApplicationGroup::AddMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AddNonMember    IAzApplicationGroup::AddNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AddNonMemberName    IAzApplicationGroup::AddNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AddPropertyItem    IAzApplicationGroup::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.DeleteAppMember    IAzApplicationGroup::DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.DeleteAppNonMember    IAzApplicationGroup::DeleteAppNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.DeleteMember    IAzApplicationGroup::DeleteMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.DeleteMemberName    IAzApplicationGroup::DeleteMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.DeleteNonMember    IAzApplicationGroup::DeleteNonMember
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.DeleteNonMemberName    IAzApplicationGroup::DeleteNonMemberName
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.DeletePropertyItem    IAzApplicationGroup::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.GetProperty    IAzApplicationGroup::GetProperty
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.RoleAssignments    IAzApplicationGroup2::RoleAssignments
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.SetProperty    IAzApplicationGroup::SetProperty
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.Submit    IAzApplicationGroup::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroup2 interface has these properties.

PROPERTY    ACCESS TYPE    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AppMembers    Read-only    AppMembers Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.AppNonMembers    Read-only    AppNonMembers Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.BizRule    Read/write    BizRule Property of IAzApplicationGroup2
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.BizRuleImportedPath    Read/write    BizRuleImportedPath Property of IAzApplicationGroup2
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.BizRuleLanguage    Read/write    BizRuleLanguage Property of IAzApplicationGroup2
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.Description    Read/write    Description Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.LdapQuery    Read/write    LdapQuery Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.Members    Read-only    Members Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.MembersName    Read-only    MembersName Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.Name    Read/write    Name Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.NonMembers    Read-only    NonMembers Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.NonMembersName    Read-only    NonMembersName Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.Type    Read/write    Type Property of IAzApplicationGroup
Microsoft.Interop.Security.Azroles.IAzApplicationGroup2.Writable    Read-only    Writable Property of IAzApplicationGroup

Requirements
REQUIREMENT    VALUE
Assembly    Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzApplicationGroups interface
3/22/2021 • 2 minutes to read

The Microsoft.Interop.Security.Azroles.IAzApplicationGroups interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroups interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroups interface has these methods.

METHOD    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplicationGroups.GetEnumerator    IAzApplicationGroups::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzApplicationGroups interface has these properties.

PROPERTY    ACCESS TYPE    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplicationGroups.Count    Read-only    Count Property of IAzApplicationGroups
Microsoft.Interop.Security.Azroles.IAzApplicationGroups.Item    Read-only    Item Property of IAzApplicationGroups

Requirements
REQUIREMENT    VALUE
Assembly    Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzApplications interface
3/22/2021 • 2 minutes to read

The Microsoft.Interop.Security.Azroles.IAzApplications interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzApplications interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzApplications interface has these methods.

METHOD    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplications.GetEnumerator    IAzApplications::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzApplications interface has these properties.

PROPERTY    ACCESS TYPE    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzApplications.Count    Read-only    Count Property of IAzApplications
Microsoft.Interop.Security.Azroles.IAzApplications.Item    Read-only    Item Property of IAzApplications

Requirements
REQUIREMENT    VALUE
Assembly    Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore interface
3/22/2021 • 2 minutes to read

The Microsoft.Interop.Security.Azroles.IAzAuthorizationStore interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore interface has these methods.

METHOD    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.AddDelegatedPolicyUser    IAzAuthorizationStore::AddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.AddDelegatedPolicyUserName    IAzAuthorizationStore::AddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.AddPolicyAdministrator    IAzAuthorizationStore::AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.AddPolicyAdministratorName    IAzAuthorizationStore::AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.AddPolicyReader    IAzAuthorizationStore::AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.AddPolicyReaderName    IAzAuthorizationStore::AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.AddPropertyItem    IAzAuthorizationStore::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.CloseApplication    IAzAuthorizationStore::CloseApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.CreateApplication    IAzAuthorizationStore::CreateApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.CreateApplicationGroup    IAzAuthorizationStore::CreateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.Delete    IAzAuthorizationStore::Delete
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeleteApplication    IAzAuthorizationStore::DeleteApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeleteApplicationGroup    IAzAuthorizationStore::DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeleteDelegatedPolicyUser    IAzAuthorizationStore::DeleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeleteDelegatedPolicyUserName    IAzAuthorizationStore::DeleteDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeletePolicyAdministrator    IAzAuthorizationStore::DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeletePolicyAdministratorName    IAzAuthorizationStore::DeletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeletePolicyReader    IAzAuthorizationStore::DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeletePolicyReaderName    IAzAuthorizationStore::DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DeletePropertyItem    IAzAuthorizationStore::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.GetProperty    IAzAuthorizationStore::GetProperty
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.Initialize    IAzAuthorizationStore::Initialize
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.OpenApplication    IAzAuthorizationStore::OpenApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.OpenApplicationGroup    IAzAuthorizationStore::OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.SetProperty    IAzAuthorizationStore::SetProperty
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.Submit    IAzAuthorizationStore::Submit
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.UpdateCache    IAzAuthorizationStore::UpdateCache

Properties
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore interface has these properties.

PROPERTY    ACCESS TYPE    DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.ApplicationData    Read/write    ApplicationData Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.ApplicationGroups    Read-only    ApplicationGroups Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.Applications    Read-only    Applications Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.ApplyStoreSacl    Read/write    ApplyStoreSacl Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DelegatedPolicyUsers    Read-only    DelegatedPolicyUsers Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DelegatedPolicyUsersName    Read-only    DelegatedPolicyUsersName Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.Description    Read/write    Description Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.DomainTimeout    Read/write    DomainTimeout Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.GenerateAudits    Read/write    GenerateAudits Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.MaxScriptEngines    Read/write    MaxScriptEngines Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.PolicyAdministrators    Read-only    PolicyAdministrators Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.PolicyAdministratorsName    Read-only    PolicyAdministratorsName Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.PolicyReaders    Read-only    PolicyReaders Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.PolicyReadersName    Read-only    PolicyReadersName Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.ScriptEngineTimeout    Read/write    ScriptEngineTimeout Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.TargetMachine    Read-only    TargetMachine Property of IAzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore.Writable    Read-only    Writable Property of IAzAuthorizationStore

Requirements
REQUIREMENT    VALUE
Assembly    Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 interface
3/22/2021 • 2 minutes to read

The Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2 interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.AddDelegatedPolicyUser | AzAuthorizationStore::AddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.AddDelegatedPolicyUserName | AzAuthorizationStore::AddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.AddPolicyAdministrator | AzAuthorizationStore::AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.AddPolicyAdministratorName | AzAuthorizationStore::AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.AddPolicyReader | AzAuthorizationStore::AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.AddPolicyReaderName | AzAuthorizationStore::AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.AddPropertyItem | AzAuthorizationStore::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.CloseApplication | AzAuthorizationStore::CloseApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.CreateApplication | AzAuthorizationStore::CreateApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.CreateApplication2 | IAzAuthorizationStore2::CreateApplication2
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.CreateApplicationGroup | AzAuthorizationStore::CreateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.Delete | AzAuthorizationStore::Delete
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeleteApplication | AzAuthorizationStore::DeleteApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeleteApplicationGroup | AzAuthorizationStore::DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeleteDelegatedPolicyUser | AzAuthorizationStore::DeleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeleteDelegatedPolicyUserName | AzAuthorizationStore::DeleteDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeletePolicyAdministrator | AzAuthorizationStore::DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeletePolicyAdministratorName | AzAuthorizationStore::DeletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeletePolicyReader | AzAuthorizationStore::DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeletePolicyReaderName | AzAuthorizationStore::DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DeletePropertyItem | AzAuthorizationStore::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.GetProperty | AzAuthorizationStore::GetProperty
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.Initialize | AzAuthorizationStore::Initialize
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.OpenApplication | AzAuthorizationStore::OpenApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.OpenApplication2 | IAzAuthorizationStore2::OpenApplication2
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.OpenApplicationGroup | AzAuthorizationStore::OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.SetProperty | AzAuthorizationStore::SetProperty
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.Submit | AzAuthorizationStore::Submit
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.UpdateCache | AzAuthorizationStore::UpdateCache

Properties
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore2 interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.ApplicationData | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.ApplicationGroups | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.Applications | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.ApplyStoreSacl | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DelegatedPolicyUsers | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DelegatedPolicyUsersName | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.Description | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.DomainTimeout | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.GenerateAudits | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.MaxScriptEngines | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.PolicyAdministrators | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.PolicyAdministratorsName | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.PolicyReaders | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.PolicyReadersName | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.ScriptEngineTimeout | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.TargetMachine | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore2.Writable | Read-only | Property of AzAuthorizationStore

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3 interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.AddDelegatedPolicyUser | AzAuthorizationStore::AddDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.AddDelegatedPolicyUserName | AzAuthorizationStore::AddDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.AddPolicyAdministrator | AzAuthorizationStore::AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.AddPolicyAdministratorName | AzAuthorizationStore::AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.AddPolicyReader | AzAuthorizationStore::AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.AddPolicyReaderName | AzAuthorizationStore::AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.AddPropertyItem | AzAuthorizationStore::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.BizruleGroupSupported | IAzAuthorizationStore3::BizruleGroupSupported
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.CloseApplication | AzAuthorizationStore::CloseApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.CreateApplication | AzAuthorizationStore::CreateApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.CreateApplication2 | IAzAuthorizationStore2::CreateApplication2
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.CreateApplicationGroup | AzAuthorizationStore::CreateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.Delete | AzAuthorizationStore::Delete
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeleteApplication | AzAuthorizationStore::DeleteApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeleteApplicationGroup | AzAuthorizationStore::DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeleteDelegatedPolicyUser | AzAuthorizationStore::DeleteDelegatedPolicyUser
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeleteDelegatedPolicyUserName | AzAuthorizationStore::DeleteDelegatedPolicyUserName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeletePolicyAdministrator | AzAuthorizationStore::DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeletePolicyAdministratorName | AzAuthorizationStore::DeletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeletePolicyReader | AzAuthorizationStore::DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeletePolicyReaderName | AzAuthorizationStore::DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DeletePropertyItem | AzAuthorizationStore::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.GetProperty | AzAuthorizationStore::GetProperty
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.GetSchemaVersion | IAzAuthorizationStore3::GetSchemaVersion
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.Initialize | AzAuthorizationStore::Initialize
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.IsFunctionalLevelUpgradeSupported | IAzAuthorizationStore3::IsFunctionalLevelUpgradeSupported
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.IsUpdateNeeded | IAzAuthorizationStore3::IsUpdateNeeded
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.OpenApplication | AzAuthorizationStore::OpenApplication
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.OpenApplication2 | IAzAuthorizationStore2::OpenApplication2
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.OpenApplicationGroup | AzAuthorizationStore::OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.SetProperty | AzAuthorizationStore::SetProperty
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.Submit | AzAuthorizationStore::Submit
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.UpdateCache | AzAuthorizationStore::UpdateCache
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.UpgradeStoresFunctionalLevel | IAzAuthorizationStore3::UpgradeStoresFunctionalLevel

Properties
The Microsoft.Interop.Security.AzRoles.IAzAuthorizationStore3 interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.ApplicationData | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.ApplicationGroups | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.Applications | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.ApplyStoreSacl | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DelegatedPolicyUsers | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DelegatedPolicyUsersName | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.Description | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.DomainTimeout | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.GenerateAudits | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.MaxScriptEngines | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.PolicyAdministrators | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.PolicyAdministratorsName | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.PolicyReaders | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.PolicyReadersName | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.ScriptEngineTimeout | Read/write | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.TargetMachine | Read-only | Property of AzAuthorizationStore
Microsoft.Interop.Security.Azroles.IAzAuthorizationStore3.Writable | Read-only | Property of AzAuthorizationStore

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzBizRuleContext interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzBizRuleContext interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzBizRuleContext interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzBizRuleContext interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzBizRuleContext.GetParameter | IAzBizRuleContext::GetParameter

Properties
The Microsoft.Interop.Security.AzRoles.IAzBizRuleContext interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzBizRuleContext.BusinessRuleResult | Write-only | Property of IAzBizRuleContext
Microsoft.Interop.Security.Azroles.IAzBizRuleContext.BusinessRuleString | Read/write | Property of IAzBizRuleContext

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzBizRuleInterfaces interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfaces.AddInterface | IAzBizRuleInterfaces::AddInterface
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfaces.AddInterfaces | IAzBizRuleInterfaces::AddInterfaces
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfaces.GetInterfaceValue | IAzBizRuleInterfaces::GetInterfaceValue
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfaces.Remove | IAzBizRuleInterfaces::Remove
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfaces.RemoveAll | IAzBizRuleInterfaces::RemoveAll

Properties
The Microsoft.Interop.Security.AzRoles.IAzBizRuleInterfaces interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzBizRuleInterfaces.Count | Read-only | Property of IAzBizRuleInterfaces

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzBizRuleParameters interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzBizRuleParameters.AddParameter | IAzBizRuleParameters::AddParameter
Microsoft.Interop.Security.Azroles.IAzBizRuleParameters.AddParameters | IAzBizRuleParameters::AddParameters
Microsoft.Interop.Security.Azroles.IAzBizRuleParameters.GetParameterValue | IAzBizRuleParameters::GetParameterValue
Microsoft.Interop.Security.Azroles.IAzBizRuleParameters.Remove | IAzBizRuleParameters::Remove
Microsoft.Interop.Security.Azroles.IAzBizRuleParameters.RemoveAll | IAzBizRuleParameters::RemoveAll

Properties
The Microsoft.Interop.Security.AzRoles.IAzBizRuleParameters interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzBizRuleParameters.Count | Read-only | Property of IAzBizRuleParameters

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzClientContext interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzClientContext interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzClientContext interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzClientContext interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzClientContext.AccessCheck | IAzClientContext::AccessCheck
Microsoft.Interop.Security.Azroles.IAzClientContext.GetBusinessRuleString | IAzClientContext::GetBusinessRuleString
Microsoft.Interop.Security.Azroles.IAzClientContext.GetProperty | IAzClientContext::GetProperty
Microsoft.Interop.Security.Azroles.IAzClientContext.GetRoles | IAzClientContext::GetRoles

Properties
The Microsoft.Interop.Security.AzRoles.IAzClientContext interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzClientContext.RoleForAccessCheck | Read/write | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext.UserCanonical | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext.UserDisplay | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext.UserDn | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext.UserDnsSamCompat | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext.UserGuid | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext.UserSamCompat | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext.UserUpn | Read-only | Property of IAzClientContext

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzClientContext2 interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzClientContext2 interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzClientContext2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzClientContext2 interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzClientContext2.AccessCheck | IAzClientContext::AccessCheck
Microsoft.Interop.Security.Azroles.IAzClientContext2.AddApplicationGroups | IAzClientContext2::AddApplicationGroups
Microsoft.Interop.Security.Azroles.IAzClientContext2.AddRoles | IAzClientContext2::AddRoles
Microsoft.Interop.Security.Azroles.IAzClientContext2.AddStringSids | IAzClientContext2::AddStringSids
Microsoft.Interop.Security.Azroles.IAzClientContext2.GetAssignedScopesPage | IAzClientContext2::GetAssignedScopesPage
Microsoft.Interop.Security.Azroles.IAzClientContext2.GetBusinessRuleString | IAzClientContext::GetBusinessRuleString
Microsoft.Interop.Security.Azroles.IAzClientContext2.GetProperty | IAzClientContext::GetProperty
Microsoft.Interop.Security.Azroles.IAzClientContext2.GetRoles | IAzClientContext::GetRoles

Properties
The Microsoft.Interop.Security.AzRoles.IAzClientContext2 interface has these properties.
PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzClientContext2.LDAPQueryDN | Read/write | Property of IAzClientContext2
Microsoft.Interop.Security.Azroles.IAzClientContext2.RoleForAccessCheck | Read/write | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext2.UserCanonical | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext2.UserDisplay | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext2.UserDn | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext2.UserDnsSamCompat | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext2.UserGuid | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext2.UserSamCompat | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext2.UserUpn | Read-only | Property of IAzClientContext

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzClientContext3 interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzClientContext3 interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzClientContext3 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzClientContext3 interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzClientContext3.AccessCheck | IAzClientContext::AccessCheck
Microsoft.Interop.Security.Azroles.IAzClientContext3.AccessCheck2 | IAzClientContext3::AccessCheck2
Microsoft.Interop.Security.Azroles.IAzClientContext3.AddApplicationGroups | IAzClientContext2::AddApplicationGroups
Microsoft.Interop.Security.Azroles.IAzClientContext3.AddRoles | IAzClientContext2::AddRoles
Microsoft.Interop.Security.Azroles.IAzClientContext3.AddStringSids | IAzClientContext2::AddStringSids
Microsoft.Interop.Security.Azroles.IAzClientContext3.GetAssignedScopesPage | IAzClientContext2::GetAssignedScopesPage
Microsoft.Interop.Security.Azroles.IAzClientContext3.GetBusinessRuleString | IAzClientContext::GetBusinessRuleString
Microsoft.Interop.Security.Azroles.IAzClientContext3.GetGroups | IAzClientContext3::GetGroups
Microsoft.Interop.Security.Azroles.IAzClientContext3.GetOperations | IAzClientContext3::GetOperations
Microsoft.Interop.Security.Azroles.IAzClientContext3.GetProperty | IAzClientContext::GetProperty
Microsoft.Interop.Security.Azroles.IAzClientContext3.GetRoles | IAzClientContext::GetRoles
Microsoft.Interop.Security.Azroles.IAzClientContext3.GetTasks | IAzClientContext3::GetTasks
Microsoft.Interop.Security.Azroles.IAzClientContext3.IsInRoleAssignment | IAzClientContext3::IsInRoleAssignment

Properties
The Microsoft.Interop.Security.AzRoles.IAzClientContext3 interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzClientContext3.BizRuleInterfaces | Read-only | Property of IAzClientContext3
Microsoft.Interop.Security.Azroles.IAzClientContext3.BizRuleParameters | Read-only | Property of IAzClientContext3
Microsoft.Interop.Security.Azroles.IAzClientContext3.LDAPQueryDN | Read/write | Property of IAzClientContext2
Microsoft.Interop.Security.Azroles.IAzClientContext3.RoleForAccessCheck | Read/write | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext3.Sids | Read-only | Property of IAzClientContext3
Microsoft.Interop.Security.Azroles.IAzClientContext3.UserCanonical | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext3.UserDisplay | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext3.UserDn | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext3.UserDnsSamCompat | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext3.UserGuid | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext3.UserSamCompat | Read-only | Property of IAzClientContext
Microsoft.Interop.Security.Azroles.IAzClientContext3.UserUpn | Read-only | Property of IAzClientContext

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzNameResolver interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzNameResolver interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzNameResolver interface has these types of members:
Methods
Methods
The Microsoft.Interop.Security.AzRoles.IAzNameResolver interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzNameResolver.NameFromSid | IAzNameResolver::NameFromSid
Microsoft.Interop.Security.Azroles.IAzNameResolver.NamesFromSids | IAzNameResolver::NamesFromSids

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzObjectPicker interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzObjectPicker interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzObjectPicker interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzObjectPicker interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzObjectPicker.GetPrincipals | IAzObjectPicker::GetPrincipals

Properties
The Microsoft.Interop.Security.AzRoles.IAzObjectPicker interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzObjectPicker.Name | Read-only | Property of IAzObjectPicker

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzOperation interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzOperation interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzOperation interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzOperation interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzOperation.GetProperty | IAzOperation::GetProperty
Microsoft.Interop.Security.Azroles.IAzOperation.SetProperty | IAzOperation::SetProperty
Microsoft.Interop.Security.Azroles.IAzOperation.Submit | IAzOperation::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzOperation interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzOperation.ApplicationData | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation.Description | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation.Name | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation.OperationID | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation.Writable | Read-only | Property of IAzOperation

Requirements
REQUIREMENT | VALUE
Assembly | Microsoft.Interop.Security.Azroles.dll

Microsoft.Interop.Security.AzRoles.IAzOperation2 interface
3/22/2021

The Microsoft.Interop.Security.Azroles.IAzOperation2 interoperability wrapper methods and properties are documented under the COM version of the method or property. A link to the correlating COM documentation follows each member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzOperation2 interface has these types of members:
Methods
Properties
Methods
The Microsoft.Interop.Security.AzRoles.IAzOperation2 interface has these methods.

METHOD | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzOperation2.GetProperty | IAzOperation::GetProperty
Microsoft.Interop.Security.Azroles.IAzOperation2.RoleAssignments | IAzOperation2::RoleAssignments
Microsoft.Interop.Security.Azroles.IAzOperation2.SetProperty | IAzOperation::SetProperty
Microsoft.Interop.Security.Azroles.IAzOperation2.Submit | IAzOperation::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzOperation2 interface has these properties.

PROPERTY | ACCESS TYPE | DESCRIPTION
Microsoft.Interop.Security.Azroles.IAzOperation2.ApplicationData | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation2.Description | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation2.Name | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation2.OperationID | Read/write | Property of IAzOperation
Microsoft.Interop.Security.Azroles.IAzOperation2.Writable | Read-only | Property of IAzOperation

Requirements
REQ UIREM EN T VA L UE

Assembly
Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzOperations interface

The Microsoft.Interop.Security.Azroles.IAzOperations interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzOperations interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzOperations interface has these methods.

Method                                                          Description
Microsoft.Interop.Security.Azroles.IAzOperations.GetEnumerator  IAzOperations::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzOperations interface has these properties.

Property                                                        Access type  Description
Microsoft.Interop.Security.Azroles.IAzOperations.Count          Read-only    Count Property of IAzOperations
Microsoft.Interop.Security.Azroles.IAzOperations.Item           Read-only    Item Property of IAzOperations

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator interface

The Microsoft.Interop.Security.Azroles.IAzNameResolver interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator interface has these types of members:
Methods

Methods
The Microsoft.Interop.Security.AzRoles.IAzPrincipalLocator interface has these methods.

Method                                                            Description
Microsoft.Interop.Security.Azroles.IAzNameResolver.NameFromSid    IAzNameResolver::NameFromSid
Microsoft.Interop.Security.Azroles.IAzNameResolver.NamesFromSids  IAzNameResolver::NamesFromSids

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRole interface

The Microsoft.Interop.Security.Azroles.IAzRole interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzRole interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzRole interface has these methods.

Method                                                         Description
Microsoft.Interop.Security.Azroles.IAzRole.AddAppMember        IAzRole::AddAppMember
Microsoft.Interop.Security.Azroles.IAzRole.AddMember           IAzRole::AddMember
Microsoft.Interop.Security.Azroles.IAzRole.AddMemberName       IAzRole::AddMemberName
Microsoft.Interop.Security.Azroles.IAzRole.AddOperation        IAzRole::AddOperation
Microsoft.Interop.Security.Azroles.IAzRole.AddPropertyItem     IAzRole::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzRole.AddTask             IAzRole::AddTask
Microsoft.Interop.Security.Azroles.IAzRole.DeleteAppMember     IAzRole::DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzRole.DeleteMember        IAzRole::DeleteMember
Microsoft.Interop.Security.Azroles.IAzRole.DeleteMemberName    IAzRole::DeleteMemberName
Microsoft.Interop.Security.Azroles.IAzRole.DeleteOperation     IAzRole::DeleteOperation
Microsoft.Interop.Security.Azroles.IAzRole.DeletePropertyItem  IAzRole::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzRole.DeleteTask          IAzRole::DeleteTask
Microsoft.Interop.Security.Azroles.IAzRole.GetProperty         IAzRole::GetProperty
Microsoft.Interop.Security.Azroles.IAzRole.SetProperty         IAzRole::SetProperty
Microsoft.Interop.Security.Azroles.IAzRole.Submit              IAzRole::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzRole interface has these properties.

Property                                                       Access type  Description
Microsoft.Interop.Security.Azroles.IAzRole.ApplicationData     Read/write   ApplicationData Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.AppMembers          Read-only    AppMembers Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.Description         Read/write   Description Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.Members             Read-only    Members Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.MembersName         Read-only    MembersName Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.Name                Read/write   Name Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.Operations          Read-only    Operations Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.Tasks               Read-only    Tasks Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRole.Writable            Read-only    Writable Property of IAzRole

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleAssignment interface

The Microsoft.Interop.Security.Azroles.IAzRoleAssignment interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name. Members inherited from IAzRole map to the IAzRole documentation; only the role-definition members and the RoleDefinitions and Scope properties are specific to IAzRoleAssignment.

Members
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignment interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignment interface has these methods.

Method                                                                     Description
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AddAppMember          IAzRole::AddAppMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AddMember             IAzRole::AddMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AddMemberName         IAzRole::AddMemberName
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AddOperation          IAzRole::AddOperation
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AddPropertyItem       IAzRole::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AddRoleDefinition     IAzRoleAssignment::AddRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AddTask               IAzRole::AddTask
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.DeleteAppMember       IAzRole::DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.DeleteMember          IAzRole::DeleteMember
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.DeleteMemberName      IAzRole::DeleteMemberName
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.DeleteOperation       IAzRole::DeleteOperation
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.DeletePropertyItem    IAzRole::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.DeleteRoleDefinition  IAzRoleAssignment::DeleteRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.DeleteTask            IAzRole::DeleteTask
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.GetProperty           IAzRole::GetProperty
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.SetProperty           IAzRole::SetProperty
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Submit                IAzRole::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignment interface has these properties.

Property                                                                   Access type  Description
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.ApplicationData       Read/write   ApplicationData Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.AppMembers            Read-only    AppMembers Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Description           Read/write   Description Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Members               Read-only    Members Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.MembersName           Read-only    MembersName Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Name                  Read/write   Name Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Operations            Read-only    Operations Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.RoleDefinitions       Read-only    RoleDefinitions Property of IAzRoleAssignment
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Scope                 Read-only    Scope Property of IAzRoleAssignment
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Tasks                 Read-only    Tasks Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleAssignment.Writable              Read-only    Writable Property of IAzRole

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleAssignments interface

The Microsoft.Interop.Security.Azroles.IAzRoleAssignments interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignments interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignments interface has these methods.

Method                                                               Description
Microsoft.Interop.Security.Azroles.IAzRoleAssignments.GetEnumerator  IAzRoleAssignments::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleAssignments interface has these properties.

Property                                                             Access type  Description
Microsoft.Interop.Security.Azroles.IAzRoleAssignments.Count          Read-only    Count Property of IAzRoleAssignments
Microsoft.Interop.Security.Azroles.IAzRoleAssignments.Item           Read-only    Item Property of IAzRoleAssignments

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleDefinition interface

The Microsoft.Interop.Security.Azroles.IAzRoleDefinition interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name. Members inherited from IAzRole map to the IAzRole documentation; only the role-definition members and the RoleDefinitions property are specific to IAzRoleDefinition.

Members
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinition interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinition interface has these methods.

Method                                                                     Description
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AddAppMember          IAzRole::AddAppMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AddMember             IAzRole::AddMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AddMemberName         IAzRole::AddMemberName
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AddOperation          IAzRole::AddOperation
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AddPropertyItem       IAzRole::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AddRoleDefinition     IAzRoleDefinition::AddRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AddTask               IAzRole::AddTask
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.DeleteAppMember       IAzRole::DeleteAppMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.DeleteMember          IAzRole::DeleteMember
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.DeleteMemberName      IAzRole::DeleteMemberName
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.DeleteOperation       IAzRole::DeleteOperation
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.DeletePropertyItem    IAzRole::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.DeleteRoleDefinition  IAzRoleDefinition::DeleteRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.DeleteTask            IAzRole::DeleteTask
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.GetProperty           IAzRole::GetProperty
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.RoleAssignments       IAzRoleDefinition::RoleAssignments
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.SetProperty           IAzRole::SetProperty
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.Submit                IAzRole::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinition interface has these properties.

Property                                                                   Access type  Description
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.ApplicationData       Read/write   ApplicationData Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.AppMembers            Read-only    AppMembers Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.Description           Read/write   Description Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.Members               Read-only    Members Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.MembersName           Read-only    MembersName Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.Name                  Read/write   Name Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.Operations            Read-only    Operations Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.RoleDefinitions       Read-only    RoleDefinitions Property of IAzRoleDefinition
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.Tasks                 Read-only    Tasks Property of IAzRole
Microsoft.Interop.Security.Azroles.IAzRoleDefinition.Writable              Read-only    Writable Property of IAzRole

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions interface

The Microsoft.Interop.Security.Azroles.IAzRoleDefinitions interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions interface has these methods.

Method                                                               Description
Microsoft.Interop.Security.Azroles.IAzRoleDefinitions.GetEnumerator  IAzRoleDefinitions::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzRoleDefinitions interface has these properties.

Property                                                             Access type  Description
Microsoft.Interop.Security.Azroles.IAzRoleDefinitions.Count          Read-only    Count Property of IAzRoleDefinitions
Microsoft.Interop.Security.Azroles.IAzRoleDefinitions.Item           Read-only    Item Property of IAzRoleDefinitions

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzRoles interface

The Microsoft.Interop.Security.Azroles.IAzRoles interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzRoles interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzRoles interface has these methods.

Method                                                     Description
Microsoft.Interop.Security.Azroles.IAzRoles.GetEnumerator  IAzRoles::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzRoles interface has these properties.

Property                                                   Access type  Description
Microsoft.Interop.Security.Azroles.IAzRoles.Count          Read-only    Count Property of IAzRoles
Microsoft.Interop.Security.Azroles.IAzRoles.Item           Read-only    Item Property of IAzRoles

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzScope interface

The Microsoft.Interop.Security.Azroles.IAzScope interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzScope interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzScope interface has these methods.

Method                                                                     Description
Microsoft.Interop.Security.Azroles.IAzScope.AddPolicyAdministrator         IAzScope::AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzScope.AddPolicyAdministratorName     IAzScope::AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope.AddPolicyReader                IAzScope::AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzScope.AddPolicyReaderName            IAzScope::AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzScope.AddPropertyItem                IAzScope::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzScope.CreateApplicationGroup         IAzScope::CreateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope.CreateRole                     IAzScope::CreateRole
Microsoft.Interop.Security.Azroles.IAzScope.CreateTask                     IAzScope::CreateTask
Microsoft.Interop.Security.Azroles.IAzScope.DeleteApplicationGroup         IAzScope::DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope.DeletePolicyAdministrator      IAzScope::DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzScope.DeletePolicyAdministratorName  IAzScope::DeletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope.DeletePolicyReader             IAzScope::DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzScope.DeletePolicyReaderName         IAzScope::DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzScope.DeletePropertyItem             IAzScope::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzScope.DeleteRole                     IAzScope::DeleteRole
Microsoft.Interop.Security.Azroles.IAzScope.DeleteTask                     IAzScope::DeleteTask
Microsoft.Interop.Security.Azroles.IAzScope.GetProperty                    IAzScope::GetProperty
Microsoft.Interop.Security.Azroles.IAzScope.OpenApplicationGroup           IAzScope::OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope.OpenRole                       IAzScope::OpenRole
Microsoft.Interop.Security.Azroles.IAzScope.OpenTask                       IAzScope::OpenTask
Microsoft.Interop.Security.Azroles.IAzScope.SetProperty                    IAzScope::SetProperty
Microsoft.Interop.Security.Azroles.IAzScope.Submit                         IAzScope::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzScope interface has these properties.

Property                                                                   Access type  Description
Microsoft.Interop.Security.Azroles.IAzScope.ApplicationData                Read/write   ApplicationData Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.ApplicationGroups              Read-only    ApplicationGroups Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.BizrulesWritable               Read-only    BizrulesWritable Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.CanBeDelegated                 Read-only    CanBeDelegated Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.Description                    Read/write   Description Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.Name                           Read/write   Name Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.PolicyAdministrators           Read-only    PolicyAdministrators Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.PolicyAdministratorsName       Read-only    PolicyAdministratorsName Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.PolicyReaders                  Read-only    PolicyReaders Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.PolicyReadersName              Read-only    PolicyReadersName Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.Roles                          Read-only    Roles Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.Tasks                          Read-only    Tasks Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope.Writable                       Read-only    Writable Property of IAzScope

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzScope2 interface

The Microsoft.Interop.Security.Azroles.IAzScope2 interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name. Members inherited from IAzScope map to the IAzScope documentation; the role-assignment and role-definition members are specific to IAzScope2.

Members
The Microsoft.Interop.Security.AzRoles.IAzScope2 interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzScope2 interface has these methods.

Method                                                                      Description
Microsoft.Interop.Security.Azroles.IAzScope2.AddPolicyAdministrator         IAzScope::AddPolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzScope2.AddPolicyAdministratorName     IAzScope::AddPolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope2.AddPolicyReader                IAzScope::AddPolicyReader
Microsoft.Interop.Security.Azroles.IAzScope2.AddPolicyReaderName            IAzScope::AddPolicyReaderName
Microsoft.Interop.Security.Azroles.IAzScope2.AddPropertyItem                IAzScope::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzScope2.CreateApplicationGroup         IAzScope::CreateApplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope2.CreateRole                     IAzScope::CreateRole
Microsoft.Interop.Security.Azroles.IAzScope2.CreateRoleAssignment           IAzScope2::CreateRoleAssignment
Microsoft.Interop.Security.Azroles.IAzScope2.CreateRoleDefinition           IAzScope2::CreateRoleDefinition
Microsoft.Interop.Security.Azroles.IAzScope2.CreateTask                     IAzScope::CreateTask
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteApplicationGroup         IAzScope::DeleteApplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope2.DeletePolicyAdministrator      IAzScope::DeletePolicyAdministrator
Microsoft.Interop.Security.Azroles.IAzScope2.DeletePolicyAdministratorName  IAzScope::DeletePolicyAdministratorName
Microsoft.Interop.Security.Azroles.IAzScope2.DeletePolicyReader             IAzScope::DeletePolicyReader
Microsoft.Interop.Security.Azroles.IAzScope2.DeletePolicyReaderName         IAzScope::DeletePolicyReaderName
Microsoft.Interop.Security.Azroles.IAzScope2.DeletePropertyItem             IAzScope::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteRole                     IAzScope::DeleteRole
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteRoleAssignment           IAzScope2::DeleteRoleAssignment
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteRoleDefinition           IAzScope2::DeleteRoleDefinition
Microsoft.Interop.Security.Azroles.IAzScope2.DeleteTask                     IAzScope::DeleteTask
Microsoft.Interop.Security.Azroles.IAzScope2.GetProperty                    IAzScope::GetProperty
Microsoft.Interop.Security.Azroles.IAzScope2.OpenApplicationGroup           IAzScope::OpenApplicationGroup
Microsoft.Interop.Security.Azroles.IAzScope2.OpenRole                       IAzScope::OpenRole
Microsoft.Interop.Security.Azroles.IAzScope2.OpenRoleAssignment             IAzScope2::OpenRoleAssignment
Microsoft.Interop.Security.Azroles.IAzScope2.OpenRoleDefinition             IAzScope2::OpenRoleDefinition
Microsoft.Interop.Security.Azroles.IAzScope2.OpenTask                       IAzScope::OpenTask
Microsoft.Interop.Security.Azroles.IAzScope2.SetProperty                    IAzScope::SetProperty
Microsoft.Interop.Security.Azroles.IAzScope2.Submit                         IAzScope::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzScope2 interface has these properties.

Property                                                                    Access type  Description
Microsoft.Interop.Security.Azroles.IAzScope2.ApplicationData                Read/write   ApplicationData Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.ApplicationGroups              Read-only    ApplicationGroups Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.BizrulesWritable               Read-only    BizrulesWritable Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.CanBeDelegated                 Read-only    CanBeDelegated Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.Description                    Read/write   Description Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.Name                           Read/write   Name Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.PolicyAdministrators           Read-only    PolicyAdministrators Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.PolicyAdministratorsName       Read-only    PolicyAdministratorsName Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.PolicyReaders                  Read-only    PolicyReaders Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.PolicyReadersName              Read-only    PolicyReadersName Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.RoleAssignments                Read-only    RoleAssignments Property of IAzScope2
Microsoft.Interop.Security.Azroles.IAzScope2.RoleDefinitions                Read-only    RoleDefinitions Property of IAzScope2
Microsoft.Interop.Security.Azroles.IAzScope2.Roles                          Read-only    Roles Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.Tasks                          Read-only    Tasks Property of IAzScope
Microsoft.Interop.Security.Azroles.IAzScope2.Writable                       Read-only    Writable Property of IAzScope

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzScopes interface

The Microsoft.Interop.Security.Azroles.IAzScopes interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzScopes interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzScopes interface has these methods.

Method                                                      Description
Microsoft.Interop.Security.Azroles.IAzScopes.GetEnumerator  IAzScopes::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzScopes interface has these properties.

Property                                                    Access type  Description
Microsoft.Interop.Security.Azroles.IAzScopes.Count          Read-only    Count Property of IAzScopes
Microsoft.Interop.Security.Azroles.IAzScopes.Item           Read-only    Item Property of IAzScopes

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzTask interface

The Microsoft.Interop.Security.Azroles.IAzTask interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzTask interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzTask interface has these methods.

Method                                                         Description
Microsoft.Interop.Security.Azroles.IAzTask.AddOperation        IAzTask::AddOperation
Microsoft.Interop.Security.Azroles.IAzTask.AddPropertyItem     IAzTask::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzTask.AddTask             IAzTask::AddTask
Microsoft.Interop.Security.Azroles.IAzTask.DeleteOperation     IAzTask::DeleteOperation
Microsoft.Interop.Security.Azroles.IAzTask.DeletePropertyItem  IAzTask::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzTask.DeleteTask          IAzTask::DeleteTask
Microsoft.Interop.Security.Azroles.IAzTask.GetProperty         IAzTask::GetProperty
Microsoft.Interop.Security.Azroles.IAzTask.SetProperty         IAzTask::SetProperty
Microsoft.Interop.Security.Azroles.IAzTask.Submit              IAzTask::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzTask interface has these properties.

Property                                                       Access type  Description
Microsoft.Interop.Security.Azroles.IAzTask.ApplicationData     Read/write   ApplicationData Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.BizRule             Read/write   BizRule Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.BizRuleImportedPath Read/write   BizRuleImportedPath Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.BizRuleLanguage     Read/write   BizRuleLanguage Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.Description         Read/write   Description Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.IsRoleDefinition    Read/write   IsRoleDefinition Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.Name                Read/write   Name Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.Operations          Read-only    Operations Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.Tasks               Read-only    Tasks Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask.Writable            Read-only    Writable Property of IAzTask

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzTask2 interface

The Microsoft.Interop.Security.Azroles.IAzTask2 interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name. Members inherited from IAzTask map to the IAzTask documentation; only RoleAssignments is specific to IAzTask2.

Members
The Microsoft.Interop.Security.AzRoles.IAzTask2 interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzTask2 interface has these methods.

Method                                                          Description
Microsoft.Interop.Security.Azroles.IAzTask2.AddOperation        IAzTask::AddOperation
Microsoft.Interop.Security.Azroles.IAzTask2.AddPropertyItem     IAzTask::AddPropertyItem
Microsoft.Interop.Security.Azroles.IAzTask2.AddTask             IAzTask::AddTask
Microsoft.Interop.Security.Azroles.IAzTask2.DeleteOperation     IAzTask::DeleteOperation
Microsoft.Interop.Security.Azroles.IAzTask2.DeletePropertyItem  IAzTask::DeletePropertyItem
Microsoft.Interop.Security.Azroles.IAzTask2.DeleteTask          IAzTask::DeleteTask
Microsoft.Interop.Security.Azroles.IAzTask2.GetProperty         IAzTask::GetProperty
Microsoft.Interop.Security.Azroles.IAzTask2.RoleAssignments     IAzTask2::RoleAssignments
Microsoft.Interop.Security.Azroles.IAzTask2.SetProperty         IAzTask::SetProperty
Microsoft.Interop.Security.Azroles.IAzTask2.Submit              IAzTask::Submit

Properties
The Microsoft.Interop.Security.AzRoles.IAzTask2 interface has these properties.

Property                                                        Access type  Description
Microsoft.Interop.Security.Azroles.IAzTask2.ApplicationData     Read/write   ApplicationData Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.BizRule             Read/write   BizRule Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.BizRuleImportedPath Read/write   BizRuleImportedPath Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.BizRuleLanguage     Read/write   BizRuleLanguage Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.Description         Read/write   Description Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.IsRoleDefinition    Read/write   IsRoleDefinition Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.Name                Read/write   Name Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.Operations          Read-only    Operations Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.Tasks               Read-only    Tasks Property of IAzTask
Microsoft.Interop.Security.Azroles.IAzTask2.Writable            Read-only    Writable Property of IAzTask

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
Microsoft.Interop.Security.AzRoles.IAzTasks interface

The Microsoft.Interop.Security.Azroles.IAzTasks interoperability wrapper methods and properties are documented under the COM version of the method or property. The COM method or property that each member corresponds to is listed next to the member name.

Members
The Microsoft.Interop.Security.AzRoles.IAzTasks interface has these types of members:
Methods
Properties

Methods
The Microsoft.Interop.Security.AzRoles.IAzTasks interface has these methods.

Method                                                     Description
Microsoft.Interop.Security.Azroles.IAzTasks.GetEnumerator  IAzTasks::_NewEnum

Properties
The Microsoft.Interop.Security.AzRoles.IAzTasks interface has these properties.

Property                                                   Access type  Description
Microsoft.Interop.Security.Azroles.IAzTasks.Count          Read-only    Count Property of IAzTasks
Microsoft.Interop.Security.Azroles.IAzTasks.Item           Read-only    Item Property of IAzTasks

Requirements

Requirement   Value
Assembly      Microsoft.Interop.Security.Azroles.dll
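The wrapper pages above list members but not how they combine in practice. The following C# program is an added example, not code from the original page or from Microsoft; it uses the IAzApplication, IAzScopes, IAzScope, IAzRoles, IAzRole, IAzTasks and IAzTask wrappers to answer the question a reviewer of an Authorization Manager store actually asks: which principals does each role contain, and which operations does the role grant once tasks nested inside tasks are expanded. The store URL (an XML store at C:\AzPolicy.xml) and the application name "Expense" are assumptions for the example; the program must run as a policy reader or administrator of that store, and it opens the store with flags 0 so it can only read policy.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Interop.Security.AzRoles;

// Added example (not from the original page or from Microsoft). Walks an AzMan
// policy store through the interop wrappers and prints, for every role at
// application and scope level, its members and the full set of operations it
// grants after nested tasks are expanded.
class AzManRoleAudit
{
    // Both values are assumptions for the example; point them at a real store.
    const string StoreUrl = "msxml://C:\\AzPolicy.xml";
    const string AppName = "Expense";

    static void Main()
    {
        var store = new AzAuthorizationStoreClass();
        // Flag value 0 opens an existing store; the create and batch-update flags
        // are deliberately not passed so an audit run can never alter policy.
        store.Initialize(0, StoreUrl, null);
        IAzApplication app = store.OpenApplication(AppName, null);

        Dictionary<string, IAzTask> appTasks = IndexTasks(app.Tasks);
        Report("(application)", app.Roles, appTasks);

        foreach (IAzScope scope in app.Scopes)
        {
            // Scope-level tasks are visible alongside application-level ones;
            // a scope task with the same name takes precedence in this lookup.
            var tasks = new Dictionary<string, IAzTask>(appTasks, StringComparer.OrdinalIgnoreCase);
            foreach (KeyValuePair<string, IAzTask> kv in IndexTasks(scope.Tasks))
                tasks[kv.Key] = kv.Value;
            Report(scope.Name, scope.Roles, tasks);
        }
    }

    // IAzTasks exposes GetEnumerator (the COM _NewEnum), so foreach works on it.
    static Dictionary<string, IAzTask> IndexTasks(IAzTasks tasks)
    {
        var index = new Dictionary<string, IAzTask>(StringComparer.OrdinalIgnoreCase);
        foreach (IAzTask task in tasks) index[task.Name] = task;
        return index;
    }

    static void Report(string scopeName, IAzRoles roles, Dictionary<string, IAzTask> tasks)
    {
        foreach (IAzRole role in roles)
        {
            var ops = new SortedSet<string>(StringComparer.OrdinalIgnoreCase);
            bool conditional = false;
            foreach (string op in Names(role.Operations)) ops.Add(op);
            foreach (string taskName in Names(role.Tasks))
                Expand(taskName, tasks, ops, ref conditional,
                       new HashSet<string>(StringComparer.OrdinalIgnoreCase));

            Console.WriteLine("[{0}] role '{1}'{2}", scopeName, role.Name,
                conditional ? " (some grants depend on a BizRule script)" : "");
            Console.WriteLine("  members:    {0}", string.Join(", ", Names(role.MembersName)));
            Console.WriteLine("  operations: {0}", string.Join(", ", ops));
        }
    }

    // Collect every operation reachable from a task, following tasks nested in tasks.
    static void Expand(string taskName, Dictionary<string, IAzTask> tasks, SortedSet<string> ops,
                       ref bool conditional, HashSet<string> visited)
    {
        if (!visited.Add(taskName)) return;   // a task cycle would otherwise recurse forever
        IAzTask task;
        if (!tasks.TryGetValue(taskName, out task))
        {
            Console.WriteLine("  warning: task '{0}' referenced but not found", taskName);
            return;
        }
        // A non-empty BizRule means the grant is decided by script at AccessCheck
        // time, so the static listing is an upper bound for that task.
        if (!string.IsNullOrEmpty(task.BizRule)) conditional = true;
        foreach (string op in Names(task.Operations)) ops.Add(op);
        foreach (string child in Names(task.Tasks))
            Expand(child, tasks, ops, ref conditional, visited);
    }

    // Operations, Tasks and MembersName come back as a VARIANT holding an array of
    // strings, which the wrapper surfaces as object[]; null is treated as empty.
    static IEnumerable<string> Names(object variantArray)
    {
        var items = variantArray as object[];
        if (items == null) yield break;
        foreach (object item in items) yield return Convert.ToString(item);
    }
}
```

Two points matter when reading the output. The listing is static: a task that carries a BizRule only grants its operations if the script returns true at AccessCheck time, so roles flagged as conditional should be reviewed together with the script. And the example follows the classic role model (IAzRole with Operations and Tasks); a store managed through the IAzScope2 role-definition and role-assignment objects would be walked through RoleDefinitions and RoleAssignments instead.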