INFO: Determining the Maximum Allowed Access for an Object (115945)

SUMMARY

The AccessCheck() API call can be used to determine the maximum access to an object allowed for a subject. (In this article, a subject means a program running in a specific user's security context.) When using AccessCheck() for this purpose, perform the following steps:

Obtain a security descriptor that has owner, group, and DACL information.
If you are not impersonating a client, obtain an impersonation token by calling ImpersonateSelf. This token is passed as the client token in the AccessCheck() call.
Create a generic mapping structure. The contents of this structure will vary depending on the object being used.
Call AccessCheck() and request "MAXIMUM_ALLOWED" as the desired access.

If the AccessCheck() call succeeds after the above steps have been completed, the dwGrantedAccess parameter to AccessCheck() contains a mask of the object-specific rights that are granted by the security descriptor.

MORE INFORMATION

In most situations, you should not use this method of access determination. If you need access to an object to perform a task, simply try to open the object using the required access.

The AccessCheck() API is mainly intended for use with private objects created by an application. However, it can be used with predefined objects. The generic mapping values and specific rights for many of the predefined objects (files and so forth) may be found in WINNT.H.

INFO: Determining the Maximum Allowed Access for an Object (115945)

SUMMARY

MORE INFORMATION

REFERENCES