تحرير

مشاركة عبر

Authorization Functions (Authorization)

  • مقالة

The following functions are used with authorization applications.

In this section

Topic Description
AccessCheck
 Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.
AccessCheckAndAuditAlarm
 Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
AccessCheckByType
 Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.
AccessCheckByTypeAndAuditAlarm
 Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
AccessCheckByTypeResultList
 Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.
DeriveCapabilitySidsFromName
 This function constructs two arrays of SIDs out of a capability name. One is an array group SID with NT Authority, and the other is an array of capability SIDs with AppAuthority.
AccessCheckByTypeResultListAndAuditAlarm
 Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.
AccessCheckByTypeResultListAndAuditAlarmByHandle
 Determines whether a security descriptor grants a specified set of access rights to the client that the calling thread is impersonating.
AddAccessAllowedAce
 Adds an access-allowed access control entry (ACE) to an access control list (ACL). The access is granted to a specified security identifier (SID).
AddAccessAllowedAceEx
 Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL).
AddAccessAllowedObjectAce
 Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL).
AddAccessDeniedAce
 Adds an access-denied access control entry (ACE) to an access control list (ACL). The access is denied to a specified security identifier (SID).
AddAccessDeniedAceEx
 Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL).
AddAccessDeniedObjectAce
 Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). The new ACE can deny access to an object, or to a property set or property on an object.
AddAce
 Adds one or more access control entries (ACEs) to a specified access control list (ACL).
AddAuditAccessAce
 Adds a system-audit access control entry (ACE) to a system access control list (ACL). The access of a specified security identifier (SID) is audited.
AddAuditAccessAceEx
 Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL).
AddAuditAccessObjectAce
 Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL).
AddConditionalAce
 Adds a conditional access control entry (ACE) to the specified access control list (ACL).
AddMandatoryAce
 Adds a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) to the specified system access control list (SACL).
AddResourceAttributeAce
 Adds a SYSTEM_RESOURCE_ATTRIBUTE_ACEaccess control entry (ACE) to the end of a system access control list (SACL).
AddScopedPolicyIDAce
 Adds a SYSTEM_SCOPED_POLICY_ID_ACEaccess control entry (ACE) to the end of a system access control list (SACL).
AdjustTokenGroups
 Enables or disables groups already present in the specified access token. Access to TOKEN_ADJUST_GROUPS is required to enable or disable groups in an access token.
AdjustTokenPrivileges
 Enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token requires TOKEN_ADJUST_PRIVILEGES access.
AllocateAndInitializeSid
 Allocates and initializes a security identifier (SID) with up to eight subauthorities.
AllocateLocallyUniqueId
 Allocates a locally unique identifier (LUID).
AreAllAccessesGranted
 Checks whether a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.
AreAnyAccessesGranted
 Tests whether any of a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.
AuditComputeEffectivePolicyBySid
 Computes the effective audit policy for one or more subcategories for the specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy.
AuditComputeEffectivePolicyByToken
 Computes the effective audit policy for one or more subcategories for the security principal associated with the specified token. The function computes effective audit policy by combining system audit policy with per-user policy.
AuditEnumerateCategories
 Enumerates the available audit-policy categories.
AuditEnumeratePerUserPolicy
 Enumerates users for whom per-user auditing policy is specified.
AuditEnumerateSubCategories
 Enumerates the available audit-policy subcategories.
AuditFree
 Frees the memory allocated by audit functions for the specified buffer.
AuditLookupCategoryGuidFromCategoryId
 Retrieves a GUID structure that represents the specified audit-policy category.
AuditLookupCategoryIdFromCategoryGuid
 Retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the specified audit-policy category.
AuditLookupCategoryName
 Retrieves the display name of the specified audit-policy category.
AuditLookupSubCategoryName
 Retrieves the display name of the specified audit-policy subcategory.
AuditQueryGlobalSacl
 retrieves a global system access control list (SACL) that delegates access to the audit messages.
AuditQueryPerUserPolicy
 Retrieves per-user audit policy in one or more audit-policy subcategories for the specified principal.
AuditQuerySecurity
 Retrieves security descriptor that delegates access to audit policy.
AuditQuerySystemPolicy
 Retrieves system audit policy for one or more audit-policy subcategories.
AuditSetGlobalSacl
 sets a global system access control list (SACL) that delegates access to the audit messages.
AuditSetPerUserPolicy
 Sets per-user audit policy in one or more audit subcategories for the specified principal.
AuditSetSecurity
 Sets a security descriptor that delegates access to audit policy.
AuditSetSystemPolicy
 Sets system audit policy for one or more audit-policy subcategories.
AuthzAccessCheck
 Determines which access bits can be granted to a client for a given set of security descriptors.
AuthzAccessCheckCallback
 An application-defined function that handles callback access control entries (ACEs) during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application registers this callback by calling AuthzInitializeResourceManager.
AuthzAddSidsToContext
 Creates a copy of an existing context and appends a given set of security identifiers (SIDs) and restricted SIDs.
AuthzCachedAccessCheck
 Performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call.
AuthzComputeGroupsCallback
 An application-defined function that creates a list of security identifiers (SIDs) that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name.
AuthzEnumerateSecurityEventSources
 Retrieves the registered security event sources that are not installed by default.
AuthzFreeAuditEvent
 Frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function.
AuthzFreeCentralAccessPolicyCache
 Decreases the CAP cache reference count by one so that the CAP cache can be deallocated.
AuthzFreeCentralAccessPolicyCallback
 The AuthzFreeCentralAccessPolicyCallback function is an application-defined function that frees memory allocated by the AuthzGetCentralAccessPolicyCallback function. AuthzFreeCentralAccessPolicyCallback is a placeholder for the application-defined function name.
AuthzFreeContext
 Frees all structures and memory associated with the client context. The list of handles for a client is freed in this call.
AuthzFreeGroupsCallback
 An application-defined function that frees memory allocated by the AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name.
AuthzFreeHandle
 Finds and deletes a handle from the handle list.
AuthzFreeResourceManager
 Frees a resource manager object.
AuthzGetCentralAccessPolicyCallback
 The AuthzGetCentralAccessPolicyCallback function is an application-defined function that retrieves the central access policy. AuthzGetCentralAccessPolicyCallback is a placeholder for the application-defined function name.
AuthzGetInformationFromContext
 Returns information about an Authz context.
AuthzInitializeCompoundContext
 creates a user-mode context from the given user and device security contexts.
AuthzInitializeContextFromAuthzContext
 Creates a new client context based on an existing client context.
AuthzInitializeContextFromSid
 Creates a user-mode client context from a user security identifier (SID).
AuthzInitializeContextFromToken
 Initializes a client authorization context from a kernel token. The kernel token must have been opened for TOKEN_QUERY.
AuthzInitializeObjectAccessAuditEvent
 Initializes auditing for an object.
AuthzInitializeObjectAccessAuditEvent2
 Allocates and initializes an AUTHZ_AUDIT_EVENT_HANDLE handle for use with the AuthzAccessCheck function.
AuthzInitializeRemoteResourceManager
 Allocates and initializes a remote resource manager. The caller can use the resulting handle to make RPC calls to a remote instance of the resource manager configured on a server.
AuthzInitializeResourceManager
 Uses Authz to verify that clients have access to various resources.
AuthzInitializeResourceManagerEx
 Allocates and initializes a resource manager structure.
AuthzInstallSecurityEventSource
 Installs the specified source as a security event source.
AuthzModifyClaims
 Adds, deletes, or modifies user and device claims in the Authz client context.
AuthzModifySecurityAttributes
 Modifies the security attribute information in the specified client context.
AuthzModifySids
 Adds, deletes, or modifies user and device groups in the Authz client context.
AuthzOpenObjectAudit
 Reads the system access control list (SACL) of the specified security descriptor and generates any appropriate audits specified by that SACL.
AuthzRegisterCapChangeNotification
 Registers a CAP update notification callback.
AuthzRegisterSecurityEventSource
 Registers a security event source with the Local Security Authority (LSA).
AuthzReportSecurityEvent
 Generates a security audit for a registered security event source.
AuthzReportSecurityEventFromParams
 Generates a security audit for a registered security event source by using the specified array of audit parameters.
AuthzSetAppContainerInformation
 Sets the app container and capability information in a current Authz context.
AuthzUninstallSecurityEventSource
 Removes the specified source from the list of valid security event sources.
AuthzUnregisterCapChangeNotification
 Removes a previously registered CAP update notification callback.
AuthzUnregisterSecurityEventSource
 Unregisters a security event source with the Local Security Authority (LSA).
BuildExplicitAccessWithName
 Initializes an EXPLICIT_ACCESS structure with data specified by the caller. The trustee is identified by a name string.
BuildImpersonateExplicitAccessWithName
 The BuildImpersonateExplicitAccessWithName function is not supported.
BuildImpersonateTrustee
 The BuildImpersonateTrustee function is not supported.
BuildSecurityDescriptor
 Allocates and initializes a new security descriptor.
BuildTrusteeWithName
 Initializes a TRUSTEE structure. The caller specifies the trustee name. The function sets other members of the structure to default values.
BuildTrusteeWithObjectsAndName
 Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the name of the trustee.
BuildTrusteeWithObjectsAndSid
 Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the SID structure that represents the security identifier of the trustee.
BuildTrusteeWithSid
 Initializes a TRUSTEE structure. The caller specifies the security identifier (SID) of the trustee. The function sets other members of the structure to default values and does not look up the name associated with the SID.
CheckTokenCapability
 Checks the capabilities of a given token.
CheckTokenMembership
 Determines whether a specified security identifier (SID) is enabled in an access token.
CheckTokenMembershipEx
 Determines whether the specified SID is enabled in the specified token.
ConvertSecurityDescriptorToStringSecurityDescriptor
 Converts a security descriptor to a string format. You can use the string format to store or transmit the security descriptor.
ConvertSidToStringSid
 Converts a security identifier (SID) to a string format suitable for display, storage, or transmission.
ConvertStringSecurityDescriptorToSecurityDescriptor
 Converts a string-format security descriptor into a valid, functional security descriptor.
ConvertStringSidToSid
 Converts a string-format security identifier (SID) into a valid, functional SID. You can use this function to retrieve a SID that the ConvertSidToStringSid function converted to string format.
ConvertToAutoInheritPrivateObjectSecurity
 Converts a security descriptor and its access control lists (ACLs) to a format that supports automatic propagation of inheritable access control entries (ACEs).
CopySid
 Copies a security identifier (SID) to a buffer.
CreatePrivateObjectSecurity
 Allocates and initializes a self-relative security descriptor for a new private object. A protected server calls this function when it creates a new private object.
CreatePrivateObjectSecurityEx
 Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.
CreatePrivateObjectSecurityWithMultipleInheritance
 Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.
CreateRestrictedToken
 Creates a new access token that is a restricted version of an existing access token. The restricted token can have disabled security identifiers (SIDs), deleted privileges, and a list of restricting SIDs.
CreateSecurityPage
 Creates a basic security property page that enables the user to view and edit the access rights allowed or denied by the access control entries (ACEs) in an object's discretionary access control list (DACL).
CreateWellKnownSid
 Creates a SID for predefined aliases.
DeleteAce
 Deletes an access control entry (ACE) from an access control list (ACL).
DestroyPrivateObjectSecurity
 Deletes a private object's security descriptor.
DSCreateSecurityPage
 Creates a security property page for an Active Directory object.
DSCreateISecurityInfoObject
 Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object.
DSCreateISecurityInfoObjectEx
 Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object on the specified server.
DSEditSecurity
 Displays a modal dialog box for editing security on a Directory Services (DS) object.
DuplicateToken
 Creates a new access token that duplicates one already in existence.
DuplicateTokenEx
 Creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
EditSecurity
 Displays a property sheet that contains a basic security property page. This property page enables the user to view and edit the access rights allowed or denied by the ACEs in an object's DACL.
EditSecurityAdvanced
 Extends the EditSecurity function to include the security page type when displaying the property sheet that contains a basic security property page.
EqualDomainSid
 Determines whether two SIDs are from the same domain.
EqualPrefixSid
 Tests two security-identifier (SID) prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.
EqualSid
 Tests two security identifier (SID) values for equality. Two SIDs must match exactly to be considered equal.
FindFirstFreeAce
 Retrieves a pointer to the first free byte in an access control list (ACL).
FreeInheritedFromArray
 Frees memory allocated by the GetInheritanceSource function.
FreeSid
 Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function.
GetAce
 Obtains a pointer to an access control entry (ACE) in an access control list (ACL).
GetAclInformation
 Retrieves information about an access control list (ACL).
GetAppContainerNamedObjectPath
 Retrieves the named object path for the app container.
GetAuditedPermissionsFromAcl
 Retrieves the audited access rights for a specified trustee.
GetCurrentProcessToken
 Retrieves a pseudo-handle that you can use as a shorthand way to refer to the access token associated with a process.
GetCurrentThreadEffectiveToken
 Retrieves a pseudo-handle that you can use as a shorthand way to refer to the token that is currently in effect for the thread, which is the thread token if one exists and the process token otherwise.
GetCurrentThreadToken
 Retrieves a pseudo-handle that you can use as a shorthand way to refer to the impersonation token that was assigned to the current thread.
GetEffectiveRightsFromAcl
 Retrieves the effective access rights that an ACL structure grants to a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member.
GetExplicitEntriesFromAcl
 Retrieves an array of structures that describe the access control entries (ACEs) in an access control list (ACL).
GetFileSecurity
 Obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges.
GetInheritanceSource
 Returns information about the source of inherited access control entries (ACEs) in an access control list (ACL).
GetKernelObjectSecurity
 Retrieves a copy of the security descriptor that protects a kernel object.
GetLengthSid
 Returns the length, in bytes, of a valid security identifier (SID).
GetMultipleTrustee
 The GetMultipleTrustee function is not supported.
GetMultipleTrusteeOperation
 The GetMultipleTrusteeOperation function is not supported.
GetNamedSecurityInfo
 Retrieves a copy of the security descriptor for an object specified by name.
GetPrivateObjectSecurity
 Retrieves information from a private object's security descriptor.
GetSecurityDescriptorControl
 Retrieves a security descriptor control and revision information.
GetSecurityDescriptorDacl
 Retrieves a pointer to the discretionary access control list (DACL) in a specified security descriptor.
GetSecurityDescriptorGroup
 Retrieves the primary group information from a security descriptor.
GetSecurityDescriptorLength
 Returns the length, in bytes, of a structurally valid security descriptor. The length includes the length of all associated structures.
GetSecurityDescriptorOwner
 Retrieves the owner information from a security descriptor.
GetSecurityDescriptorRMControl
 Retrieves the resource manager control bits.
GetSecurityDescriptorSacl
 Retrieves a pointer to the system access control list (SACL) in a specified security descriptor.
GetSecurityInfo
 Retrieves a copy of the security descriptor for an object specified by a handle.
GetSidIdentifierAuthority
 Returns a pointer to the SID_IDENTIFIER_AUTHORITY structure in a specified security identifier (SID).
GetSidLengthRequired
 Returns the length, in bytes, of the buffer required to store a SID with a specified number of subauthorities.
GetSidSubAuthority
 Returns a pointer to a specified subauthority in a security identifier (SID). The subauthority value is a relative identifier (RID).
GetSidSubAuthorityCount
 Returns a pointer to the member in a security identifier (SID) structure that contains the subauthority count.
GetTenantRestrictionsHostnames Returns a list of hostnames (e.g. foo.com) and subdomainSupportedHostnames (e.g. .bar.com) to the caller to apply Tenant Restrictions to those endpoints.
GetTokenInformation
 Retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
GetTrusteeForm
 Retrieves the trustee name from the specified TRUSTEE structure. This value indicates whether the structure uses a name string or a security identifier (SID) to identify the trustee.
GetTrusteeName
 Retrieves the trustee name from the specified TRUSTEE structure.
GetTrusteeType
 Retrieves the trustee type from the specified TRUSTEE structure. This value indicates whether the trustee is a user, a group, or the trustee type is unknown.
GetUserObjectSecurity
 Retrieves security information for the specified user object.
GetWindowsAccountDomainSid
 Receives a security identifier (SID) and returns a SID representing the domain of that SID.
ImpersonateAnonymousToken
 Enables the specified thread to impersonate the system's anonymous logon token.
ImpersonateLoggedOnUser
 Lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.
ImpersonateNamedPipeClient
 Impersonates a named-pipe client application.
ImpersonateSelf
 Obtains an access token that impersonates the security context of the calling process. The token is assigned to the calling thread.
InitializeAcl
 Initializes a new ACL structure.
InitializeSecurityDescriptor
 Initializes a new security descriptor.
InitializeSid
 Initializes a security identifier (SID).
IsTokenRestricted
 Indicates whether a token contains a list of restricted security identifiers (SIDs).
IsValidAcl
 Validates an access control list (ACL).
IsValidSecurityDescriptor
 Determines whether the components of a security descriptor are valid.
IsValidSid
 Validates a security identifier (SID) by verifying that the revision number is within a known range, and that the number of subauthorities is less than the maximum.
IsWellKnownSid
 Compares a SID to a well-known SID and returns TRUE if they match.
LookupAccountName
 Accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the name of the domain on which the account was found.
LookupAccountSid
 Accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the first domain on which this SID is found.
LookupAccountSidLocal
 Retrieves the name of the account for the specified SID on the local machine.
LookupPrivilegeDisplayName
 Retrieves the display name that represents a specified privilege.
LookupPrivilegeName
 Retrieves the name that corresponds to the privilege represented on a specific system by a specified locally unique identifier (LUID).
LookupPrivilegeValue
 Retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.
LookupSecurityDescriptorParts
 Retrieves security information from a self-relative security descriptor.
MakeAbsoluteSD
 Creates a security descriptor in absolute format by using a security descriptor in self-relative format as a template.
MakeSelfRelativeSD
 Creates a security descriptor in self-relative format by using a security descriptor in absolute format as a template.
MapGenericMask
 Maps the generic access rights in an access mask to specific and standard access rights. The function applies a mapping supplied in a GENERIC_MAPPING structure.
NtCompareTokens
 Compares two access tokens and determines whether they are equivalent with respect to a call to the AccessCheck function.
NtCreateLowBoxToken Creates a lowbox token object based on an existing access token.
ObjectCloseAuditAlarm
 Generates an audit message in the security event log when a handle to a private object is deleted.
ObjectDeleteAuditAlarm
 Generates audit messages when an object is deleted.
ObjectOpenAuditAlarm
 Generates audit messages when a client application attempts to gain access to an object or to create a new one.
ObjectPrivilegeAuditAlarm
 Generates an audit message in the security event log.
OpenProcessToken
 Opens the access token associated with a process.
OpenThreadToken
 Opens the access token associated with a thread.
PrivilegeCheck
 Determines whether a specified set of privileges are enabled in an access token.
PrivilegedServiceAuditAlarm
 Generates an audit message in the security event log.
QuerySecurityAccessMask
 Creates an access mask that represents the access permissions necessary to query the specified object security information.
QueryServiceObjectSecurity
 Retrieves a copy of the security descriptor associated with a service object.
RegGetKeySecurity
 Retrieves a copy of the security descriptor protecting the specified open registry key.
RegSetKeySecurity
 Sets the security of an open registry key.
RevertToSelf
 Terminates the impersonation of a client application.
RtlConvertSidToUnicodeString
 Converts a security identifier (SID) to its Unicode character representation.
SetAclInformation
 Sets information about an access control list (ACL).
SetEntriesInAcl
 Creates a new access control list (ACL) by merging new access control or audit control information into an existing ACL structure.
SetFileSecurity
 Sets the security of a file or directory object.
SetKernelObjectSecurity
 Sets the security of a kernel object.
SetNamedSecurityInfo
 Sets specified security information in the security descriptor of a specified object.
SetPrivateObjectSecurity
 Modifies a private object's security descriptor.
SetPrivateObjectSecurityEx
 Modifies the security descriptor of a private object maintained by the resource manager calling this function.
SetSecurityAccessMask
 Creates an access mask that represents the access permissions necessary to set the specified object security information.
SetSecurityDescriptorControl
 Sets the control bits of a security descriptor. The function can set only the control bits that relate to automatic inheritance of ACEs.
SetSecurityDescriptorDacl
 Sets information in a discretionary access control list (DACL). If a DACL is already present in the security descriptor, the DACL is replaced.
SetSecurityDescriptorGroup
 Sets the primary group information of an absolute-format security descriptor, replacing any primary group information already present in the security descriptor.
SetSecurityDescriptorOwner
 Sets the owner information of an absolute-format security descriptor. It replaces any owner information already present in the security descriptor.
SetSecurityDescriptorRMControl
 Sets the resource manager control bits in the SECURITY_DESCRIPTOR structure.
SetSecurityDescriptorSacl
 Sets information in a system access control list (SACL). If there is already a SACL present in the security descriptor, it is replaced.
SetSecurityInfo
 Sets specified security information in the security descriptor of a specified object. The caller identifies the object by a handle.
SetServiceObjectSecurity
 Sets the security descriptor of a service object.
SetThreadToken
 Assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.
SetTokenInformation
 Sets various types of information for a specified access token.
SetUserObjectSecurity
 Sets the security of a user object. This can be, for example, a window or a DDE conversation.
TreeResetNamedSecurityInfo
 Resets specified security information in the security descriptor of a specified tree of objects.
TreeSetNamedSecurityInfo
 Sets specified security information in the security descriptor of a specified tree of objects.

Authorization functions are categorized according to usage as follows.

Basic Access Control Functions

The following functions are used with access tokens.

Access Control Editor Functions

The following functions are used with the access control editor.

Client/Server Access Control Functions

The following functions are used by servers to impersonate clients.

Low-level Access Control Functions

The following low-level functions are used to manipulate security descriptors.

Audit Policy Functions