3.1.4.2.13 ICertAdminD2::SetOfficerRights (Opnum 43)

The SetOfficerRights method is used to set Officer rights or Enrollment Agent rights. Information on role separation is specified in [CIMC-PP].

 HRESULT SetOfficerRights(
   [in, string, unique] wchar_t const* pwszAuthority,
   [in] BOOL fEnable,
   [in, ref] CERTTRANSBLOB* pctbSD
 );

pwszAuthority:  See the pwszAuthority definition in section 3.1.4.1.1.

fEnable: A 32-bit BOOL parameter composed of two 16-bit fields. Each of these fields can be set to zero or to a nonzero value as follows.


   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |F|F|F|F|F|F|F|F|F|F|F|F|F|F|F|F|R|R|R|R|R|R|R|R|R|R|R|R|R|R|R|R|
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

F - fRightsEnable: If bits 0 through 15 are 0, then disable access rights (officer or enrollment agent) and ignore the value of pctbSD.

R - RightsType: If bits 16 through 31 are 0, then the security descriptor in the pctbSD parameter is for officer rights.

If bits 16 through 31 are nonzero, the security descriptor in the pctbSD is for the enrollment agents.

pctbSD: A pointer to the CERTTRANSBLOB structure that holds the marshaled security descriptor, as specified in [MS-DTYP] section 2.4.6.

The following processing rules apply:

  1. If fRightsEnable is 0 and RightsType is 0, the server MUST disable Officer access rights (Config_Permissions_Officer_Rights) and ignore the value of pctbSD.

  2. If fRightsEnable is 0 and RightsType is nonzero, the server MUST disable Enrollment Agent access rights (Config_Permissions_Enrollment_Agent_Rights) and ignore the value of pctbSD.

  3. If fRightsEnable is nonzero and RightsType is 0, the server MUST set the security descriptor specified in pctbSD as officer access rights.

  4. If fRightsEnable is nonzero and RightsType is nonzero, the server MUST set the security descriptor specified in pctbSD as enrollment agent access rights.
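The four processing rules above, worked through as an added example (this is not code from MS-CSRA or from any Windows component). It splits fEnable into its two 16-bit fields, selects the ADM element named by the rule, and either clears it or stores the supplied descriptor. Two things are assumptions of the example rather than statements of the page: the F field (bits 0 through 15 in the diagram) is taken to be the low-order word and the R field the high-order word of the 32-bit value, and the server is given a defensive check on the marshaled self-relative SECURITY_DESCRIPTOR ([MS-DTYP] section 2.4.6) so that a malformed blob, or one with no DACL (which would grant everyone access), is never stored as Officer or Enrollment Agent rights. The CaConfig class, the function names, and the sample descriptor with its made-up SID are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Control bits of a SECURITY_DESCRIPTOR ([MS-DTYP] section 2.4.6)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
# Fixed header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
SD_HEADER_FMT = "<BBHIIII"
SD_HEADER_LEN = struct.calcsize(SD_HEADER_FMT)    # 20 bytes
ACL_HEADER_FMT = "<BBHHH"                         # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACL_HEADER_LEN = struct.calcsize(ACL_HEADER_FMT)  # 8 bytes


def split_fenable(f_enable: int) -> Tuple[int, int]:
    """Split fEnable into (fRightsEnable, RightsType).

    Assumption of this example (not stated on the page): F, bits 0-15 of the
    diagram, is the low-order word and R, bits 16-31, is the high-order word.
    """
    f_enable &= 0xFFFFFFFF
    return f_enable & 0xFFFF, (f_enable >> 16) & 0xFFFF


def validate_self_relative_sd(blob: bytes) -> None:
    """Reject a marshaled descriptor that is malformed or that protects nothing.

    Defensive check added by this example; it is not a processing rule of the spec.
    """
    if len(blob) < SD_HEADER_LEN:
        raise ValueError("descriptor shorter than its 20-byte fixed header")
    revision, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = \
        struct.unpack_from(SD_HEADER_FMT, blob, 0)
    if revision != 1:
        raise ValueError(f"unsupported SECURITY_DESCRIPTOR revision {revision}")
    if not control & SE_SELF_RELATIVE:
        raise ValueError("descriptor is not self-relative, so its offsets cannot be trusted")
    # Every nonzero offset must land inside the blob with room for at least an 8-byte SID/ACL header.
    for name, off in (("owner", off_owner), ("group", off_group), ("sacl", off_sacl), ("dacl", off_dacl)):
        if off and not (SD_HEADER_LEN <= off <= len(blob) - ACL_HEADER_LEN):
            raise ValueError(f"{name} offset {off} points outside the blob")
    # No DACL, or a NULL DACL, grants full access to everyone: never store that as an access-rights ACL.
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        raise ValueError("descriptor has no DACL (would grant everyone access)")
    _rev, _sbz, acl_size, _count, _sbz2 = struct.unpack_from(ACL_HEADER_FMT, blob, off_dacl)
    if acl_size < ACL_HEADER_LEN or off_dacl + acl_size > len(blob):
        raise ValueError("DACL AclSize runs past the end of the blob")


def descriptor_is_acceptable(blob: bytes) -> bool:
    """Boolean wrapper around validate_self_relative_sd for callers that only need yes/no."""
    try:
        validate_self_relative_sd(blob)
        return True
    except ValueError:
        return False


@dataclass
class CaConfig:
    """The two ADM elements named by the processing rules on the page (class is illustrative)."""
    Config_Permissions_Officer_Rights: Optional[bytes] = None
    Config_Permissions_Enrollment_Agent_Rights: Optional[bytes] = None


def set_officer_rights(config: CaConfig, f_enable: int, pctb_sd: bytes) -> str:
    """Server-side handling of SetOfficerRights per processing rules 1-4; returns what was done."""
    f_rights_enable, rights_type = split_fenable(f_enable)
    target = ("Config_Permissions_Officer_Rights" if rights_type == 0
              else "Config_Permissions_Enrollment_Agent_Rights")
    if f_rights_enable == 0:
        # Rules 1 and 2: disable the rights; pctbSD is ignored, so it is never parsed.
        setattr(config, target, None)
        return f"disabled {target}"
    # Rules 3 and 4: store the supplied descriptor, after the defensive check.
    validate_self_relative_sd(pctb_sd)
    setattr(config, target, bytes(pctb_sd))
    return f"set {target}"


def build_sample_sd() -> bytes:
    """Constructed sample: a self-relative SD whose DACL holds one ACCESS_ALLOWED_ACE
    for the made-up SID S-1-5-21-1-2-3-1000 with a placeholder access mask."""
    sid = struct.pack("<BB6s5I", 1, 5, b"\x00\x00\x00\x00\x00\x05", 21, 1, 2, 3, 1000)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x00000001) + sid          # ACCESS_ALLOWED_ACE_TYPE = 0
    acl = struct.pack(ACL_HEADER_FMT, 2, 0, ACL_HEADER_LEN + len(ace), 1, 0) + ace  # ACL_REVISION = 2
    header = struct.pack(SD_HEADER_FMT, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, SD_HEADER_LEN)
    return header + acl


if __name__ == "__main__":
    cfg = CaConfig()
    sd = build_sample_sd()
    print(set_officer_rights(cfg, 0x00000001, sd))   # rule 3: officer rights set
    print(set_officer_rights(cfg, 0x00010001, sd))   # rule 4: enrollment agent rights set
    print(set_officer_rights(cfg, 0x00010000, b""))  # rule 2: enrollment agent rights disabled, blob ignored
```

The dispatch deliberately never touches pctbSD on the disable paths, matching the "ignore the value of pctbSD" wording of rules 1 and 2, and only parses the blob once the rule says it will be stored. If the real on-the-wire word order turns out to be the reverse of the assumption in split_fenable, only that one function changes.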