2.1.4.14 AccessCheck -- Algorithm to Perform a General Access Check

The inputs for this algorithm are:

• SecurityContext: The SecurityContext of the user requesting access.

• SecurityDescriptor: The security descriptor of the object to which access is requested, in the format specified in [MS-DTYP] section 2.4.6.

• DesiredAccess: An ACCESS_MASK indicating type of access requested, as specified in [MS-DTYP] section 2.4.3.

This algorithm returns a Boolean value:

• TRUE if the user has the necessary access to the object.

• FALSE otherwise.

Pseudocode for the algorithm is as follows:

• The object store MUST build a new Token object, in the format specified in [MS-DTYP] section 2.5.2, with fields initialized as follows:

  • Sids set to SecurityContext.SIDs.

  • OwnerIndex set to SecurityContext.OwnerIndex.

  • PrimaryGroup set to SecurityContext.PrimaryGroup.

  • DefaultDACL set to SecurityContext.DefaultDACL.

  • Privileges set to SecurityContext.PrivilegeSet in locally unique identifier (LUID) form, as specified in [MS-LSAD] section 3.1.1.2.1.

• The object store MUST use the access check algorithm described in [MS-DTYP] section 2.5.3.2, with input values as follows:

  • SecurityDescriptor set to the SecurityDescriptor above.

  • Token set to Token.

  • Access Request mask set to DesiredAccess.

  • Object Tree set to NULL.

  • PrincipalSelfSubst set to NULL.

• If the access check returns success, return TRUE; otherwise return FALSE.