HasMask Method (Entity Object)

Topic Last Modified: 2006-06-13

Determines if an entity object has specific rights to an item.

Applies To

Entity Object

Syntax


bool objEntity.HasMask(masks);

Parameters

  • masks
    A string value of bitmasks to compare with the entity object's masks.

Return Value

Returns TRUE if the masks for an entity object have the permissions specified by the masks parameter.

Remarks

Masks in the Exchange Application Security Module have three parts: item mask, subcontainer mask, and subitem mask, and are specified from left to right. Each mask has an allow and deny bit. These bits pertain to a specific permission, such as read and write permissions.

Consider the masks in an entity object for a particular user:

[0x1, 0x2, 0x1, 0x2, 0x0, 0x0]

The following table describes the allow and deny bits for this user's masks:

| User: Item Mask | User: Subcontainer Mask | User: Subitem Mask |
| Allow: 0x1 Deny: 0x2 | Allow: 0x1 Deny: 0x2 | Allow: 0x0 Deny: 0x0 |

The binary evaluations for item and subcontainer masks are the same. The allow bit is 00000001 or 0x1, and the deny bit is 00000010 or 0x2.

Note that both allow and deny bits for the subitem mask are zeros, which means that no check of those permissions is necessary.

Next, compare the user's masks with masks that specify read permissions, TestRead, and masks that specify write permissions, TestWrite.

TestRead [0x1, 0x1, 0x1, 0x1, 0x0, 0x0]

TestWrite [0x2, 0x2, 0x2, 0x2, 0x0, 0x0]

The following table shows binary bitwise comparisons of the user's masks with the TestRead and TestWrite masks for an item. For simplicity, the masks for subcontainers and subitems are not described in this detail.

| Allow Bit for Item | Deny Bit for Item | Results |
| User: 00000001 TestRead: 00000001 | User: 00000010 TestRead: 00000001 | The allow bits match, thus the user has read permission for the item. The deny bits do not match, thus the user is not denied read rights. |
| User: 00000001 TestWrite: 00000010 | User: 00000010 TestWrite: 00000010 | The allow bits do not match, thus the user is not allowed write permission for the item. The deny bits do match, thus the user is denied write permission for the item. |

These comparisons can be expressed programmatically as follows, where e is an entity object.

e.HasMask(TestRead) has one match, so this method returns TRUE.

e.HasMask(TestWrite) has no matches, so this method returns FALSE.

Note

All allow bits are evaluated first, then the deny bits are evaluated.
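
The comparison walked through in Remarks can be modelled as follows. This is an added example, not code from the Exchange Application Security Module: evaluateMasks and its result fields are hypothetical names, the overPrivileged masks are constructed, and the rule that a matching deny bit overrides a matching allow bit is an assumption drawn from the TestWrite case.

```javascript
// Model of the allow/deny comparison described in Remarks (added example).
// Mask layout, left to right, as given on the page:
// [itemAllow, itemDeny, subcontainerAllow, subcontainerDeny, subitemAllow, subitemDeny]
const PARTS = ["item", "subcontainer", "subitem"];

function evaluateMasks(userMasks, testMasks) {
  if (userMasks.length !== 6 || testMasks.length !== 6) {
    throw new RangeError("expected six mask values");
  }
  const result = { granted: false, missingAllow: [], denied: [] };

  // Pass 1: all allow bits. Every bit requested by the test mask must be
  // set in the user's allow mask. A test value of 0x0 requests nothing.
  PARTS.forEach((part, i) => {
    const wanted = testMasks[2 * i];
    if ((userMasks[2 * i] & wanted) !== wanted) result.missingAllow.push(part);
  });

  // Pass 2: all deny bits. Any overlap between the user's deny mask and
  // the test mask means the permission is explicitly denied.
  PARTS.forEach((part, i) => {
    if ((userMasks[2 * i + 1] & testMasks[2 * i + 1]) !== 0) result.denied.push(part);
  });

  // Assumption: a deny match overrides an allow match.
  result.granted = result.missingAllow.length === 0 && result.denied.length === 0;
  return result;
}

// Values from the page.
const user = [0x1, 0x2, 0x1, 0x2, 0x0, 0x0];
const TestRead = [0x1, 0x1, 0x1, 0x1, 0x0, 0x0];
const TestWrite = [0x2, 0x2, 0x2, 0x2, 0x0, 0x0];

// Constructed case: write is both allowed (0x3 includes 0x2) and denied (0x2).
const overPrivileged = [0x3, 0x2, 0x3, 0x2, 0x0, 0x0];

console.log("TestRead :", evaluateMasks(user, TestRead));
console.log("TestWrite:", evaluateMasks(user, TestWrite));
console.log("Allow+deny on write:", evaluateMasks(overPrivileged, TestWrite));
```

The third case is the one worth checking when auditing an access control list: an entry that carries the allow bit for a permission can still fail the check because the deny bit for the same permission is set.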

Example

var e = objDacl.SearchForObjectByNT4Name("MyDomain\\User1");
var m = new Array(0x0080, 0x0080, 0x0080, 0x0080, 0x0000, 0x0000);
if(e.HasMask(m)) {
    // User has that right.
}