次の方法で共有


3.1.4.9.1 LsarQuerySecurityObject (Opnum 3)

The LsarQuerySecurityObject method is invoked to query security information that is assigned to a database object. It returns the security descriptor of the object.

 NTSTATUS LsarQuerySecurityObject(
   [in] LSAPR_HANDLE ObjectHandle,
   [in] SECURITY_INFORMATION SecurityInformation,
   [out] PLSAPR_SR_SECURITY_DESCRIPTOR* SecurityDescriptor
 );

ObjectHandle: An open object handle of any type.

SecurityInformation: A bitmask specifying which portions of the security descriptor the caller is interested in.

SecurityDescriptor: Used to return the security descriptor containing the elements requested by the caller.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code

Description

0x00000000

STATUS_SUCCESS

The request was successfully completed.

0xC0000022

STATUS_ACCESS_DENIED

The caller does not have the permissions to perform this operation.

0xC00000BB

STATUS_NOT_SUPPORTED

The request is not supported.

0xC0000008

STATUS_INVALID_HANDLE

ObjectHandle is not a valid handle.

Processing:

This message takes three arguments:

ObjectHandle: Can be an open handle of any type. If the handle is not a valid context handle to an object or ObjectHandle.PolicyType is not one of the following:

The server MUST return STATUS_INVALID_HANDLE. The access required for a successful completion of this request depends on the SecurityInformation parameter. The server MUST verify that ObjectHandle grants access as specified in section 3.1.4.2.2. The following pseudocode specifies the RequiredAccess value to use in this access check.

 Set RequiredAccess equal to 0
 IF ((SecurityInformation & OWNER_SECURITY_INFORMATION) || (SecurityInformation & GROUP_SECURITY_INFORMATION) || (SecurityInformation & DACL_SECURITY_INFORMATION)) THEN
     RequiredAccess |= READ_CONTROL
 END IF
 IF (SecurityInformation & SACL_SECURITY_INFORMATION) THEN
     RequiredAccess |= ACCESS_SYSTEM_SECURITY
 END IF

SecurityInformation: A set of bits specifying which portions of the security descriptor the caller is interested in retrieving. The various bits and the associated access rights are specified in section 2.2.1.3.

SecurityDescriptor: An output parameter. If access checks pass, the server MUST fill this information with a valid self-relative security descriptor containing only the fields requested by the caller. The server MUST NOT put information into the security descriptor that the caller did not request.

It is valid for the server to not support this method for all object types. If an object does not support this method, the server MUST return STATUS_NOT_SUPPORTED.<112>