Re: Different security ObjectTypes, and the "Full Control" right

From: Hao Zhuang [MSFT] (hzhuang_at_online.microsoft.com)
Date: 09/01/04


Date: Wed, 1 Sep 2004 00:46:11 -0700

don't quite understand what you asked for. but ISecurityInformation is merely
an interface used by the "Security" property GUI to show/edit the security
descriptor, such as the GUI you see when you right-click a file/folder and
choose "Properties" and then select the "Security" tab.

the GUI will call your ISI.GetAccessRights to get the mapping from an access
bit to its string name. so if the following is an element in the array you
returned, GUI will display "Read Data" if your ACE (returned to GUI in the
GetSecurity call) has FILE_READ_DATA bit set.

  // SI_ACCESS fields: pguid (a pointer to the GUID), mask, pszName, dwFlags
  { &GUID_NULL, FILE_READ_DATA, L"Read Data", SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }

if the mapping of access bits to string names doesn't depend on the
ObjectType, you can simply ignore that parameter passed in GetAccessRights.
otherwise you need to create different mapping tables when GUI asks for
different ObjectTypes.

hope this helps.

- hao

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Ian Boyd" <admin@SWIFTPA.NET> wrote in message
news:#YRnF6djEHA.384@TK2MSFTNGP10.phx.gbl...
> i'm implementing ISecurityInformation. i want to have two different security
> object types apply to one securable object (sid). So i return two object
> types from ISecurityInformation.
>
> But now when i implement ISecurityInformation.GetAccessRights, i can
> only add the rights for one object type. That means that if i want to have a
> "Full Control" right, i have to implement it in one ObjectType or the other.
>
> That means that granting "Full Control" in one ObjectType will not be able
> to grant rights in the other ObjectType.
>
> That would mean that if i want a "Full Control" right to be able to grant
> everything, i have to cram all my rights into one ObjectType; killing the
> value of ObjectTypes in the first place. And if i have more than 16 specific
> rights, i cannot do it at all.
>
> Is there a way for a right in one ObjectType to enable bits in another
> object type? Or am i just screwed?
>
> i hate these technical platform sdk questions, they never get answered.
>
> http://groups.google.com/groups?q=ian+boyd+platformsdk+security&hl=en&lr=lang_en&ie=UTF-8&safe=off&scoring=d&selm=uBCvbOJmCHA.1244%40tkmsftngp02&rnum=6
>
> http://groups.google.com/groups?q=%22ian+boyd%22+%22access+control%22&hl=en&lr=lang_en&ie=UTF-8&safe=off&scoring=d&selm=OnkTw3iWEHA.1756%40TK2MSFTNGP12.phx.gbl&rnum=2
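
The per-ObjectType mapping described in the reply above, as an added example that is not part of the original thread and not Microsoft's code. It uses local stand-in types (Guid, AccessEntry) in place of the SDK's GUID and SI_ACCESS so it builds without aclui.h; the object types, access bits and right names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the SDK's GUID and SI_ACCESS so this builds without aclui.h. */
typedef struct { uint8_t b[16]; } Guid;
typedef struct { const Guid *type; uint32_t mask; const char *name; } AccessEntry;

/* Hypothetical object types and access bits, constructed for this example. */
static const Guid TYPE_NULL = {{0}}, TYPE_QUEUE = {{1}}, TYPE_REPORT = {{2}};
static const AccessEntry queue_rights[] = {
    { &TYPE_QUEUE, 0x0001, "Peek Message" }, { &TYPE_QUEUE, 0x0002, "Send Message" },
};
static const AccessEntry report_rights[] = {
    { &TYPE_REPORT, 0x0001, "View Report" }, { &TYPE_REPORT, 0x0002, "Edit Report" },
};
static int same(const Guid *a, const Guid *b) { return memcmp(a, b, sizeof *a) == 0; }

/* Role of GetAccessRights: NULL or the null GUID selects the default table. */
static const AccessEntry *rights_for(const Guid *type, size_t *count)
{
    *count = 2;                       /* both tables hold two entries */
    if (!type || same(type, &TYPE_NULL) || same(type, &TYPE_QUEUE)) return queue_rights;
    if (same(type, &TYPE_REPORT)) return report_rights;
    *count = 0;                       /* unknown object type: no table */
    return NULL;
}

/* Display step: name each right set in the ACE mask; return the unnamed bits. */
static uint32_t describe(const Guid *type, uint32_t ace_mask, char *out, size_t cap)
{
    size_t n;
    const AccessEntry *t = rights_for(type, &n);
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if ((ace_mask & t[i].mask) != t[i].mask) continue;
        if (out[0]) strncat(out, ", ", cap - strlen(out) - 1);
        strncat(out, t[i].name, cap - strlen(out) - 1);
        ace_mask &= ~t[i].mask;
    }
    return ace_mask;
}

int main(void)
{
    char buf[64];
    uint32_t rest = describe(&TYPE_REPORT, 0x0007, buf, sizeof buf);
    printf("%s (unnamed bits: 0x%x)\n", buf, (unsigned)rest);
    return 0;
}
```

The same mask value 0x0001 is named "Peek Message" under one object type and "View Report" under the other, which is why the table has to be chosen from the ObjectType before any bit is given a name.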
