Re: Different security ObjectTypes, and the "Full Control" right

From: Ian Boyd (admin_at_SWIFTPA.NET)
Date: 09/02/04

Date: Wed, 1 Sep 2004 21:51:23 -0400

> the GUI will call your ISI.GetAccessRights to get the mapping from an
> access bit to its string name. So if the following is an element in the
> array you returned, the GUI will display "Read Data" if your ACE (returned
> to the GUI in the GetSecurity call) has the FILE_READ_DATA bit set.

But the "Full Control" right is not a single bit. It has an access mask that
indicates which bits correspond to "Full Control" being granted.

But the AccessMask associated with "Full Control" only applies to the
default object type.

If I have an object where the default ObjectType (File&Folder) as well as my
own custom object type applies, then if the user tries to grant "Full
Control", that will only set bits based on the "Full Control" right's
AccessMask, which only applies to the object type.

It does not apply to my custom object type.

So if I have a custom object type, with a right called (e.g.) "Manage
Printer", the user setting "Full Control" for the "File&Folder" default
object type will not grant "Manage Printer" in my own custom object type.

Just like if I had a custom right called "Uber-1337-ness", it would not be
able to grant the "WRITE_DAC", "READ_CONTROL", or "READ_ATTRIBUTES" rights,
because access rights in one object type cannot affect access rights in
another object type.

> otherwise you need to create different mapping tables when the GUI asks for
> different ObjectTypes.

Yes, and now I have my own object type's rights, which don't get enabled when
the user selects "Full Control". That is because "Full Control" only contains
the access mask:

const
  FilePermissions_FullControl =
    FILE_EXECUTE or          // "Execute File"
    FILE_READ_DATA or        // "Read Data"
    FILE_READ_ATTRIBUTES or  // "Read Attributes"
    FILE_READ_EA or          // "Read Extended Attributes"
    FILE_WRITE_DATA or       // "Write Data"
    FILE_APPEND_DATA or      // "Append Data"
    FILE_WRITE_ATTRIBUTES or // "Write Attributes"
    FILE_WRITE_EA or         // "Write Extended Attributes"
    DELETE or                // "Delete"
    READ_CONTROL or          // "Read Permissions"
    WRITE_DAC or             // "Change Permissions"
    WRITE_OWNER;             // "Take Ownership"

It doesn't contain:

const
  MYRIGHTS_ManagePrinter = 1;
  MYRIGHTS_Uber1337ness  = 2; // "Uber-1337-ness"
  MYRIGHTS_ControlRobot  = 4;

which are access bits defined for my object type.

So that's my problem. I want to have a single displayed right called "Full
Control", which will grant all the appropriate File/Folder permissions, but
also grant the bits inside my custom object.
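An added example, not code from this post or from the Windows SDK, that models in Python the per-object-type mapping tables GetAccessRights hands the editor, and shows why the custom bits cannot ride along inside the File&Folder "Full Control" mask: the custom type's bits 1, 2 and 4 are numerically the same as FILE_READ_DATA, FILE_WRITE_DATA and FILE_APPEND_DATA, so a mask only means something together with its object type. The winnt.h bit values are the documented ones; the table layout, the object type names and the display name "Control Robot" are assumptions made here.

```python
import functools
import operator

# Documented winnt.h values for the rights named in the post.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_READ_EA = 0x0008
FILE_WRITE_EA = 0x0010
FILE_EXECUTE = 0x0020
FILE_READ_ATTRIBUTES = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000

# The custom object type's bits, with the values given in the post.
MYRIGHTS_ManagePrinter = 1
MYRIGHTS_Uber1337ness = 2
MYRIGHTS_ControlRobot = 4

# One (mask, display name) table per object type: what GetAccessRights would
# return for each object-type GUID. "Control Robot" is an assumed display name.
FILE_RIGHTS = [
    (FILE_EXECUTE, "Execute File"), (FILE_READ_DATA, "Read Data"),
    (FILE_READ_ATTRIBUTES, "Read Attributes"), (FILE_READ_EA, "Read Extended Attributes"),
    (FILE_WRITE_DATA, "Write Data"), (FILE_APPEND_DATA, "Append Data"),
    (FILE_WRITE_ATTRIBUTES, "Write Attributes"), (FILE_WRITE_EA, "Write Extended Attributes"),
    (DELETE, "Delete"), (READ_CONTROL, "Read Permissions"),
    (WRITE_DAC, "Change Permissions"), (WRITE_OWNER, "Take Ownership"),
]
CUSTOM_RIGHTS = [
    (MYRIGHTS_ManagePrinter, "Manage Printer"),
    (MYRIGHTS_Uber1337ness, "Uber-1337-ness"),
    (MYRIGHTS_ControlRobot, "Control Robot"),
]
OBJECT_TYPES = {"File&Folder": FILE_RIGHTS, "MyObject": CUSTOM_RIGHTS}

def full_control_mask(object_type):
    """'Full Control' for one object type: the union of that type's own bits."""
    return functools.reduce(operator.or_, (bit for bit, _ in OBJECT_TYPES[object_type]), 0)

def granted_names(object_type, mask):
    """The rights the editor would tick when `mask` is read with this type's table."""
    return [name for bit, name in OBJECT_TYPES[object_type] if mask & bit == bit]

def full_control_everywhere():
    """A 'Full Control' spanning both types has to be one mask per object type,
    never one merged mask: bit 1 is Read Data for files but Manage Printer here."""
    return {object_type: full_control_mask(object_type) for object_type in OBJECT_TYPES}
```

Reading the File&Folder "Full Control" mask with the custom table ticks all three custom rights, which is the overlap the separate object-type tables exist to prevent.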