AuthzAccessCheck and ACEs with an InheritedObjectType
junaid.shahid_at_gmail.com
Date: 06/30/05
Date: 29 Jun 2005 22:00:56 -0700
Hi,
I am using the Authz API to check the effective rights of a user on an
Active Directory object. It is working correctly except when I check
for a property right that actually applies to some contained objects
(i.e. the ACE has a non-null InheritedObjectType).
For example, I create a container (say cn=test,dc=testdom,dc=com) and
using ADSI Edit add an ACE with "User objects" in the Apply To field
(setting InheritedObjectType in the ACE to User) and allow the right
"Read profilePath" to user1. I remove all other ACEs on the container.
Now when I use AuthzAccessCheck to check whether user1 has read access
to the profilePath property (DesiredAccess=ADS_RIGHT_DS_READ_PROP and
the schemaIDGUID of the profilePath attribute at level 2 in the
OBJECT_TYPE_LIST), I get 0 in GrantedAccess. I have also tried adding
the schemaIDGUID of the User class at level 0 in the OBJECT_TYPE_LIST
but with the same results.
Is there any way possible to check this kind of access via the Authz
API or via some other alternative?
Thanks
Junaid
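An added example, not part of the original post and not Microsoft's code: a parser for the ACCESS_ALLOWED_OBJECT_ACE layout that reads the AceFlags and InheritedObjectType of an ACE like the one described above, so its flags can be inspected before the access check is run. The GUIDs and SID are constructed placeholders, and the first sample assumes the container's ACE carries INHERIT_ONLY_ACE, which the post does not state.

```python
import struct
import uuid

ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE = 0x02, 0x08                    # AceFlags bits
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2  # object-ACE Flags bits
ADS_RIGHT_DS_READ_PROP = 0x10

# Constructed placeholder GUIDs, NOT the real schemaIDGUIDs of profilePath / User.
PROFILE_PATH_GUID = uuid.UUID("11111111-1111-1111-1111-111111111111")
USER_CLASS_GUID = uuid.UUID("22222222-2222-2222-2222-222222222222")
# Constructed SID S-1-5-21-1-2-3-1105 standing in for user1.
SID_USER1 = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1105)

def build_object_ace(ace_flags, mask, object_type, inherited_type, sid):
    """Serialize an allow object ACE with both GUID fields present."""
    body = struct.pack("<II", mask, ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT)
    body += object_type.bytes_le + inherited_type.bytes_le + sid
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, ace_flags, 4 + len(body)) + body

def parse_object_ace(raw):
    """Decode header, mask, optional GUIDs and trailing SID of an allow object ACE."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", raw, 0)
    if ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE or size != len(raw):
        raise ValueError("not a well-formed ACCESS_ALLOWED_OBJECT_ACE")
    mask, flags = struct.unpack_from("<II", raw, 4)
    off, obj, inh = 12, None, None
    if flags & ACE_OBJECT_TYPE_PRESENT:
        obj, off = uuid.UUID(bytes_le=raw[off:off + 16]), off + 16
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        inh, off = uuid.UUID(bytes_le=raw[off:off + 16]), off + 16
    return {"ace_flags": ace_flags, "mask": mask, "object_type": obj,
            "inherited_object_type": inh, "sid": raw[off:]}

def grants_on_this_object(ace, desired, prop_guid):
    """Can this ACE contribute `desired` on the object whose DACL holds it?
    Trustee (SID) matching is left out; only flags, ObjectType and mask are checked."""
    if ace["ace_flags"] & INHERIT_ONLY_ACE:
        return False  # inherit-only ACEs do not control access to the object they sit on
    if ace["object_type"] not in (None, prop_guid):
        return False
    return (ace["mask"] & desired) == desired

# Constructed samples: same ACE with and without the inherit-only flag.
CONTAINER_ACE = build_object_ace(CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,
                                 ADS_RIGHT_DS_READ_PROP, PROFILE_PATH_GUID, USER_CLASS_GUID, SID_USER1)
PLAIN_ACE = build_object_ace(0, ADS_RIGHT_DS_READ_PROP, PROFILE_PATH_GUID, USER_CLASS_GUID, SID_USER1)
```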