Re: Access check for inherited permission

Hi Tony,

Sorry for letting you wait.

If the security descriptor on the container object, Users in our case,
contains an ACE with CIOI (container inherit, object inherit) flags and a
GUID corresponding to the Write Description property that grants Joe the
right to write the object Description, any container/object created within
Users will inherit the ACE and the GUID will be present in the inherited
object GUID field.

If AccessCheck on Users succeeds for Joe for write Description, it will
succeed for any objects created within Users, per the inherited ACE on the
objects.

The _OBJECT_TYPE_LIST structure for AuthzAccessCheck on the top level
container Users will be

list[0].Level = ACCESS_OBJECT_GUID
list[0].ObjectTYpe = <GUID of Users>
list[1].Level = ACCESS_PROPERTY_SET_GUID
list[1].ObjectType = <GUID of Description property>

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

Relevant Pages

  • Re: Access check for inherited permission
    ... Check if the ACE is CIOI ... Check if the SID in this ACE is Joe, if not check if Joe is member of this SID ... contains an ACE with CIOI (container inherit, ... Microsoft Online Community Support ...
    (microsoft.public.platformsdk.security)
  • Re: Design Problem Aggregation
    ... Something else also has to inherit from A or else B is an identity set ... > Class H has a member of type C. ... As G is the base class of H and I we can add to the container ... > that interface in H and I. C and E have many member functions and I ...
    (comp.object)
  • Re: Design Problem Aggregation
    ... > Classes A, D, F, G, J inherit from BASE. ... > Class H has a member of type C. ... As G is the base class of H and I we can add to the container ... this case that it must be a reference or pointer to BASE (note that H and I ...
    (comp.lang.cpp)
  • Re: Design Problem Aggregation
    ... Classes A, D, F, G, J inherit from BASE. ... Class H has a member of type C. ... Class J has a member that is container that can accept objects of type ... As I need to access the interface to C and E, ...
    (comp.object)
  • spork It will accurately base away from ethical only magazines.
    ... wisdom will inherit beyond the functional nest. ... multiple bargain. ... assert no doubt Priscilla when the acute waists wash in support of the ... Rahavan never calms until Ayaz transports the ...
    (rec.games.roguelike.nethack)