Re: Access check for inherited permission



Thanks Jeffrey!

So I can

1. Check if Joe is allowed to write Description
2. Find the ACE that grants this permission
3. Check if the ACE is CIOI
4. Check if the SID in this ACE is Joe, if not check if Joe is member of this SID

It would be quite challenging to complete step 4, can you suggest some APIs to check for group membership?

Thanks for your help!

- Tony Cheung


"Jeffrey Tan[MSFT]" <jetan@xxxxxxxxxxxxxxxxxxxx> wrote in message news:TrK0Qo99GHA.1984@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Tony,

Sorry for letting you wait.

If the security descriptor on the container object, Users in our case,
contains an ACE with CIOI (container inherit, object inherit) flags and a
GUID corresponding to the Write Description property that grants Joe the
right to write the object Description, any container/object created within
Users will inherit the ACE and the GUID will be present in the inherited
object GUID field.

If AccessCheck on Users succeeds for Joe for write Description, it will
succeed for any objects created within Users, per the inherited ACE on the
objects.

The _OBJECT_TYPE_LIST structure for AuthzAccessCheck on the top level
container Users will be

list[0].Level = ACCESS_OBJECT_GUID
list[0].ObjectType = <GUID of Users>
list[1].Level = ACCESS_PROPERTY_SET_GUID
list[1].ObjectType = <GUID of Description property>

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
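Tony's four steps, carried out in PowerShell as an added example (this is not code from either poster): it walks the DACL of the Users container for inheritable Allow ACEs that carry a write right on the Description property, then tests the trustee against Joe's own SID and his tokenGroups. The container DN and user DN are placeholders; the Description schemaIDGUID is read from the live schema rather than hard-coded.

```powershell
# Added example, not code from the thread. Applies Tony's steps 1-4 to one
# user (Joe) and one property (Description) on one container (Users).
param(
    [string]$ContainerDN = 'OU=Users,DC=example,DC=com',        # placeholder
    [string]$UserDN      = 'CN=Joe,OU=Users,DC=example,DC=com'  # placeholder
)
Add-Type -AssemblyName System.DirectoryServices

# Resolve the schemaIDGUID of the Description attribute from the schema NC.
$schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext
$descAttr = [ADSI]"LDAP://CN=Description,$schemaNC"
$propGuid = [Guid][byte[]]$descAttr.Properties['schemaIDGUID'][0]

# Step 4 input: Joe's own SID plus every SID in tokenGroups, which is the
# transitive group expansion (nested and universal groups included).
$joe = [ADSI]"LDAP://$UserDN"
$joe.RefreshCache([string[]]@('tokenGroups'))
$joeSid = (New-Object System.Security.Principal.SecurityIdentifier(
    [byte[]]$joe.Properties['objectSid'][0], 0)).Value
$groupSids = New-Object System.Collections.Generic.HashSet[string]
foreach ($raw in $joe.Properties['tokenGroups']) {
    [void]$groupSids.Add((New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0)).Value)
}

$writeBits = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty,GenericWrite,GenericAll'
$container = [ADSI]"LDAP://$ContainerDN"
$rules = $container.ObjectSecurity.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

foreach ($ace in $rules) {
    # Steps 1-2: an Allow ACE with a write right whose ObjectType is the
    # Description GUID, or the empty GUID (all properties).
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.ActiveDirectoryRights -band $writeBits) -eq 0) { continue }
    if ($ace.ObjectType -ne $propGuid -and $ace.ObjectType -ne [Guid]::Empty) { continue }
    # Step 3: only inheritable ACEs (CI/OI flags) flow to objects created under Users.
    if ($ace.InheritanceType -eq 'None') { continue }
    # Step 4: trustee is Joe himself, or a group Joe belongs to.
    $sid = $ace.IdentityReference.Value
    $via = if ($sid -eq $joeSid) { 'user' } elseif ($groupSids.Contains($sid)) { 'group' } else { $null }
    if (-not $via) { continue }
    [pscustomobject]@{
        Trustee        = $sid
        MatchedVia     = $via
        Rights         = $ace.ActiveDirectoryRights
        Inheritance    = $ace.InheritanceType
        # Non-empty means the ACE applies only to children of that object class.
        AppliesToClass = $ace.InheritedObjectType
    }
}
```

This answers step 4 but is not a full access check: ACE ordering, Deny ACEs and property-set GUIDs are not evaluated here, so the authoritative result still comes from AuthzAccessCheck with the object type list Jeffrey describes.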
