| Platform SDK: Security |
Authorization Functions
This section contains topics for the following groups of functions.
- Basic Access Control Functions
- Access Control Editor Functions
- Client/Server Access Control Functions
- Low-Level Access Control Functions
Basic Access Control Functions
The following functions are used with access tokens.
| Function | Description |
|---|---|
| AdjustTokenGroups | Changes the group information in an access token. |
| AdjustTokenPrivileges | Enables or disables the privileges in an access token. It does not grant new privileges or revoke existing ones. |
| AuthzAccessCheck | Determines which access bits can be granted to a client for a given set of security descriptors. |
| AuthzAccessCheckCallback | An application-defined function that handles callback ACEs during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. |
| AuthzAddSidsToContext | Creates a copy of an existing context and appends a given set of SIDs and restricted SIDs. |
| AuthzCachedAccessCheck | Performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call. |
| AuthzComputeGroupsCallback | An application-defined function that creates a list of SIDs that apply to a client. |
| AuthzFreeAuditEvent | Frees the AUDIT_EVENT_INFO structure allocated in the AuthzInitializeObjectAccessAuditEvent function. |
| AuthzFreeContext | Frees all structures and memory associated with the client context. |
| AuthzFreeGroupsCallback | An application-defined function that frees memory allocated by AuthzComputeGroupsCallback. |
| AuthzFreeHandle | Finds and deletes a handle from the handle list. |
| AuthzFreeResourceManager | Frees a resource manager object. |
| AuthzGetInformationFromAuditInfo | Queries information in an AUTHZ_AUDIT_INFO_HANDLE structure. |
| AuthzGetInformationFromContext | Returns information about an Authz context. |
| AuthzInitializeContextFromAuthzContext | Creates a new client context based on an existing client context. |
| AuthzInitializeContextFromSid | Creates a user-mode client context from a user SID. |
| AuthzInitializeContextFromToken | Initializes a client authorization context from a kernel token. |
| AuthzInitialzeObjectAccessAuditEvent | Initializes auditing for an object. |
| AuthzInitializeResourceManager | Uses Authz to verify that clients have access to various resources. |
| AuthzOpenObjectAudit | Opens an object for auditing. |
| BuildImpersonateExplicitAccessWithName | Obsolete; do not use. |
| BuildImpersonateTrustee | Obsolete; do not use. |
| BuildTrusteeWithName | Sets other members of the structure to default values. |
| BuildTrusteeWithObjectsAndName | Initializes a TRUSTEE structure with the object-specific ACE information, initializing the remaining members of the structure to default values. The caller also specifies the name of the trustee. |
| BuildTrusteeWithObjectsAndSid | Initializes a TRUSTEE structure with the object-specific ACE information, initializing the remaining members of the structure to default values. |
| BuildTrusteeWithSid | Initializes a TRUSTEE structure. The caller specifies the security identifier (SID) of the trustee. |
| CheckTokenMembership | Determines whether a specified SID is enabled in a specified access token. |
| ConvertSecurityDescriptorToStringSecurityDescriptor | Converts a security descriptor to a string format. |
| ConvertSidToStringSid | Converts a SID to a string format suitable for display, storage, or transmission. |
| ConvertStringSecurityDescriptorToSecurityDescriptor | Converts a string-format security descriptor into a valid, functional security descriptor. |
| ConvertStringSidToSid | Converts a string-format SID into a valid, functional SID. |
| CopySid | Copies a security identifier (SID) to a buffer. |
| CreateRestrictedToken | Creates a new token that is a restricted version of an existing token. The restricted token can have disabled SIDs, deleted privileges, and a list of restricting SIDs. |
| DuplicateToken | Creates a new impersonation token that duplicates an existing token. |
| DuplicateTokenEx | Creates a new primary token or impersonation token that duplicates an existing token. |
| EqualPrefixSid | Tests two security-identifier (SID) prefix values for equality. |
| EqualSid | Tests two security identifier (SID) values for equality. |
| FreeSid | Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function. |
| GetAuditedPermissionsFromAcl | Retrieves the audited access rights for a specified trustee. |
| GetEffectiveRightsFromAcl | Retrieves the effective access rights that an ACL grants to a specified trustee. |
| GetExplicitEntriesFromAcl | Retrieves an array of structures that describe the access control entries (ACEs) in an access control list (ACL). |
| GetLengthSid | Returns the length, in bytes, of a valid security identifier (SID). |
| GetMultipleTrustee | Obsolete; do not use. |
| GetMultipleTrusteeOperation | Obsolete; do not use. |
| GetNamedSecurityInfo | Retrieves a copy of the security descriptor for an object specified by name. |
| GetSecurityDescriptorControl | Retrieves a security descriptor control and revision information. |
| GetTokenInformation | Retrieves information about a token. |
| GetTrusteeForm | Retrieves the trustee name from the specified TRUSTEE structure. |
| GetTrusteeName | Retrieves the trustee name from the specified TRUSTEE structure. |
| GetTrusteeType | Retrieves the trustee type from the specified TRUSTEE structure. |
| InitializeSid | Initializes a security identifier (SID). |
| IsTokenRestricted | Determines whether a token has a list of restricting SIDs. |
| IsValidSid | Validates a security identifier (SID) by verifying that the revision number is within a known range, and that the number of subauthorities is less than the maximum. |
| LookupAccountName | Accepts the name of a system and an account as input. |
| LookupAccountSid | Accepts a security identifier (SID) as input. |
| LookupPrivilegeDisplayName | Retrieves a display name representing a specified privilege. |
| LookupPrivilegeName | Retrieves the name corresponding to the privilege represented on a specific system by a specified locally unique identifier (LUID). |
| LookupPrivilegeValue | Retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name. |
| OpenProcessToken | Retrieves a handle to the primary access token for a process. |
| OpenThreadToken | Retrieves a handle to the impersonation access token for a thread. |
| RtlConvertSidToUnicodeString | Converts a SID to its Unicode character representation. |
| SetEntriesInAcl | Creates a new access control list (ACL) by merging new access control or audit-control information into an existing ACL. |
| SetNamedSecurityInfo | Sets specified security information in the security descriptor of a specified object. |
| SetThreadToken | Assigns or removes an impersonation token for a thread. |
| SetTokenInformation | Changes a token's owner, primary group, or default DACL. |
| SetSecurityDescriptorControl | Sets the control bits of a security descriptor. |
| SetSecurityInfo | Sets specified security information in the security descriptor of a specified object. |
| SetThreadToken | Assigns an impersonation token to a thread. |
| SetTokenInformation | Sets various types of information for a specified access token. |
Access Control Editor Functions
The following functions are used with the access control editor.
| Function | Description |
|---|---|
| CreateSecurityPage | Creates a basic security property page that enables the user to view and edit the access rights allowed or denied by the ACEs in an object's DACL. |
| EditSecurity | Displays a property sheet that contains a basic security property page. |
Client/Server Access Control Functions
The following functions are used by servers to impersonate clients.
| Function | Description |
|---|---|
| BuildSecurityDescriptor | Allocates and initializes a new security descriptor. |
| ConvertToAutoInheritPrivateObjectSecurity | Converts a security descriptor and its ACLs to a format that supports automatic propagation of inheritable ACEs. |
| CreatePrivateObjectSecurity | Allocates and initializes a self-relative security descriptor for a new private object. |
| CreatePrivateObjectSecurityEx | Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function. |
| CreateProcessAsUser | Creates a new process and its primary thread. The new process then runs the specified executable file. |
| CreateProcessWithLogonW | Creates a new process and its primary thread. The new process then runs the specified executable file in the security context of the specified credentials (user, domain, and password). |
| DestroyPrivateObjectSecurity | Deletes a private object's security descriptor. |
| GetPrivateObjectSecurity | Retrieves information from a private object's security descriptor. |
| ImpersonateAnonymousToken | Enables the specified thread to impersonate the system's anonymous logon token. |
| ImpersonateLoggedOnUser | Lets the calling thread impersonate the security context of a logged-on user. |
| ImpersonateNamedPipeClient | Impersonates a named-pipe client application. |
| ImpersonateSelf | Obtains an access token that impersonates the security context of the calling process. |
| LookupSecurityDescriptorParts | Retrieves security information from a self-relative security descriptor. |
| MapGenericMask | Maps the generic access rights in an access mask to specific and standard access rights. |
| ObjectCloseAuditAlarm | Generates an audit message in the security event log when a handle to a private object is deleted. |
| ObjectDeleteAuditAlarm | Generates audit messages when an object is deleted. |
| ObjectOpenAuditAlarm | Generates audit messages when a client application attempts to gain access to an object or to create a new one. |
| ObjectPrivilegeAuditAlarm | Generates an audit message in the security event log. |
| PrivilegeCheck | Determines whether a specified set of privileges are enabled in an access token. |
| PrivilegedServiceAuditAlarm | Generates an audit message in the security event log. |
| RevertToSelf | Terminates the impersonation of a client application. |
| SetPrivateObjectSecurity | Modifies a private object's security descriptor. |
| SetPrivateObjectSecurityEx | Modifies the security descriptor of a private object maintained by the resource manager calling this function. |
| SetSecurityDescriptorRMControl | Sets the resource manager control bits in the SECURITY_DESCRIPTOR structure. |
Low-Level Access Control Functions
The following low-level functions are used to manipulate security descriptors.
| Function | Description |
|---|---|
| DeleteAce | Deletes an ACE from an ACL. |
| FindFirstFreeAce | Retrieves a pointer to the first free byte in an ACL. |
| GetAce | Obtains a pointer to an ACE in an ACL. |
| GetAclInformation | Retrieves information about an ACL. |
| GetFileSecurity | Obtains specified information about the security of a file or directory. |
| GetKernelObjectSecurity | Retrieves a copy of the security descriptor protecting a kernel object. |
| GetSecurityDescriptorDacl | Retrieves a pointer to the DACL in a specified security descriptor. |
| GetSecurityDescriptorGroup | Retrieves the primary group information from a security descriptor. |
| GetSecurityDescriptorLength | Returns the length, in bytes, of a structurally valid security descriptor. |
| GetSecurityDescriptorOwner | Retrieves the owner information from a security descriptor. |
| GetSecurityDescriptorSacl | Retrieves a pointer to the SACL in a specified security descriptor. |
| GetUserObjectSecurity | Retrieves security information for the specified user object. |
| InitializeAcl | Creates a new ACL structure. |
| InitializeSecurityDescriptor | Initializes a new security descriptor. |
| IsValidAcl | Validates an ACL. |
| IsValidSecurityDescriptor | Determines whether the components of a security descriptor are valid. |
| MakeAbsoluteSD | Creates a security descriptor in absolute format by using a security descriptor in self-relative format as a template. |
| MakeSelfRelativeSD | Creates a security descriptor in self-relative format by using a security descriptor in absolute format as a template. |
| NetShareGetInfo | Retrieves information about a particular shared resource on a server. |
| NetShareSetInfo | Sets the parameters of a shared resource. |
| QueryServiceObjectSecurity | Retrieves a copy of the security descriptor associated with a service object. |
| RegGetKeySecurity | Retrieves a copy of the security descriptor protecting the specified open registry key. |
| RegSetKeySecurity | Sets the security of an open registry key. |
| SetAclInformation | Sets information about an ACL. |
| SetFileSecurity | Sets the security of a file or directory object. |
| SetKernelObjectSecurity | Sets the security of a kernel object. For example, this can be a process, thread, or event. |
| SetSecurityDescriptorDacl | Sets information in a DACL. |
| SetSecurityDescriptorGroup | Sets the primary group information of an absolute-format security descriptor, replacing any primary group information already present in the security descriptor. |
| SetSecurityDescriptorOwner | Sets the owner information of an absolute-format security descriptor. |
| SetSecurityDescriptorSacl | Sets information in a system access control list (SACL). |
| SetServiceObjectSecurity | Sets the security descriptor of a service object. |
| SetUserObjectSecurity | Sets the security of a user object. |
Platform SDK Release: October 2002
 |
What did you think of this topic? Let us know. |
 |
Order a Platform SDK CD Online (U.S./Canada) (International) |