
Authorization Functions

The following functions are used with authorization applications.

In this section

Topic / Description

AccessCheck

Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token.

AccessCheckAndAuditAlarm

Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.

AccessCheckByType

Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. The function can check access to a hierarchy of object types (an object, its property sets and properties) and grants or denies access to the hierarchy as a whole.

AccessCheckByTypeAndAuditAlarm

Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.

AccessCheckByTypeResultList

Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. Unlike AccessCheckByType, the function reports the access granted or denied for each object type in the hierarchy individually.

AccessCheckByTypeResultListAndAuditAlarm

Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread.

AccessCheckByTypeResultListAndAuditAlarmByHandle

Determines whether a security descriptor grants a specified set of access rights to the client that the calling thread is impersonating.

AddAccessAllowedAce

Adds an access-allowed access control entry (ACE) to an access control list (ACL). The access is granted to a specified security identifier (SID).

AddAccessAllowedAceEx

Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL).

AddAccessAllowedObjectAce

Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL).

AddAccessDeniedAce

Adds an access-denied access control entry (ACE) to an access control list (ACL). The access is denied to a specified security identifier (SID).

AddAccessDeniedAceEx

Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL).

AddAccessDeniedObjectAce

Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). The new ACE can deny access to an object, or to a property set or property on an object.

AddAce

Adds one or more access control entries (ACEs) to a specified access control list (ACL).

AddAuditAccessAce

Adds a system-audit access control entry (ACE) to a system access control list (ACL). The access of a specified security identifier (SID) is audited.

AddAuditAccessAceEx

Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL).

AddAuditAccessObjectAce

Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL).

AddConditionalAce

Adds a conditional access control entry (ACE) to the specified access control list (ACL).

AddMandatoryAce

Adds a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) to the specified system access control list (SACL).

AddResourceAttributeAce

Adds a SYSTEM_RESOURCE_ATTRIBUTE_ACE access control entry (ACE) to the end of a system access control list (SACL).

AddScopedPolicyIDAce

Adds a SYSTEM_SCOPED_POLICY_ID_ACE access control entry (ACE) to the end of a system access control list (SACL).

AdjustTokenGroups

Enables or disables groups already present in the specified access token. The token handle must have been opened with TOKEN_ADJUST_GROUPS access.

AdjustTokenPrivileges

Enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token requires TOKEN_ADJUST_PRIVILEGES access.

AllocateAndInitializeSid

Allocates and initializes a security identifier (SID) with up to eight subauthorities.

AllocateLocallyUniqueId

Allocates a locally unique identifier (LUID).

AreAllAccessesGranted

Checks whether a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.

AreAnyAccessesGranted

Tests whether any of a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask.

AuditComputeEffectivePolicyBySid

Computes the effective audit policy for one or more subcategories for the specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy.

AuditComputeEffectivePolicyByToken

Computes the effective audit policy for one or more subcategories for the security principal associated with the specified token. The function computes effective audit policy by combining system audit policy with per-user policy.

AuditEnumerateCategories

Enumerates the available audit-policy categories.

AuditEnumeratePerUserPolicy

Enumerates users for whom per-user auditing policy is specified.

AuditEnumerateSubCategories

Enumerates the available audit-policy subcategories.

AuditFree

Frees the memory allocated by audit functions for the specified buffer.

AuditLookupCategoryGuidFromCategoryId

Retrieves a GUID structure that represents the specified audit-policy category.

AuditLookupCategoryIdFromCategoryGuid

Retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the specified audit-policy category.

AuditLookupCategoryName

Retrieves the display name of the specified audit-policy category.

AuditLookupSubCategoryName

Retrieves the display name of the specified audit-policy subcategory.

AuditQueryGlobalSacl

Retrieves the global system access control list (SACL) that controls access to the audit messages.

AuditQueryPerUserPolicy

Retrieves per-user audit policy in one or more audit-policy subcategories for the specified principal.

AuditQuerySecurity

Retrieves security descriptor that delegates access to audit policy.

AuditQuerySystemPolicy

Retrieves system audit policy for one or more audit-policy subcategories.

AuditSetGlobalSacl

Sets the global system access control list (SACL) that controls access to the audit messages.

AuditSetPerUserPolicy

Sets per-user audit policy in one or more audit subcategories for the specified principal.

AuditSetSecurity

Sets a security descriptor that delegates access to audit policy.

AuditSetSystemPolicy

Sets system audit policy for one or more audit-policy subcategories.

AuthzAccessCheck

Determines which access bits can be granted to a client for a given set of security descriptors.

AuthzAccessCheckCallback

An application-defined function that handles callback access control entries (ACEs) during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application registers this callback by calling AuthzInitializeResourceManager.

AuthzAddSidsToContext

Creates a copy of an existing context and appends a given set of security identifiers (SIDs) and restricted SIDs.

AuthzCachedAccessCheck

Performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call.

AuthzComputeGroupsCallback

An application-defined function that creates a list of security identifiers (SIDs) that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name.

AuthzEnumerateSecurityEventSources

Retrieves the registered security event sources that are not installed by default.

AuthzFreeAuditEvent

Frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function.

AuthzFreeCentralAccessPolicyCache

Decreases the CAP cache reference count by one so that the CAP cache can be deallocated.

AuthzFreeCentralAccessPolicyCallback

The AuthzFreeCentralAccessPolicyCallback function is an application-defined function that frees memory allocated by the AuthzGetCentralAccessPolicyCallback function. AuthzFreeCentralAccessPolicyCallback is a placeholder for the application-defined function name.

AuthzFreeContext

Frees all structures and memory associated with the client context. The list of handles for a client is freed in this call.

AuthzFreeGroupsCallback

An application-defined function that frees memory allocated by the AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name.

AuthzFreeHandle

Finds and deletes a handle from the handle list.

AuthzFreeResourceManager

Frees a resource manager object.

AuthzGetCentralAccessPolicyCallback

The AuthzGetCentralAccessPolicyCallback function is an application-defined function that retrieves the central access policy. AuthzGetCentralAccessPolicyCallback is a placeholder for the application-defined function name.

AuthzGetInformationFromContext

Returns information about an Authz context.

AuthzInitializeCompoundContext

Creates a user-mode compound context from the given user and device security contexts.

AuthzInitializeContextFromAuthzContext

Creates a new client context based on an existing client context.

AuthzInitializeContextFromSid

Creates a user-mode client context from a user security identifier (SID).

AuthzInitializeContextFromToken

Initializes a client authorization context from a kernel token. The kernel token must have been opened for TOKEN_QUERY.

AuthzInitializeObjectAccessAuditEvent

Initializes auditing for an object.

AuthzInitializeObjectAccessAuditEvent2

Allocates and initializes an AUTHZ_AUDIT_EVENT_HANDLE handle for use with the AuthzAccessCheck function.

AuthzInitializeRemoteResourceManager

Allocates and initializes a remote resource manager. The caller can use the resulting handle to make RPC calls to a remote instance of the resource manager configured on a server.

AuthzInitializeResourceManager

Allocates and initializes a resource manager, the object through which an application uses Authz to verify that clients have access to its resources.

AuthzInitializeResourceManagerEx

Allocates and initializes a resource manager structure.

AuthzInstallSecurityEventSource

Installs the specified source as a security event source.

AuthzModifyClaims

Adds, deletes, or modifies user and device claims in the Authz client context.

AuthzModifySecurityAttributes

Modifies the security attribute information in the specified client context.

AuthzModifySids

Adds, deletes, or modifies user and device groups in the Authz client context.

AuthzOpenObjectAudit

Reads the system access control list (SACL) of the specified security descriptor and generates any appropriate audits specified by that SACL.

AuthzRegisterCapChangeNotification

Registers a CAP update notification callback.

AuthzRegisterSecurityEventSource

Registers a security event source with the Local Security Authority (LSA).

AuthzReportSecurityEvent

Generates a security audit for a registered security event source.

AuthzReportSecurityEventFromParams

Generates a security audit for a registered security event source by using the specified array of audit parameters.

AuthzSetAppContainerInformation

Sets the app container and capability information in a current Authz context.

AuthzUninstallSecurityEventSource

Removes the specified source from the list of valid security event sources.

AuthzUnregisterCapChangeNotification

Removes a previously registered CAP update notification callback.

AuthzUnregisterSecurityEventSource

Unregisters a security event source with the Local Security Authority (LSA).

BuildExplicitAccessWithName

Initializes an EXPLICIT_ACCESS structure with data specified by the caller. The trustee is identified by a name string.

BuildImpersonateExplicitAccessWithName

The BuildImpersonateExplicitAccessWithName function is not supported.

BuildImpersonateTrustee

The BuildImpersonateTrustee function is not supported.

BuildSecurityDescriptor

Allocates and initializes a new security descriptor.

BuildTrusteeWithName

Initializes a TRUSTEE structure. The caller specifies the trustee name. The function sets other members of the structure to default values.

BuildTrusteeWithObjectsAndName

Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the name of the trustee.

BuildTrusteeWithObjectsAndSid

Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the SID structure that represents the security identifier of the trustee.

BuildTrusteeWithSid

Initializes a TRUSTEE structure. The caller specifies the security identifier (SID) of the trustee. The function sets other members of the structure to default values and does not look up the name associated with the SID.

CheckTokenCapability

Determines whether a specified capability SID is present and enabled in a given token.

CheckTokenMembership

Determines whether a specified security identifier (SID) is enabled in an access token.

CheckTokenMembershipEx

Determines whether the specified SID is enabled in the specified token.

ConvertSecurityDescriptorToStringSecurityDescriptor

Converts a security descriptor to a string format. You can use the string format to store or transmit the security descriptor.

ConvertSidToStringSid

Converts a security identifier (SID) to a string format suitable for display, storage, or transmission.

ConvertStringSecurityDescriptorToSecurityDescriptor

Converts a string-format security descriptor into a valid, functional security descriptor.

ConvertStringSidToSid

Converts a string-format security identifier (SID) into a valid, functional SID. You can use this function to retrieve a SID that the ConvertSidToStringSid function converted to string format.

ConvertToAutoInheritPrivateObjectSecurity

Converts a security descriptor and its access control lists (ACLs) to a format that supports automatic propagation of inheritable access control entries (ACEs).

CopySid

Copies a security identifier (SID) to a buffer.

CreatePrivateObjectSecurity

Allocates and initializes a self-relative security descriptor for a new private object. A protected server calls this function when it creates a new private object.

CreatePrivateObjectSecurityEx

Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.

CreatePrivateObjectSecurityWithMultipleInheritance

Allocates and initializes a self-relative security descriptor for a new private object created by the resource manager calling this function.

CreateRestrictedToken

Creates a new access token that is a restricted version of an existing access token. The restricted token can have disabled security identifiers (SIDs), deleted privileges, and a list of restricting SIDs.

CreateSecurityPage

Creates a basic security property page that enables the user to view and edit the access rights allowed or denied by the access control entries (ACEs) in an object's discretionary access control list (DACL).

CreateWellKnownSid

Creates a SID for predefined aliases.

DeleteAce

Deletes an access control entry (ACE) from an access control list (ACL).

DestroyPrivateObjectSecurity

Deletes a private object's security descriptor.

DSCreateSecurityPage

Creates a security property page for an Active Directory object.

DSCreateISecurityInfoObject

Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object.

DSCreateISecurityInfoObjectEx

Creates an instance of the ISecurityInformation interface associated with the specified directory service (DS) object on the specified server.

DSEditSecurity

Displays a modal dialog box for editing security on a Directory Services (DS) object.

DuplicateToken

Creates a new access token that duplicates one already in existence.

DuplicateTokenEx

Creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.

EditSecurity

Displays a property sheet that contains a basic security property page. This property page enables the user to view and edit the access rights allowed or denied by the ACEs in an object's DACL.

EditSecurityAdvanced

Extends the EditSecurity function to include the security page type when displaying the property sheet that contains a basic security property page.

EqualDomainSid

Determines whether two SIDs are from the same domain.

EqualPrefixSid

Tests two security-identifier (SID) prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.

EqualSid

Tests two security identifier (SID) values for equality. Two SIDs must match exactly to be considered equal.

FindFirstFreeAce

Retrieves a pointer to the first free byte in an access control list (ACL).

FreeInheritedFromArray

Frees memory allocated by the GetInheritanceSource function.

FreeSid

Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function.

GetAce

Obtains a pointer to an access control entry (ACE) in an access control list (ACL).

GetAclInformation

Retrieves information about an access control list (ACL).

GetAppContainerNamedObjectPath

Retrieves the named object path for the app container.

GetAuditedPermissionsFromAcl

Retrieves the audited access rights for a specified trustee.

GetEffectiveRightsFromAcl

Retrieves the effective access rights that an ACL structure grants to a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member.

GetExplicitEntriesFromAcl

Retrieves an array of structures that describe the access control entries (ACEs) in an access control list (ACL).

GetFileSecurity

Obtains specified information about the security of a file or directory. The information obtained is constrained by the caller's access rights and privileges.

GetInheritanceSource

Returns information about the source of inherited access control entries (ACEs) in an access control list (ACL).

GetKernelObjectSecurity

Retrieves a copy of the security descriptor that protects a kernel object.

GetLengthSid

Returns the length, in bytes, of a valid security identifier (SID).

GetMultipleTrustee

The GetMultipleTrustee function is not supported.

GetMultipleTrusteeOperation

The GetMultipleTrusteeOperation function is not supported.

GetNamedSecurityInfo

Retrieves a copy of the security descriptor for an object specified by name.

GetPrivateObjectSecurity

Retrieves information from a private object's security descriptor.

GetSecurityDescriptorControl

Retrieves a security descriptor control and revision information.

GetSecurityDescriptorDacl

Retrieves a pointer to the discretionary access control list (DACL) in a specified security descriptor.

GetSecurityDescriptorGroup

Retrieves the primary group information from a security descriptor.

GetSecurityDescriptorLength

Returns the length, in bytes, of a structurally valid security descriptor. The length includes the length of all associated structures.

GetSecurityDescriptorOwner

Retrieves the owner information from a security descriptor.

GetSecurityDescriptorRMControl

Retrieves the resource manager control bits.

GetSecurityDescriptorSacl

Retrieves a pointer to the system access control list (SACL) in a specified security descriptor.

GetSecurityInfo

Retrieves a copy of the security descriptor for an object specified by a handle.

GetSidIdentifierAuthority

Returns a pointer to the SID_IDENTIFIER_AUTHORITY structure in a specified security identifier (SID).

GetSidLengthRequired

Returns the length, in bytes, of the buffer required to store a SID with a specified number of subauthorities.

GetSidSubAuthority

Returns a pointer to a specified subauthority in a security identifier (SID). The subauthority value is a relative identifier (RID).

GetSidSubAuthorityCount

Returns a pointer to the member in a security identifier (SID) structure that contains the subauthority count.

GetTokenInformation

Retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.

GetTrusteeForm

Retrieves the trustee form from the specified TRUSTEE structure. This value indicates whether the structure uses a name string or a security identifier (SID) to identify the trustee.

GetTrusteeName

Retrieves the trustee name from the specified TRUSTEE structure.

GetTrusteeType

Retrieves the trustee type from the specified TRUSTEE structure. This value indicates whether the trustee is a user, a group, or the trustee type is unknown.

GetUserObjectSecurity

Retrieves security information for the specified user object.

GetWindowsAccountDomainSid

Receives a security identifier (SID) and returns a SID representing the domain of that SID.

ImpersonateAnonymousToken

Enables the specified thread to impersonate the system's anonymous logon token.

ImpersonateLoggedOnUser

Lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.

ImpersonateNamedPipeClient

Impersonates a named-pipe client application.

ImpersonateSelf

Obtains an access token that impersonates the security context of the calling process. The token is assigned to the calling thread.

InitializeAcl

Initializes a new ACL structure.

InitializeSecurityDescriptor

Initializes a new security descriptor.

InitializeSid

Initializes a security identifier (SID).

IsTokenRestricted

Indicates whether a token contains a list of restricted security identifiers (SIDs).

IsValidAcl

Validates an access control list (ACL).

IsValidSecurityDescriptor

Determines whether the components of a security descriptor are valid.

IsValidSid

Validates a security identifier (SID) by verifying that the revision number is within a known range, and that the number of subauthorities is less than the maximum.

IsWellKnownSid

Compares a SID to a well-known SID and returns TRUE if they match.

LookupAccountName

Accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the name of the domain on which the account was found.

LookupAccountSid

Accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the first domain on which this SID is found.

LookupPrivilegeDisplayName

Retrieves the display name that represents a specified privilege.

LookupPrivilegeName

Retrieves the name that corresponds to the privilege represented on a specific system by a specified locally unique identifier (LUID).

LookupPrivilegeValue

Retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.

LookupSecurityDescriptorParts

Retrieves security information from a self-relative security descriptor.

MakeAbsoluteSD

Creates a security descriptor in absolute format by using a security descriptor in self-relative format as a template.

MakeSelfRelativeSD

Creates a security descriptor in self-relative format by using a security descriptor in absolute format as a template.

MapGenericMask

Maps the generic access rights in an access mask to specific and standard access rights. The function applies a mapping supplied in a GENERIC_MAPPING structure.

NtCompareTokens

Compares two access tokens and determines whether they are equivalent with respect to a call to the AccessCheck function.

ObjectCloseAuditAlarm

Generates an audit message in the security event log when a handle to a private object is deleted.

ObjectDeleteAuditAlarm

Generates audit messages when an object is deleted.

ObjectOpenAuditAlarm

Generates audit messages when a client application attempts to gain access to an object or to create a new one.

ObjectPrivilegeAuditAlarm

Generates an audit message in the security event log. A protected server can use this function to log a client's attempt to use a specified set of privileges with an open handle to a private object. The caller must hold SeAuditPrivilege.

OpenProcessToken

Opens the access token associated with a process.

OpenThreadToken

Opens the access token associated with a thread.

PrivilegeCheck

Determines whether a specified set of privileges is enabled in an access token.

PrivilegedServiceAuditAlarm

Generates an audit message in the security event log. A protected server can use this function to log a client's attempt to use a specified set of privileges. The caller must hold SeAuditPrivilege.

QuerySecurityAccessMask

Creates an access mask that represents the access permissions necessary to query the specified object security information.

QueryServiceObjectSecurity

Retrieves a copy of the security descriptor associated with a service object.

RegGetKeySecurity

Retrieves a copy of the security descriptor protecting the specified open registry key.

RegSetKeySecurity

Sets the security of an open registry key.

RevertToSelf

Terminates the impersonation of a client application.

RtlConvertSidToUnicodeString

Converts a security identifier (SID) to its Unicode character representation.

SetAclInformation

Sets information about an access control list (ACL).

SetEntriesInAcl

Creates a new access control list (ACL) by merging new access control or audit control information into an existing ACL structure.

SetFileSecurity

Sets the security of a file or directory object.

SetKernelObjectSecurity

Sets the security of a kernel object.

SetNamedSecurityInfo

Sets specified security information in the security descriptor of a specified object.

SetPrivateObjectSecurity

Modifies a private object's security descriptor.

SetPrivateObjectSecurityEx

Modifies the security descriptor of a private object maintained by the resource manager calling this function.

SetSecurityAccessMask

Creates an access mask that represents the access permissions necessary to set the specified object security information.

SetSecurityDescriptorControl

Sets the control bits of a security descriptor. The function can set only the control bits that relate to automatic inheritance of ACEs.

SetSecurityDescriptorDacl

Sets information in a discretionary access control list (DACL). If a DACL is already present in the security descriptor, the DACL is replaced.

SetSecurityDescriptorGroup

Sets the primary group information of an absolute-format security descriptor, replacing any primary group information already present in the security descriptor.

SetSecurityDescriptorOwner

Sets the owner information of an absolute-format security descriptor. It replaces any owner information already present in the security descriptor.

SetSecurityDescriptorRMControl

Sets the resource manager control bits in the SECURITY_DESCRIPTOR structure.

SetSecurityDescriptorSacl

Sets information in a system access control list (SACL). If there is already a SACL present in the security descriptor, it is replaced.

SetSecurityInfo

Sets specified security information in the security descriptor of a specified object. The caller identifies the object by a handle.

SetServiceObjectSecurity

Sets the security descriptor of a service object.

SetThreadToken

Assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.

SetTokenInformation

Sets various types of information for a specified access token.

SetUserObjectSecurity

Sets the security of a user object. This can be, for example, a window or a DDE conversation.

TreeResetNamedSecurityInfo

Resets specified security information in the security descriptor of a specified tree of objects.

TreeSetNamedSecurityInfo

Sets specified security information in the security descriptor of a specified tree of objects.
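The table above describes the access-check functions one at a time; the following PowerShell script, an added example that is not part of the Microsoft reference, shows how they fit together in practice. It builds a security descriptor from SDDL with ConvertStringSecurityDescriptorToSecurityDescriptor, obtains an impersonation token for the caller with ImpersonateSelf and OpenThreadToken, maps generic rights with MapGenericMask, and calls AccessCheck. The P/Invoke declarations, the AccessApi and GENERIC_MAPPING type names, the Test-SddlAccess function, the file-object generic mapping constants and the sample SDDL string are all assumptions of this example, not identifiers from the page.

```powershell
# Added example: effective-access check against an SDDL descriptor via AccessCheck.
$authzSrc = @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct GENERIC_MAPPING { public uint GenericRead, GenericWrite, GenericExecute, GenericAll; }

public static class AccessApi   // hypothetical wrapper type; declarations mirror the Win32 prototypes
{
    public const uint TOKEN_QUERY = 0x0008;
    public const int  SecurityImpersonation = 2;   // SECURITY_IMPERSONATION_LEVEL
    public const uint SDDL_REVISION_1 = 1;
    public const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, MAXIMUM_ALLOWED = 0x02000000;

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(string sddl, uint revision, out IntPtr sd, out uint sdSize);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool ImpersonateSelf(int level);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool RevertToSelf();
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);
    [DllImport("advapi32.dll")] public static extern void MapGenericMask(ref uint mask, ref GENERIC_MAPPING mapping);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AccessCheck(IntPtr sd, IntPtr token, uint desired, ref GENERIC_MAPPING mapping,
        IntPtr privSet, ref uint privSetLen, out uint granted, out bool status);
}
'@
Add-Type -TypeDefinition $authzSrc

# Constructed GENERIC_MAPPING for file objects: FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS.
$fileMapping = New-Object GENERIC_MAPPING
$fileMapping.GenericRead = 0x120089; $fileMapping.GenericWrite = 0x120116
$fileMapping.GenericExecute = 0x1200A0; $fileMapping.GenericAll = 0x1F01FF

function Test-SddlAccess {
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][uint32]$DesiredAccess,
          [GENERIC_MAPPING]$Mapping = $fileMapping)
    $sd = [IntPtr]::Zero; $sdSize = [uint32]0
    # AccessCheck requires the descriptor to carry an owner and a group, so the SDDL must have O: and G:.
    if (-not [AccessApi]::ConvertStringSecurityDescriptorToSecurityDescriptor($Sddl, [AccessApi]::SDDL_REVISION_1, [ref]$sd, [ref]$sdSize)) {
        throw "Bad SDDL (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    # AccessCheck needs an impersonation token; impersonating ourselves yields one for the calling user.
    if (-not [AccessApi]::ImpersonateSelf([AccessApi]::SecurityImpersonation)) { throw "ImpersonateSelf failed" }
    $token = [IntPtr]::Zero
    $privSet = [Runtime.InteropServices.Marshal]::AllocHGlobal(1024); $privLen = [uint32]1024
    try {
        if (-not [AccessApi]::OpenThreadToken([AccessApi]::GetCurrentThread(), [AccessApi]::TOKEN_QUERY, $true, [ref]$token)) {
            throw "OpenThreadToken failed"
        }
        # Generic bits are never compared against ACEs; map them to the object type's specific rights first.
        $specific = $DesiredAccess
        [AccessApi]::MapGenericMask([ref]$specific, [ref]$Mapping)
        $granted = [uint32]0; $status = $false
        # A FALSE return is an API error; a TRUE return with $status = $false is a real access denial.
        if (-not [AccessApi]::AccessCheck($sd, $token, $specific, [ref]$Mapping, $privSet, [ref]$privLen, [ref]$granted, [ref]$status)) {
            throw "AccessCheck failed (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
        [pscustomobject]@{ Requested = ('0x{0:X}' -f $specific); Granted = ('0x{0:X}' -f $granted); AccessAllowed = $status }
    } finally {
        [void][AccessApi]::RevertToSelf()
        if ($token -ne [IntPtr]::Zero) { [void][AccessApi]::CloseHandle($token) }
        [Runtime.InteropServices.Marshal]::FreeHGlobal($privSet)
        [void][AccessApi]::LocalFree($sd)
    }
}

# Constructed descriptor: owner is the caller, an access-denied ACE for FILE_WRITE_DATA (0x2) precedes
# an access-allowed ACE granting FILE_ALL_ACCESS (FA), the canonical deny-before-allow order.
$me   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$sddl = "O:${me}G:BUD:(D;;0x2;;;$me)(A;;FA;;;$me)"
Test-SddlAccess -Sddl $sddl -DesiredAccess ([AccessApi]::GENERIC_READ)    # AccessAllowed: True
Test-SddlAccess -Sddl $sddl -DesiredAccess ([AccessApi]::GENERIC_WRITE)   # AccessAllowed: False, the deny ACE wins
Test-SddlAccess -Sddl $sddl -DesiredAccess ([AccessApi]::MAXIMUM_ALLOWED) # Granted: everything except bit 0x2
```

Two details are worth keeping in mind when adapting this. MapGenericMask must run before AccessCheck, because an ACE mask is compared bit-for-bit against the request and a raw GENERIC_READ request never matches specific rights. And a deny ACE fires when any requested bit overlaps it, so denying a broad mask such as FW (which includes READ_CONTROL and SYNCHRONIZE) would also block the read request above; the example denies the single FILE_WRITE_DATA bit for that reason.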

 

Authorization functions are categorized according to usage as follows.

Basic Access Control Functions

The following functions are used with access tokens.

Access Control Editor Functions

The following functions are used with the access control editor.

Client/Server Access Control Functions

The following functions are used by servers to impersonate clients.

Low-level Access Control Functions

The following low-level functions are used to manipulate security descriptors.

Audit Policy Functions

The following functions are used to query and set system and per-user audit policy.
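The "Basic Access Control Functions" category covers the token-manipulation calls listed above (OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges, GetTokenInformation, LookupPrivilegeName). The PowerShell script below is an added example, not code from the Microsoft reference, showing the procedure for enabling a privilege and the check practitioners most often miss: AdjustTokenPrivileges returns TRUE even when the privilege is not in the token, and the real outcome is ERROR_NOT_ALL_ASSIGNED from GetLastError. The TokenApi wrapper type, the struct declarations, and the Get-TokenPrivilege and Enable-TokenPrivilege functions are this example's own names; SeShutdownPrivilege is used only as a privilege that an ordinary interactive user normally holds.

```powershell
# Added example: enable a privilege in the process token and verify the result.
$tokenSrc = @'
using System;
using System.Text;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }

[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

// TOKEN_PRIVILEGES sized for exactly one entry, which is all AdjustTokenPrivileges needs here.
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privilege; }

public static class TokenApi   // hypothetical wrapper type; declarations mirror the Win32 prototypes
{
    public const uint TOKEN_QUERY = 0x0008, TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint SE_PRIVILEGE_ENABLED = 0x2;
    public const int  ERROR_NOT_ALL_ASSIGNED = 1300;
    public const int  TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS value

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeName(string system, ref LUID luid, StringBuilder name, ref uint cchName);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
        uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint infoLength, out uint returnLength);
}
'@
Add-Type -TypeDefinition $tokenSrc

function Get-TokenPrivilege {
    # Lists every privilege in the token with its attribute flags, by parsing TOKEN_PRIVILEGES:
    # a DWORD count followed by 12-byte LUID_AND_ATTRIBUTES entries.
    param([Parameter(Mandatory)][IntPtr]$Token)
    $len = [uint32]0
    [void][TokenApi]::GetTokenInformation($Token, [TokenApi]::TokenPrivileges, [IntPtr]::Zero, 0, [ref]$len)  # size query
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
    try {
        if (-not [TokenApi]::GetTokenInformation($Token, [TokenApi]::TokenPrivileges, $buf, $len, [ref]$len)) {
            throw "GetTokenInformation failed (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $entry = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]::Add($buf, 4 + 12 * $i), [type][LUID_AND_ATTRIBUTES])
            $luid = $entry.Luid
            $name = New-Object Text.StringBuilder 256; $cch = [uint32]256
            [void][TokenApi]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$cch)
            [pscustomobject]@{ Name = $name.ToString(); Attributes = $entry.Attributes
                               Enabled = [bool]($entry.Attributes -band [TokenApi]::SE_PRIVILEGE_ENABLED) }
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Enable-TokenPrivilege {
    # Returns $true if the privilege is enabled afterwards, $false if the token does not hold it at all.
    param([Parameter(Mandatory)][string]$Name)
    $luid = New-Object LUID
    if (-not [TokenApi]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "Unknown privilege name: $Name" }
    # Build the struct bottom-up: assigning into $tp.Privilege.Luid would only modify a copy in PowerShell.
    $la = New-Object LUID_AND_ATTRIBUTES; $la.Luid = $luid; $la.Attributes = [TokenApi]::SE_PRIVILEGE_ENABLED
    $tp = New-Object TOKEN_PRIVILEGES;     $tp.PrivilegeCount = 1; $tp.Privilege = $la
    $hTok = [IntPtr]::Zero
    $access = [TokenApi]::TOKEN_ADJUST_PRIVILEGES -bor [TokenApi]::TOKEN_QUERY
    if (-not [TokenApi]::OpenProcessToken([TokenApi]::GetCurrentProcess(), $access, [ref]$hTok)) { throw "OpenProcessToken failed" }
    try {
        $ok  = [TokenApi]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if (-not $ok) { throw "AdjustTokenPrivileges failed (error $err)" }
        # The call succeeds even when nothing was enabled; ERROR_NOT_ALL_ASSIGNED is the only signal.
        if ($err -eq [TokenApi]::ERROR_NOT_ALL_ASSIGNED) { return $false }
        # Confirm against the token itself rather than trusting the return value.
        $state = Get-TokenPrivilege -Token $hTok | Where-Object { $_.Name -eq $Name }
        return [bool]($state -and $state.Enabled)
    } finally { [void][TokenApi]::CloseHandle($hTok) }
}

Enable-TokenPrivilege -Name 'SeShutdownPrivilege'   # True for a normal interactive user
Enable-TokenPrivilege -Name 'SeTcbPrivilege'        # False unless running as LocalSystem: not in the token
```

The same pattern applies to disabling: set Attributes to 0 instead of SE_PRIVILEGE_ENABLED. Note that enabling only changes the state of a privilege the token already holds; a privilege that is absent can only be obtained by acquiring a different token, which is why the verification step re-reads the token instead of assuming success.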

© 2014 Microsoft