IWbemEventSink::SetSinkSecurity method

The IWbemEventSink::SetSinkSecurity method is used to set a security descriptor (SD) on a sink for all the events passing through. WMI handles the access checks based on the SD. Use this method when the provider cannot control what users are allowed to consume its events, but can set an SD for a specific sink.

Syntax


HRESULT SetSinkSecurity(
  [in]  LONG ISDLength,
  [in]  BYTE *pSD
);

Parameters

ISDLength [in]

Length of security descriptor.

pSD [in]

Security descriptor, DACL.

Return value

This method returns an HRESULT indicating the status of the method call. The following table lists the value contained within an HRESULT.

Return codeDescription
WBEM_S_NO_ERROR

The method was successful.

WBEM_E_INVALID_PARAMETER

The security descriptor is not valid. Owner or group fields are not set.

 

Remarks

The SD DACL defines who has access to the events. The access control entry (ACE) of a consumer seeking access to the events delivered to the sink must match an ACE with WBEM_RIGHT_SUBSCRIBE set in the pSD parameter. The SD owner and group specify the identity to be used when raising the event. This identity can be different than the identity of the account raising the event; however, when checking access of the event against a filter SD, both the identity of the user and the identity specified in the owner field are checked for access. For more information, see the EventAccess property of the __EventFilter class. The group field of the SD must be set and the SACL field is not used. For more information about event security and when to use this method, see Securing WMI Events.

For more information about providing events, see Writing an Event Provider.

Examples

The following code example sets the SD for all the events provided through the sink.The code requires the following #include statements and references.


#define _WIN32_WINNT 0x0500
#define SECURITY_WIN32
# pragma comment(lib, "wbemuuid.lib")
# pragma comment(lib, "Secur32.lib")
#include <windows.h>
#include <sddl.h>
#include <wbemidl.h>
#include <security.h>
#include <iostream>
using namespace std;

HRESULT CMyEventProvider::ProvideEvents( IWbemObjectSink *pSink,
                                            long lFlags )
{
    IWbemEventSink *pEventSink = NULL;
    //Create SD with allowing only administrators
    // to receive events. O:BAG:BAD:(A;;0x40;;;BA)
     long lMask = WBEM_RIGHT_SUBSCRIBE;
     WCHAR wBuf[MAX_PATH];
     _ltow( lMask, wBuf, 16 );
 
       wstring wstrSD = L"O:BAG:BAD:(A;;0x";
        wstrSD += lMask;
       wstrSD += L";;;BA)";
    ULONG ulSize = 0;
    PSECURITY_DESCRIPTOR pSD = NULL;
 
    ConvertStringSecurityDescriptorToSecurityDescriptorW(
        wstrSD.c_str(), SDDL_REVISION_1, &pSD, &ulSize ); 
    HRESULT hRes = pSink->QueryInterface( IID_IWbemEventSink,
        (void**)pEventSink );
    if( SUCCEEDED(hRes) )
        hRes = pEventSink->SetSinkSecurity( ulLength, pSD );
    LocalFree(pSD );
    return hRes;
}

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2003

Header

Wbemprov.h (include Wbemidl.h)

Library

Wbemuuid.lib

DLL

Wbemsvc.dll

 

 

Show:
© 2014 Microsoft