AuthzInitializeResourceManagerEx function

The AuthzInitializeResourceManagerEx function initializes an Authz resource manager and returns a handle to it. Use this function rather than AuthzInitializeResourceManager when you want the resource manager to manage Central Access Policies (CAPs).

Syntax


BOOL WINAPI AuthzInitializeResourceManagerEx(
  _In_opt_  DWORD Flags,
  _In_opt_  PVOID pAuthzInitInfo,
  _Out_     PAUTHZ_RESOURCE_MANAGER_HANDLE phAuthzResourceManager
);

Parameters

Flags [in, optional]

A DWORD value that defines how the resource manager is initialized. This parameter can be one or more of the following values.

Value / Meaning
0

Default call to the function. The resource manager is initialized as the principal identified in the process token, and auditing is in effect. Unless the AUTHZ_RM_FLAG_NO_AUDIT flag is set, SeAuditPrivilege must be enabled for the function to succeed.

AUTHZ_RM_FLAG_NO_AUDIT
1

Auditing is not in effect. If this flag is set, the caller does not need to have SeAuditPrivilege enabled to call this function. For best performance, use this flag if the resource manager will never generate an audit.

AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION
2

The resource manager is initialized as the identity of the thread token. If the current thread is impersonating, the impersonation token is used as the identity of the resource manager.

AUTHZ_RM_FLAG_NO_CENTRAL_ACCESS_POLICIES
4

The central access policy IDs are ignored, and central access policies are not evaluated.

pAuthzInitInfo [in, optional]

A pointer to an AUTHZ_INIT_INFO structure that contains the authorization resource manager initialization information.

phAuthzResourceManager [out]

A pointer to the returned resource manager handle. When you have finished using the handle, free it by using the AuthzFreeResourceManager function.

Return value

If the function succeeds, the function returns a value of TRUE.

If the function fails, it returns a value of FALSE. To get extended error information, call GetLastError.

Remarks

If the AUTHZ_RM_FLAG_NO_CENTRAL_ACCESS_POLICIES flag is specified, then AuthzAccessCheck and AuthzCachedAccessCheck ignore CAPID (Central Access Policy ID) access control entries (SYSTEM_SCOPED_POLICY_ID_ACE) and will not evaluate CAPs.

If the AUTHZ_RM_FLAG_NO_CENTRAL_ACCESS_POLICIES flag is not specified and pfnGetCentralAccessPolicy is NULL, then AuthzAccessCheck and AuthzCachedAccessCheck will get CAPs from LSA. For more information, see LsaGetAppliedCAPIDs.

If the AUTHZ_RM_FLAG_NO_CENTRAL_ACCESS_POLICIES flag is not specified and a central access policy callback is provided by the resource manager, then AuthzAccessCheck and AuthzCachedAccessCheck will get CAPs from the resource manager by invoking the callback.

The LSA and the central access policy callback can indicate that CAPs are not supported, in which case AuthzAccessCheck and AuthzCachedAccessCheck ignore CAPID ACEs and will not evaluate CAPs. The LSA and the central access policy callback may fail to return a CAP that corresponds to a particular CAPID, in which case AuthzAccessCheck and AuthzCachedAccessCheck use the same default CAP as the kernel AccessCheck.
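The flag and CAP-source rules above, as an added C example (not code from the original page). The helper names rm_cap_source, rm_needs_audit_privilege and rm_init are hypothetical, the resource manager name is constructed, and the non-Windows branch only defines stand-ins for the three flag values so the decision logic compiles off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <authz.h>   /* link with Authz.lib */
#else  /* Stand-ins so the flag logic compiles off Windows; values from the Flags table. */
typedef unsigned int DWORD;
#define AUTHZ_RM_FLAG_NO_AUDIT                        1
#define AUTHZ_RM_FLAG_INITIALIZE_UNDER_IMPERSONATION  2
#define AUTHZ_RM_FLAG_NO_CENTRAL_ACCESS_POLICIES      4
#endif

/* Helper types and names below are hypothetical; they are not part of the Authz API. */
typedef enum { CAP_IGNORED, CAP_FROM_LSA, CAP_FROM_CALLBACK } cap_source;

/* Where AuthzAccessCheck/AuthzCachedAccessCheck will look for CAPs (Remarks section). */
cap_source rm_cap_source(DWORD flags, int has_cap_callback)
{
    if (flags & AUTHZ_RM_FLAG_NO_CENTRAL_ACCESS_POLICIES)
        return CAP_IGNORED;            /* CAPID ACEs are skipped, no CAP is evaluated */
    return has_cap_callback ? CAP_FROM_CALLBACK : CAP_FROM_LSA;
}

/* Nonzero when SeAuditPrivilege must be enabled for initialization to succeed. */
int rm_needs_audit_privilege(DWORD flags) { return (flags & AUTHZ_RM_FLAG_NO_AUDIT) == 0; }

#ifdef _WIN32
/* No CAP callback is supplied, so CAPs come from LSA. Fails closed: no silent retry
   with AUTHZ_RM_FLAG_NO_AUDIT, which would turn auditing off behind the caller's back. */
BOOL rm_init(DWORD flags, AUTHZ_RESOURCE_MANAGER_HANDLE *rm)
{
    AUTHZ_INIT_INFO info = {0};
    info.version = AUTHZ_INIT_INFO_VERSION_V1;
    info.szResourceManagerName = L"ExampleResourceManager";   /* constructed name */
    if (AuthzInitializeResourceManagerEx(flags, &info, rm)) return TRUE;
    fprintf(stderr, "init failed: %lu (SeAuditPrivilege required: %d)\n",
            GetLastError(), rm_needs_audit_privilege(flags));
    return FALSE;
}
#endif

int main(void)
{
    DWORD flags = 0;   /* default: process-token identity, auditing in effect */
#ifdef _WIN32
    AUTHZ_RESOURCE_MANAGER_HANDLE rm = NULL;
    if (!rm_init(flags, &rm)) return 1;
    AuthzFreeResourceManager(rm);      /* always release the handle */
#endif
    printf("CAP source=%d, SeAuditPrivilege required=%d\n",
           (int)rm_cap_source(flags, 0), rm_needs_audit_privilege(flags));
    return 0;
}
```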

Requirements

Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]

Header

Authz.h

Library

Authz.lib

DLL

Authz.dll

See also

LsaGetAppliedCAPIDs