Initializing a Client Context

An application must create a client context before it can use Authz API to perform access checks or auditing.

An application must call the AuthzInitializeResourceManager function to initialize the resource manager. The application can then call one of several functions to create a client context. Additionally, if you are performing access checks or auditing remotely, you must use the AuthzInitializeRemoteResourceManager function.

To create a client context based on an existing client context, call the AuthzInitializeContextFromAuthzContext function.

The AuthzInitializeContextFromToken function creates a new client context by using information in a logon token. The AuthzInitializeContextFromSid function creates a new client context by using the specified SID.

If possible, call the AuthzInitializeContextFromToken function instead of AuthzInitializeContextFromSid. AuthzInitializeContextFromSid attempts to retrieve the information available in a logon token had the client actually logged on. An actual logon token provides more information, such as logon type and logon properties, and reflects the behavior of the authentication package used for the logon. The client context created by AuthzInitializeContextFromToken uses a logon token, and the resulting client context is more complete and accurate than a client context created by AuthzInitializeContextFromSid.

Note  Security attribute variables must be present in the client context if referred to in a conditional expression; otherwise, the conditional expression term referencing them will be evaluated as unknown. For more information on conditional expressions, see the Security Descriptor Definition Language for Conditional ACEs topic.


The following example initializes the Authz resource manager and calls the AuthzInitializeContextFromToken function to create a client context from the logon token associated with the current process.

BOOL AuthzInitFromToken(AUTHZ_CLIENT_CONTEXT_HANDLE *phClientContext)

    HANDLE                            hToken = NULL;
    LUID                            Luid = {0, 0};

    ULONG                            uFlags = 0;

    //Initialize Resource Manager
        L"My Resource Manager",
        printf_s("AuthzInitializeResourceManager failed with %d\n", GetLastError);
        return FALSE;

    //Get the current token.

    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
        printf_s("OpenProcessToken failed with %d\n", GetLastError);
        return FALSE;

    //Initialize the client context

        printf_s("AuthzInitializeContextFromToken failed with %d\n", GetLastError);
        return FALSE;

    printf_s("Initialized client context. \n");
    return TRUE;


Related topics

Adding SIDs to a Client Context
Caching Access Checks
Checking Access with Authz API
How AccessCheck Works
Querying a Client Context
Security Descriptor Definition Language for Conditional ACEs