AccessCheck -- Algorithm to Perform a General Access Check

The inputs for this algorithm are:

  • SecurityContext: The SecurityContext of the user requesting access.

  • SecurityDescriptor: The security descriptor of the object to which access is requested, in the format specified in [MS-DTYP] section 2.4.6.

  • DesiredAccess: An ACCESS_MASK indicating the type of access requested, as specified in [MS-DTYP] section 2.4.3.

This algorithm returns a Boolean value:

  • TRUE if the user has the necessary access to the object.

  • FALSE otherwise.

Pseudocode for the algorithm is as follows:

  • The object store MUST build a new Token object, in the format specified in [MS-DTYP] section 2.5.2, with fields initialized as follows:

    • Sids set to SecurityContext.SIDs.

    • OwnerIndex set to SecurityContext.OwnerIndex.

    • PrimaryGroup set to SecurityContext.PrimaryGroup.

    • DefaultDACL set to SecurityContext.DefaultDACL.

    • Privileges set to SecurityContext.PrivilegeSet in locally unique identifier (LUID) form, as specified in [MS-LSAD] section

  • The object store MUST use the access check algorithm described in [MS-DTYP] section, with input values as follows:

    • SecurityDescriptor set to the SecurityDescriptor above.

    • Token set to Token.

    • Access Request mask set to DesiredAccess.

    • Object Tree set to NULL.

    • PrincipalSelfSubst set to NULL.

  • If the access check returns success, return TRUE; otherwise return FALSE.
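
A Python model of the procedure above, added here as an illustration and not taken from the specification. The dacl_check function is a simplified stand-in for the [MS-DTYP] access check: it models only the ordered ACE walk and the owner's implicit rights, and leaves out privileges, MAXIMUM_ALLOWED, object ACEs and the LUID conversion. The dict layout, helper names, SIDs and sample masks are assumptions.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"                   # simplified ACE types
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000
FILE_READ_DATA, FILE_WRITE_DATA = 0x1, 0x2

@dataclass
class SecurityContext:
    SIDs: list
    OwnerIndex: int = 0
    PrimaryGroup: int = 0
    DefaultDACL: list = field(default_factory=list)
    PrivilegeSet: list = field(default_factory=list)

@dataclass
class Token:
    Sids: list
    OwnerIndex: int
    PrimaryGroup: int
    DefaultDACL: list
    Privileges: list

def dacl_check(sd, token, mask, object_tree=None, principal_self_subst=None):
    """Simplified stand-in for the [MS-DTYP] check: ordered DACL walk only."""
    remaining = mask
    if sd["owner"] in token.Sids:               # owner implicitly holds these
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if sd["dacl"] is None:                      # NULL DACL: nothing restricts access
        return True
    for ace_type, sid, ace_mask in sd["dacl"]:  # ACE order decides the outcome
        if remaining == 0:
            break
        if sid not in token.Sids:
            continue
        if ace_type == DENY and remaining & ace_mask:
            return False
        if ace_type == ALLOW:
            remaining &= ~ace_mask
    return remaining == 0                       # empty DACL grants nothing

def access_check(ctx, security_descriptor, desired_access):
    """Wrapper from this section: build the Token, run the check, return a Boolean."""
    token = Token(Sids=list(ctx.SIDs), OwnerIndex=ctx.OwnerIndex,
                  PrimaryGroup=ctx.PrimaryGroup, DefaultDACL=ctx.DefaultDACL,
                  Privileges=list(ctx.PrivilegeSet))  # LUID conversion not modelled
    return dacl_check(security_descriptor, token, desired_access, None, None)

# Constructed sample data (SIDs and masks are illustrative, not from the spec).
USER, GROUP, OWNER = "S-1-5-21-1-2-3-1001", "S-1-5-32-545", "S-1-5-21-1-2-3-500"
CTX = SecurityContext(SIDs=[USER, GROUP])
SD = {"owner": OWNER, "dacl": [(DENY, USER, FILE_WRITE_DATA),
                               (ALLOW, GROUP, FILE_READ_DATA | FILE_WRITE_DATA)]}
```

With the sample descriptor, a read request succeeds and a read-plus-write request fails on the deny ACE. Placing the allow ACE ahead of the deny ACE reverses the second result, which is why DACL ordering belongs in any review of object permissions.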