A support function, SidInToken, takes the authorization context, a SID (referenced below as the SidToTest parameter), and an optional PrincipalSelfSubstitute parameter, and returns TRUE if the SidToTest is present in the authorization context; otherwise, it returns FALSE. The well-known SID PRINCIPAL_SELF, if passed as SidToTest, is replaced by the PrincipalSelfSubstitute SID prior to the examination of the authorization context.

Any plug-in replacement is required to use this exact algorithm, which is described using the pseudocode syntax as specified in [DALB].

 BOOLEAN SidInToken( 
     PrincipalSelfSubstitute )
     -- On entry
     --    Token is an authorization context containing all SIDs
     --       that represent the security principal
     --    SidToTest, the SID for which to search in Token
     --    PrincipalSelfSubstitute, a SID with which SidToTest may be
     --       replaced
     IF SidToTest is the Well Known SID PRINCIPAL_SELF THEN
         set SidToTest to be PrincipalSelfSubstitute
     END IF
     FOR EACH SID s in Token.Sids[] DO
         IF s equals SidToTest THEN
             return TRUE
         END IF
     END FOR
     Return FALSE