3.1.4.6 AuthzrModifyClaims (Opnum 5)

The AuthzrModifyClaims method (opnum 5) modifies information about the identified client context.

 DWORD AuthzrModifyClaims(
     [in] AUTHZR_HANDLE ContextHandle,
     [in] AUTHZ_CONTEXT_INFORMATION_CLASS ClaimClass,
     [in] [range(1, 65535)] DWORD OperationCount,
     [in] [size_is(OperationCount)] AUTHZ_SECURITY_ATTRIBUTE_OPERATION* pClaimOperations,
     [in] [unique] AUTHZR_SECURITY_ATTRIBUTES_INFORMATION* pClaims);

ContextHandle: An AUTHZR_HANDLE structure, as defined in section 2.2.1.1. Represents the client context to modify.

ClaimClass: An AUTHZ_CONTEXT_INFORMATION_CLASS enumeration, as defined in section 2.2.2.1. Indicates the claim class.

OperationCount: The number of operations to be performed.

pClaimOperations: A pointer to an array of AUTHZ_SECURITY_ATTRIBUTE_OPERATION enumerations, as defined in section 2.2.2.2. Specifies the operations to be performed on each claim.

pClaims: A pointer to an array of AUTHZR_SECURITY_ATTRIBUTES_INFORMATION structures, as defined in section 2.2.3.7. Contains the claim(s) used to modify the client context.

Return Values:

If the function succeeds, the function MUST return 0x00000000.

If the function fails, it MUST return a nonzero error code value.

When a RAZA server receives this message, the server MUST perform the following:

If the ClaimClass parameter is any value other than AuthzContextInfoUserClaims (13) or AuthzContextInfoDeviceClaims (14), the requested modification is not supported. When this happens, the RAZA server MUST fail the call and return a nonzero error code.

The RAZA server MUST check the first element in the pClaimOperations array as indicated by OperationCount and perform operations as follows:

  • If the value pointed to by the pClaimOperations parameter is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_NONE, the RAZA server MUST return 0x00000000.

  • If the value pointed to by the pClaimOperations parameter is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL, the RAZA server MUST perform the following on the ImpersonationAccessToken in the ClientContext identified by the ContextHandle:

    1. Map the ClaimClass parameter value to the corresponding ImpersonationAccessToken array according to the following table and replace that array with the Attributes member array of pClaims.

    2. Return 0x00000000 if the operation was a success; otherwise, return a nonzero error code.

  • If the value pointed to by the pClaimOperations parameter is any other value of AUTHZ_SECURITY_ATTRIBUTE_OPERATION, perform the per-element steps listed below.

The RAZA server MUST perform the following steps on each element in the pClaimOperations array as indicated by OperationCount:

  1. If the element is not the first element and the value is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_NONE or AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL, the RAZA server MUST return a nonzero error code. The case in which the first element is one of these values is described above.

  2. If the element is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_ADD, append the corresponding element in the pClaims Attributes array to the ImpersonationAccessToken array identified according to the following table.

  3. If the element is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_DELETE, search the ImpersonationAccessToken array identified according to the following table for a member whose Value member equals the Value member of the corresponding element of the Attributes array in the pClaims parameter. If one is found, delete that element from the identified ImpersonationAccessToken array and free any memory associated with that element.

  4. If the element is AUTHZ_SECURITY_ATTRIBUTE_OPERATION_REPLACE, search the ImpersonationAccessToken array identified according to the following table for a member whose Value member equals the Value member of the corresponding element of the Attributes array in the pClaims parameter.

    1. If the attribute is located, replace the Values member of the located attribute with the replacement Values member, which is located in the corresponding Attributes array element in the Attributes member of pClaims. If the replacement Values member does not exist, the located attribute is deleted.

    2. If the attribute is not located, it is added using the replacement Values member, which is located in the corresponding Attributes array element in the Attributes member of pClaims. If the replacement Values member does not exist, the operation is ignored and no failure is reported.

| ClaimClass parameter value   | Corresponding ImpersonationAccessToken array |
|------------------------------|----------------------------------------------|
| AuthzContextInfoUserClaims   | ImpersonationAccessToken.Claims              |
| AuthzContextInfoDeviceClaims | ImpersonationAccessToken.DeviceClaims        |