AuthzCachedAccessCheck function
The AuthzCachedAccessCheck function performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call.
Syntax
```cpp
BOOL WINAPI AuthzCachedAccessCheck(
  _In_  DWORD                             Flags,
  _In_  AUTHZ_ACCESS_CHECK_RESULTS_HANDLE AuthzHandle,
  _In_  PAUTHZ_ACCESS_REQUEST             pRequest,
  _In_  AUTHZ_AUDIT_EVENT_HANDLE          AuditInfo,
  _Out_ PAUTHZ_ACCESS_REPLY               pReply
);
```
Parameters
- Flags [in]
  Reserved for future use.
- AuthzHandle [in]
  A handle to the cached access check results.
- pRequest [in]
  Access request handle specifying the desired access mask, principal self SID, and the object type list structure (if any).
- AuditInfo [in]
  A structure that contains object-specific audit information. When the value of this parameter is not null, an audit is automatically requested. Static audit information is read from the resource manager structure.
- pReply [out]
  A pointer to an AUTHZ_ACCESS_REPLY handle that returns the results of access check as an array of GrantedAccessMask/ErrorValue pairs. The number of pairs returned is supplied by the caller in the ResultListLength member of the AUTHZ_ACCESS_REPLY structure.
Return value
If the function succeeds, it returns TRUE.
If the function fails, it returns FALSE. To get extended error information, call GetLastError.
Expected values of the Error members of array elements returned are shown in the following table.
| Return code | Description |
|---|---|
| | All the access bits, not including MAXIMUM_ALLOWED, are granted and the GrantedAccessMask member of the pReply parameter is not zero. |
| | The DesiredAccess member of the pRequest parameter includes ACCESS_SYSTEM_SECURITY, and the client does not have the SeSecurityPrivilege privilege. |
| | One or more of the following is true: |
Remarks
The client context pointer is stored in the AuthzHandle parameter. The structure of the client context must be exactly the same as it was at the time AuthzHandle was created. This restriction is for the following fields:
- SIDs
- RestrictedSids
- Privileges
Pointers to the primary security descriptor and the optional security descriptor array are stored in AuthzHandle at the time of handle creation. These pointers must still be valid.
The AuthzCachedAccessCheck function maintains a cache as a result of evaluating Central Access Policies (CAP) on objects unless CAPs are ignored, for example when the AUTHZ_RM_FLAG_NO_CENTRAL_ACCESS_POLICIES flag is used. The client may call the AuthzFreeCentralAccessPolicyCache function to free up this cache. Note that this requires a subsequent call to AuthzCachedAccessCheck to rebuild the cache if necessary.
For more information, see the How AccessCheck Works and Centralized Authorization Policy overviews.
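The call sequence these remarks describe, as an added example that is not part of the original reference page: one AuthzAccessCheck call creates the cached handle, a later AuthzCachedAccessCheck reuses it, and the client context and security descriptor stay alive until the handle is freed. The resource manager name, SDDL string, access masks and the `entry_allows` helper are assumptions made for illustration; the Win32 part is guarded by `_WIN32` so the helper compiles on any platform.

```c
/* Added example, not from the reference page. Build: cl example.c authz.lib advapi32.lib */
#define MAX_ALLOWED_BIT 0x02000000UL /* value of MAXIMUM_ALLOWED in winnt.h */
/* Hypothetical helper: fail closed on one GrantedAccessMask/Error pair. */
int entry_allows(unsigned long granted, unsigned long error, unsigned long desired)
{
    unsigned long need = desired & ~MAX_ALLOWED_BIT;
    return error == 0 && granted != 0 && (granted & need) == need;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#include <authz.h>
#include <stdio.h>
int main(void)
{
    AUTHZ_RESOURCE_MANAGER_HANDLE rm = NULL;
    AUTHZ_CLIENT_CONTEXT_HANDLE ctx = NULL;
    AUTHZ_ACCESS_CHECK_RESULTS_HANDLE cached = NULL;
    PSECURITY_DESCRIPTOR sd = NULL;
    HANDLE tok = NULL; LUID id = {0};
    ACCESS_MASK granted = 0; DWORD err = 0;
    AUTHZ_ACCESS_REQUEST req = {0};
    AUTHZ_ACCESS_REPLY reply = {0};
    int rc = 1;
    reply.ResultListLength = 1;           /* caller sizes the result arrays */
    reply.GrantedAccessMask = &granted;
    reply.Error = &err;
    req.DesiredAccess = FILE_GENERIC_READ;
    /* Constructed inputs: RM name, SDDL (Everyone: file read), access masks. */
    if (!AuthzInitializeResourceManager(AUTHZ_RM_FLAG_NO_AUDIT, NULL, NULL, NULL, L"example-rm", &rm)) goto done;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) goto done;
    if (!AuthzInitializeContextFromToken(0, tok, rm, NULL, id, NULL, &ctx)) goto done;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(L"O:BAG:BAD:(A;;FR;;;WD)", SDDL_REVISION_1, &sd, NULL)) goto done;
    /* Full check; a non-NULL last argument returns the cached-results handle. */
    if (!AuthzAccessCheck(0, ctx, &req, NULL, sd, NULL, 0, &reply, &cached)) goto done;
    req.DesiredAccess = FILE_READ_DATA;   /* later request on the same object */
    if (!AuthzCachedAccessCheck(0, cached, &req, NULL, &reply)) goto done;
    rc = entry_allows(granted, err, req.DesiredAccess) ? 0 : 2;
    printf("cached check: granted=0x%08lx error=%lu\n", granted, err);
done:
    /* ctx and sd must outlive every cached check, so free the handle first. */
    if (cached) AuthzFreeHandle(cached);
    if (sd) LocalFree(sd);
    if (ctx) AuthzFreeContext(ctx);
    if (tok) CloseHandle(tok);
    if (rm) AuthzFreeResourceManager(rm);
    return rc;
}
#endif
```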
Requirements
| Minimum supported client | Windows XP [desktop apps only] |
|---|---|
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Redistributable | Windows Server 2003 Administration Tools Pack on Windows XP |
| Header | |
| Library | |
| DLL | |
See also
- Basic Access Control Functions
- How AccessCheck Works
- Centralized Authorization Policy
- AUTHZ_ACCESS_REPLY
- AuthzAccessCheck
- AuthzFreeCentralAccessPolicyCache
- AuthzInitializeResourceManager