Determining the Maximum Allowed Access for an Object

 Last reviewed: September 25, 1995
Article ID: Q115945
The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API) included with: 

        - Microsoft Windows NT versions 3.1 and 3.5

SUMMARY

The AccessCheck() API call can be used to determine the maximum access to an object allowed for a subject. (In this article, a subject means a program running in a specific user's security context.) When using AccessCheck() for this purpose, perform the following steps:

  1. Obtain a security descriptor that has owner, group, and DACL information.

  2. If you are not impersonating a client, obtain an impersonation token by calling ImpersonateSelf. This token is passed as the client token in the AccessCheck() call.

  3. Create a generic mapping structure. The contents of this structure will vary depending on the object being used.

  4. Call AccessCheck() and request "MAXIMUM_ALLOWED" as the desired access.

If the AccessCheck() call succeeds after the above steps have been completed, the dwGrantedAccess parameter to AccessCheck() contains a mask of the object-specific rights that are granted by the security descriptor.

MORE INFORMATION

In most situations, you should not use this method of access determination. If you need access to an object to perform a task, simply try to open the object using the required access.

The AccessCheck() API is mainly intended for use with private objects created by an application. However, it can be used with predefined objects. The generic mapping values and specific rights for many of the predefined objects (files and so forth) may be found in WINNT.H.

REFERENCES

Please see the Security Overview in the "Win32 Programmer's Reference" and the "Win32 SDK API Reference" for more information.

Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseSecurity

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: September 25, 1995
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.