|
JWSCL Documentation
|
class procedure AccessCheckByTypeResultList(const SecurityDescriptor: TJwSecurityDescriptor; const PrincipalSelfSid: TJwSecurityID; const ClientToken: TJwSecurityToken; const DesiredAccess: TJwAccessMask; var ObjectTypeArray: TJwObjectTypeArray; const GenericMapping: TJwSecurityGenericMappingClass; out PrivilegeSet: TJwPrivilegeSet; out GrantedAccess: TJwAccessMaskArray; out AccessStatus: TJwCardinalArray); override;
|
Parameters |
Description |
|
const SecurityDescriptor: TJwSecurityDescriptor |
defines the primary SD which is used to perform access checking. The owner and group must not be nil; otherwise the call will fail. |
|
const PrincipalSelfSid: TJwSecurityID |
defines a SID that is used to replace a principal self SID found in an inherited ACE. A principal self SID (S-1-5-10) in an ACE will be replaced by this SID. Can be nil if not used. |
|
const ClientToken: TJwSecurityToken |
A token that is used to get the SID and privileges which are used to check against the security descriptor. The parameter can be nil to use the current thread or process token. In contrast to the original AccessCheck API function, this method automatically adjusts the token type to "impersonation" if the given token is a primary one. This prevents the error ERROR_NO_IMPERSONATION_TOKEN (1309). If ClientToken is not nil it makes a copy of ClientToken and converts it to a thread token. If ClientToken is nil, it retrieves the current thread or primary token (if no thread token is available) and, in the latter case, converts it to a thread token. Furthermore this method does not impersonate any token and thus leaves an already existing thread token intact. |
|
const DesiredAccess: TJwAccessMask |
Defines the desired access to the object. New: Although the MSDN documentation for AccessCheck forbids generic rights (like GENERIC_ALL) in this parameter, the method AccessCheck will replace all generic rights with specific rights using the mapping defined by parameter GenericMapping. However, the original SecurityDescriptor will remain the same. Warning: Some generic access rights may overlap. This can lead to access denied. Example: The DACL contains a positive ACE with GENERIC_WRITE and a negative ACE with GENERIC_READ. A call to AccessCheck with DesiredAccess set to GENERIC_WRITE and GenericMapping set to TJwSecurityFileMapping (using FileGenericMapping) will fail because GENERIC_WRITE and GENERIC_READ are resolved to FILE_GENERIC_WRITE and FILE_GENERIC_READ, which both contain SYNCHRONIZE ($100000) and READ_CONTROL ($2000). |
|
var ObjectTypeArray: TJwObjectTypeArray |
defines an array of object properties. The level of the objects must comply with some rules. |
|
const GenericMapping: TJwSecurityGenericMappingClass |
Receives a class type of the class TJwSecurityGenericMapping or one of its derived classes. If the generic class TJwSecurityGenericMapping is used, all generic access rights are mapped to standard access rights (STANDARD_RIGHTS_READ...STANDARD_RIGHTS_ALL). Use only access rights in parameter DesiredAccess that are mapped by the given TJwSecurityGenericMappingClass class; otherwise AccessCheck will fail with EJwsclWinCallFailedException. E.g. TJwSecurityGenericMappingClass can be used with DesiredAccess set to STANDARD_RIGHTS_ALL. New: All access entries (ACEs) in the security descriptor DACL are scanned for GENERIC access rights (like GENERIC_ALL) and automatically converted to specific rights using parameter GenericMapping. However, the original SecurityDescriptor will remain the same. This will not happen if nil is supplied to this parameter. Make sure there are no generic rights in the ACL or DesiredAccess parameter. |
|
out PrivilegeSet: TJwPrivilegeSet |
receives the privileges that are used for access check. If none are used, this output will be nil. The caller is responsible for destroying the object! |
|
out GrantedAccess: TJwAccessMaskArray |
receives an array of access masks that indicate which rights were granted. The count of elements is the same as the length of ObjectTypeArray. |
|
out AccessStatus: TJwCardinalArray |
receives an array of return codes that define why a check failed. The count of elements is the same as the length of ObjectTypeArray. |
AccessCheckByTypeResultList does an access check of an object with properties.
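
The overlap described in the DesiredAccess warning can be reproduced with a small model of generic mapping and ordered ACE evaluation. This is an added example in Python, not JWSCL or Windows code; it assumes the DACL is in canonical order (deny ACEs before allow ACEs) and that every ACE applies to the caller, and the names map_generic, access_check and DACL are illustrative.

```python
# Added example: simplified model of DACL evaluation, not JWSCL code.
# Mask constants are the Windows SDK values for generic and file rights.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000

# Model of FileGenericMapping: generic bit -> file-specific rights.
FILE_MAPPING = {
    GENERIC_READ: 0x00120089,     # FILE_GENERIC_READ
    GENERIC_WRITE: 0x00120116,    # FILE_GENERIC_WRITE
    GENERIC_EXECUTE: 0x001200A0,  # FILE_GENERIC_EXECUTE
    GENERIC_ALL: 0x001F01FF,      # FILE_ALL_ACCESS
}

def map_generic(mask, mapping=FILE_MAPPING):
    """Replace each generic bit in mask with its specific rights."""
    for generic, specific in mapping.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def access_check(dacl, desired, mapping=FILE_MAPPING):
    """Walk ACEs in order and return (granted, bits_hit_by_deny).

    Assumption: every ACE applies to the caller (no SID matching).
    """
    remaining = map_generic(desired, mapping)
    for ace_type, ace_mask in dacl:
        ace_mask = map_generic(ace_mask, mapping)
        if ace_type == "deny":
            if ace_mask & remaining:
                return False, ace_mask & remaining
        elif ace_type == "allow":
            remaining &= ~ace_mask
            if remaining == 0:
                return True, 0
    return False, 0  # some requested bit was never granted

# Constructed DACL from the warning, in canonical order (deny first).
DACL = [("deny", GENERIC_READ), ("allow", GENERIC_WRITE)]

if __name__ == "__main__":
    # GENERIC_WRITE is refused on the bits both mapped masks share.
    ok, blocked = access_check(DACL, GENERIC_WRITE)
    print(ok, hex(blocked))
    # Requesting only the write-specific bits avoids the overlap.
    write_only = map_generic(GENERIC_WRITE) & ~map_generic(GENERIC_READ)
    print(hex(write_only), access_check(DACL, write_only))
```

Requesting only the specific rights that the deny ACE does not cover, rather than GENERIC_WRITE as a whole, is what lets the check succeed in this model.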
|
Exceptions |
Description |
|
will be raised if parameter SecurityDescriptor is nil. | |
|
will be raised if the call to AccessCheck failed. will be raised if parameter ObjectTypeArray is nil. if a call to AccessCheckByTypeResultList failed. | |
|
will be raised if parameter ObjectTypeArray contains invalid members. See this parameter for more information. | |
|
will be raised if the owner of the security descriptor is nil. Use JwNullSID to remove influence of owner to AccessCheck call. | |
|
will be raised if the group of the security descriptor is nil. Use JwNullSID to remove influence of group to AccessCheck call. | |
|
will be raised if parameter Request, SecurityDescriptor or Request.PrincipalSelfSid is nil |
|
Copyright (c) 2010. All rights reserved.
This help was created by Doc-O-Matic sponsored by toolsfactory software inc. |
|