IObjectAccessControl::IsObjectAccessAllowed

Determines whether the given trustee has specific permissions (access rights) to the database object.

HRESULT IsObjectAccessAllowed ( 
   SEC_OBJECT *         pObject,
   EXPLICIT_ACCESS *    pAccessEntry,
   BOOL *               pfResult
);

Parameters

pObject

[in]
Address of an initialized SEC_OBJECT structure that indicates the database object on which permissions are to be checked.

pAccessEntry

[in]
Address of an initialized EXPLICIT_ACCESS structure that indicates the TRUSTEE and the permissions to check.

pfResult

[out]
Address of a BOOL variable that receives the result of the check.

Return Code

S_OK

The method succeeded, whether the TRUSTEE has the permissions requested or not.

SEC_E_PERMISSIONDENIED

Caller does not have enough permission to complete the operation.

SEC_E_INVALIDACCESSENTRY

One or more permissions in the grfAccessPermissions element of the EXPLICIT_ACCESS structure are invalid.

SEC_E_INVALIDOBJECT

The object that was supplied is invalid or unknown to the provider.

E_INVALIDARG

pObject, pAccessEntry, or pfResult was a null pointer.

E_FAIL

A provider-specific error occurred.

Comments

The caller initializes pObject to specify the database object being examined. See SEC_OBJECT for an explanation on initializing this structure.

The provider determines whether the trustee has all of the permissions specified in the grfAccessPermissions entry in the EXPLICIT_ACCESS structure given in pAccessEntry. When it has determined that each permission requested is allowed and not denied, the provider sets the BOOLEAN variable pointed to by *pfResult to TRUE. Otherwise, if any permission is denied or not specifically allowed, the provider sets *pfResult to FALSE.

The provider is permitted, while determining whether access is allowed, to use additional information related to the security attributes for the specified trustee. This includes any roles or groups of which the trustee is a member. The information used need not be given in the parameters to this method. The exact implementation of this is left to the provider.

For example, the consumer calls the provider to determine whether GENERIC_READ permission is allowed for trustee NewUser on the data source object NewTable. The provider checks the access control entry lists for NewTable and determines that NewUser does not have a GRANT_ACCESS entry for the GENERIC_READ permission. The provider also determines that NewUser does not have a DENY_ACCESS entry at all. If this were all the information provided in this call to the provider, NewUser would be denied read access to NewTable. However, the provider is allowed to check any groups to which NewUser belongs. The provider finds that NewUser is a member of the group trustee NewGroup. The provider checks the access control entry lists for NewTable and determines that NewGroup does have a SET_ACCESS entry for both GENERIC_READ and GENERIC_WRITE permissions, and after completing its check, the provider finds no DENY_ACCESS entries. Therefore, the provider chooses to allow NewUser to read NewTable and sets *pfResult to TRUE.

See Also

EXPLICIT_ACCESS, IObjectAccessControl, IObjectAccessControl::GetObjectAccessRights, IObjectAccessControl::SetObjectAccessRights, SEC_OBJECT, TRUSTEE