Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The following functions are used with authorization applications.
In this section
| Topic | Description |
|---|---|
| AccessCheck |
Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. |
| AccessCheckAndAuditAlarm |
Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. |
| AccessCheckByType |
Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. |
| AccessCheckByTypeAndAuditAlarm |
Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. |
| AccessCheckByTypeResultList |
Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. |
| DeriveCapabilitySidsFromName |
This function constructs two arrays of SIDs out of a capability name. One is an array group SID with NT Authority, and the other is an array of capability SIDs with AppAuthority. |
| AccessCheckByTypeResultListAndAuditAlarm |
Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. |
| AccessCheckByTypeResultListAndAuditAlarmByHandle |
Determines whether a security descriptor grants a specified set of access rights to the client that the calling thread is impersonating. |
| AddAccessAllowedAce |
Adds an access-allowed access control entry (ACE) to an access control list (ACL). The access is granted to a specified security identifier (SID). |
| AddAccessAllowedAceEx |
Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL). |
| AddAccessAllowedObjectAce |
Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL). |
| AddAccessDeniedAce |
Adds an access-denied access control entry (ACE) to an access control list (ACL). The access is denied to a specified security identifier (SID). |
| AddAccessDeniedAceEx |
Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). |
| AddAccessDeniedObjectAce |
Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). The new ACE can deny access to an object, or to a property set or property on an object. |
| AddAce |
Adds one or more access control entries (ACEs) to a specified access control list (ACL). |
| AddAuditAccessAce |
Adds a system-audit access control entry (ACE) to a system access control list (ACL). The access of a specified security identifier (SID) is audited. |
| AddAuditAccessAceEx |
Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL). |
| AddAuditAccessObjectAce |
Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL). |
| AddConditionalAce |
Adds a conditional access control entry (ACE) to the specified access control list (ACL). |
| AddMandatoryAce |
Adds a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) to the specified system access control list (SACL). |
| AddResourceAttributeAce |
Adds a SYSTEM_RESOURCE_ATTRIBUTE_ACEaccess control entry (ACE) to the end of a system access control list (SACL). |
| AddScopedPolicyIDAce |
Adds a SYSTEM_SCOPED_POLICY_ID_ACEaccess control entry (ACE) to the end of a system access control list (SACL). |
| AdjustTokenGroups |
Enables or disables groups already present in the specified access token. Access to TOKEN_ADJUST_GROUPS is required to enable or disable groups in an access token. |
| AdjustTokenPrivileges |
Enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token requires TOKEN_ADJUST_PRIVILEGES access. |
| AllocateAndInitializeSid |
Allocates and initializes a security identifier (SID) with up to eight subauthorities. |
| AllocateLocallyUniqueId |
Allocates a locally unique identifier (LUID). |
| AreAllAccessesGranted |
Checks whether a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask. |
| AreAnyAccessesGranted |
Tests whether any of a set of requested access rights has been granted. The access rights are represented as bit flags in an access mask. |
| AuditComputeEffectivePolicyBySid |
Computes the effective audit policy for one or more subcategories for the specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy. |
| AuditComputeEffectivePolicyByToken |
Computes the effective audit policy for one or more subcategories for the security principal associated with the specified token. The function computes effective audit policy by combining system audit policy with per-user policy. |
| AuditEnumerateCategories |
Enumerates the available audit-policy categories. |
| AuditEnumeratePerUserPolicy |
Enumerates users for whom per-user auditing policy is specified. |
| AuditEnumerateSubCategories |
Enumerates the available audit-policy subcategories. |
| AuditFree |
Frees the memory allocated by audit functions for the specified buffer. |
| AuditLookupCategoryGuidFromCategoryId |
Retrieves a GUID structure that represents the specified audit-policy category. |
| AuditLookupCategoryIdFromCategoryGuid |
Retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the specified audit-policy category. |
| AuditLookupCategoryName |
Retrieves the display name of the specified audit-policy category. |
| AuditLookupSubCategoryName |
Retrieves the display name of the specified audit-policy subcategory. |
| AuditQueryGlobalSacl |
retrieves a global system access control list (SACL) that delegates access to the audit messages. |
| AuditQueryPerUserPolicy |
Retrieves per-user audit policy in one or more audit-policy subcategories for the specified principal. |
| AuditQuerySecurity |
Retrieves security descriptor that delegates access to audit policy. |
| AuditQuerySystemPolicy |
Retrieves system audit policy for one or more audit-policy subcategories. |
| AuditSetGlobalSacl |
sets a global system access control list (SACL) that delegates access to the audit messages. |
| AuditSetPerUserPolicy |
Sets per-user audit policy in one or more audit subcategories for the specified principal. |
| AuditSetSecurity |
Sets a security descriptor that delegates access to audit policy. |
| AuditSetSystemPolicy |
Sets system audit policy for one or more audit-policy subcategories. |
| AuthzAccessCheck |
Determines which access bits can be granted to a client for a given set of security descriptors. |
| AuthzAccessCheckCallback |
An application-defined function that handles callback access control entries (ACEs) during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. The application registers this callback by calling AuthzInitializeResourceManager. |
| AuthzAddSidsToContext |
Creates a copy of an existing context and appends a given set of security identifiers (SIDs) and restricted SIDs. |
| AuthzCachedAccessCheck |
Performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call. |
| AuthzComputeGroupsCallback |
An application-defined function that creates a list of security identifiers (SIDs) that apply to a client. AuthzComputeGroupsCallback is a placeholder for the application-defined function name. |
| AuthzEnumerateSecurityEventSources |
Retrieves the registered security event sources that are not installed by default. |
| AuthzFreeAuditEvent |
Frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function. |
| AuthzFreeCentralAccessPolicyCache |
Decreases the CAP cache reference count by one so that the CAP cache can be deallocated. |
| AuthzFreeCentralAccessPolicyCallback |
The AuthzFreeCentralAccessPolicyCallback function is an application-defined function that frees memory allocated by the AuthzGetCentralAccessPolicyCallback function. AuthzFreeCentralAccessPolicyCallback is a placeholder for the application-defined function name. |
| AuthzFreeContext |
Frees all structures and memory associated with the client context. The list of handles for a client is freed in this call. |
| AuthzFreeGroupsCallback |
An application-defined function that frees memory allocated by the AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name. |
| AuthzFreeHandle |
Finds and deletes a handle from the handle list. |
| AuthzFreeResourceManager |
Frees a resource manager object. |
| AuthzGetCentralAccessPolicyCallback |
The AuthzGetCentralAccessPolicyCallback function is an application-defined function that retrieves the central access policy. AuthzGetCentralAccessPolicyCallback is a placeholder for the application-defined function name. |
| AuthzGetInformationFromContext |
Returns information about an Authz context. |
| AuthzInitializeCompoundContext |
creates a user-mode context from the given user and device security contexts. |
| AuthzInitializeContextFromAuthzContext |
Creates a new client context based on an existing client context. |
| AuthzInitializeContextFromSid |
Creates a user-mode client context from a user security identifier (SID). |
| AuthzInitializeContextFromToken |
Initializes a client authorization context from a kernel token. The kernel token must have been opened for TOKEN_QUERY. |
| AuthzInitializeObjectAccessAuditEvent |
Initializes auditing for an object. |
| AuthzInitializeObjectAccessAuditEvent2 |
Allocates and initializes an AUTHZ_AUDIT_EVENT_HANDLE handle for use with the AuthzAccessCheck function. |
| AuthzInitializeRemoteResourceManager |
Allocates and initializes a remote resource manager. The caller can use the resulting handle to make RPC calls to a remote instance of the resource manager configured on a server. |
| AuthzInitializeResourceManager |
Uses Authz to verify that clients have access to various resources. |
| AuthzInitializeResourceManagerEx |
Allocates and initializes a resource manager structure. |
| AuthzInstallSecurityEventSource |
Installs the specified source as a security event source. |
| AuthzModifyClaims |
Adds, deletes, or modifies user and device claims in the Authz client context. |
| AuthzModifySecurityAttributes |
Modifies the security attribute information in the specified client context. |
| AuthzModifySids |
Adds, deletes, or modifies user and device groups in the Authz client context. |
| AuthzOpenObjectAudit |
Reads the system access control list (SACL) of the specified security descriptor and generates any appropriate audits specified by that SACL. |
| AuthzRegisterCapChangeNotification |
Registers a CAP update notification callback. |
| AuthzRegisterSecurityEventSource |
Registers a security event source with the Local Security Authority (LSA). |
| AuthzReportSecurityEvent |
Generates a security audit for a registered security event source. |
| AuthzReportSecurityEventFromParams |
Generates a security audit for a registered security event source by using the specified array of audit parameters. |
| AuthzSetAppContainerInformation |
Sets the app container and capability information in a current Authz context. |
| AuthzUninstallSecurityEventSource |
Removes the specified source from the list of valid security event sources. |
| AuthzUnregisterCapChangeNotification |
Removes a previously registered CAP update notification callback. |
| AuthzUnregisterSecurityEventSource |
Unregisters a security event source with the Local Security Authority (LSA). |
| BuildExplicitAccessWithName |
Initializes an EXPLICIT_ACCESS structure with data specified by the caller. The trustee is identified by a name string. |
| BuildImpersonateExplicitAccessWithName |
The BuildImpersonateExplicitAccessWithName function is not supported. |
| BuildImpersonateTrustee |
The BuildImpersonateTrustee function is not supported. |
| BuildSecurityDescriptor |
Allocates and initializes a new security descriptor. |
| BuildTrusteeWithName |
Initializes a TRUSTEE structure. The caller specifies the trustee name. The function sets other members of the structure to default values. |
| BuildTrusteeWithObjectsAndName |
Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the name of the trustee. |
| BuildTrusteeWithObjectsAndSid |
Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the SID structure that represents the security identifier of the trustee. |
| BuildTrusteeWithSid |
Initializes a TRUSTEE structure. The caller specifies the security identifier (SID) of the trustee. The function sets other members of the structure to default values and does not look up the name associated with the SID. |
| CheckTokenCapability |
Checks the capabilities of a given token. |
| CheckTokenMembership |
Determines whether a specified security identifier (SID) is enabled in an access token. |
| CheckTokenMembershipEx |
Determines whether the specified SID is enabled in the specified token. |
| ConvertSecurityDescriptorToStringSecurityDescriptor |
Converts a security descriptor to a string format. You can use the string format to store or transmit the security descriptor. |
| ConvertSidToStringSid |
Converts a security identifier (SID) to a string format suitable for display, storage, or transmission. |
| ConvertStringSecurityDescriptorToSecurityDescriptor |
Converts a string-format security descriptor into a valid, functional security descriptor. |
| ConvertStringSidToSid |
Converts a string-format security identifier (SID) into a valid, functional SID. You can use this function to retrieve a SID that the ConvertSidToStringSid function converted to string format. |
| ConvertToAutoInheritPrivateObjectSecurity |
Converts a security descriptor and its |