XXXAccessCheck and Callback+Object ACE Types
 

hi

I'm creating object trees with different properties which also have different
permissions. Because this can depend on several other things, I also want to
use callback.

The AuthZ API with
AuthzInitializeResourceManager and AuthzCachedAccessCheck
looks good for me because AccessCheckXXXX do not seem to provide a callback
routine.


AuthzAccessCheck calls my callback funct if an ACE of type
ACCESS_ALLOWED_CALLBACK_ACE_TYPE is available -> added by AddAce
If an ACE of type ACCESS_ALLOWED_OBJECT_ACE_TYPE is available the object's
GUID is checked correctly -> added by AddAccessAllowedObjectAce

However:
If I add an ACE of type ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE (object +
callback) using AddAce (I could not find a function like
AddAccessAllowedCallbackObjectAce)
nothing happens and access is denied at all.
??? A possible solution may be to use AddAccessAllowedCallbackObjectAce and
then manipulate the type of the ACE?????

I'm using a library in Pascal that I created myself so I cannot give a single
example. But If you insist I will post the essential parts. But maybe
AccessCheck does not support such ACE types?

PS.
Did you know that AddAce seems to corrupt the ACL if one try to add a simple
object ACE? RtlValidACL returns false after the call to AddAce.
Using AddAccessAllowedObjectAce solves the problem. However:
ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE can be added by AddAce.

PPS.
I'm using Windows Vista 32bit (no SP). I do not consider the Windowsversion
as the source of problems (it should work with >=XP)

PPPS
Post in msdn forum
http://forums.microsoft.com/MSDN/Sho...67084&SiteID=1


Thanks for reply
----

Aus Faulheit poste ich hier in englisch, da ich es schon überall eigentlich gepostet habe. Man kann mir aber auch auf deutsch anwtorten.