Application Security, Part 28

  • Article

Now, the Windows Server 2003 Authorization Manager exposes a COM API, which has the unfortunate name, AzMan, that can be used to query the authorization store at run-time to identify the operations that a current user is permitted to perform. Specifically, AzMan exposes a method, AccessCheck.

 

 

aiOperations[0] = 55;

aiOperations[1] = 76;

abyResults = rAzMan.AccessCheck("Some Action", null, aiOperations, null, null);

If(abyResults[0] == 0) // Zero = NO ERROR

{

sResult = "Access granted.";

}

Else

{

sResult = "Denied access." ;

}

 

The first parameter passed to AccessCheck can be any non-empty string, and is used merely to identify an audit entry that AccessCheck will create as a record of its invocation. The other parameter that AccessCheck requires is an array with the identifiers of one or more operations, the operations for which one would like to determine whether or the current user has authorization to perform them. AccessCheck returns an array of numbers, equal in size to the array of operations. An operation is authorized if and only if the number with the matching index in the array of returned numbers is zero.