Adding SIDs to a Client Context
An application can add security identifiers (SIDs) to an existing client context by calling the AuthzAddSidsToContext function. The function takes a list of SIDs to add and a list of restricting SIDs, and returns a new client context that contains them; the original context is not modified and must still be released with AuthzFreeContext when the caller no longer needs it.
The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights, so a restricting SID can only reduce the access a token would otherwise have; it can never add access.
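To make the two-check rule concrete, the following is an added example and not code from this page or from the Windows SDK: a small, portable C model of the restricted-token evaluation the paragraph describes. SIDs are modelled as strings, ACEs as a struct, and each check walks the DACL in order the usual way (a deny ACE for a matching SID that covers a still-wanted bit rejects; allow ACEs accumulate bits). The ACCESS_READ/ACCESS_WRITE bits, the three DACLs, the user SID S-1-5-21-1-2-3-1000 and the token contents are all constructed for the demonstration; the token mirrors the page's example, with "Everyone" (S-1-1-0) enabled and "Local" (S-1-2-0) as a restricting SID.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins (assumptions of this example, not Windows SDK types):
   a SID is a string such as "S-1-1-0" and an access mask is two bits. */
typedef const char *SidStr;

#define ACCESS_READ   0x1u
#define ACCESS_WRITE  0x2u
#define ACCESS_ALL    (ACCESS_READ | ACCESS_WRITE)

typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; SidStr sid; unsigned mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Dacl;

/* A token carries its enabled SIDs and, if restricted, its restricting SIDs. */
typedef struct {
    SidStr enabled[8];     size_t enabled_count;
    SidStr restricting[8]; size_t restricting_count;
} Token;

static bool sid_in_list(SidStr sid, const SidStr *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, list[i]) == 0)
            return true;
    return false;
}

/* One ordered walk of the DACL against one SID list: a deny ACE for a
   matching SID that covers a bit not yet granted rejects the request;
   allow ACEs accumulate bits until every requested bit is granted. */
static bool check_against_list(const Dacl *dacl, const SidStr *sids, size_t n,
                               unsigned desired)
{
    unsigned granted = 0;
    for (size_t i = 0; i < dacl->count && granted != desired; i++) {
        const Ace *ace = &dacl->aces[i];
        if (!sid_in_list(ace->sid, sids, n))
            continue;
        if (ace->type == ACE_DENY) {
            if (ace->mask & (desired & ~granted))
                return false;
        } else {
            granted |= ace->mask & desired;
        }
    }
    return granted == desired;
}

/* The documented rule: a restricted token passes only if the check against the
   enabled SIDs AND the check against the restricting SIDs both grant every
   requested bit. An empty restricting list means the token is not restricted,
   so only the first check runs. */
bool restricted_access_check(const Dacl *dacl, const Token *tok, unsigned desired)
{
    if (!check_against_list(dacl, tok->enabled, tok->enabled_count, desired))
        return false;
    if (tok->restricting_count == 0)
        return true;
    return check_against_list(dacl, tok->restricting, tok->restricting_count, desired);
}

/* Constructed scenarios (not real ACLs). */
static const Ace page_aces[] = {
    { ACE_ALLOW, "S-1-1-0", ACCESS_ALL  },   /* Everyone: read + write */
    { ACE_ALLOW, "S-1-2-0", ACCESS_READ },   /* Local: read only */
};
const Dacl PAGE_DACL = { page_aces, sizeof page_aces / sizeof page_aces[0] };

static const Ace deny_aces[] = {
    { ACE_DENY,  "S-1-5-21-1-2-3-1000", ACCESS_WRITE }, /* explicit deny first */
    { ACE_ALLOW, "S-1-1-0", ACCESS_ALL  },
    { ACE_ALLOW, "S-1-2-0", ACCESS_READ },
};
const Dacl DENY_DACL = { deny_aces, sizeof deny_aces / sizeof deny_aces[0] };

static const Ace local_only_aces[] = {
    { ACE_ALLOW, "S-1-2-0", ACCESS_ALL },   /* only the restricting SID is allowed */
};
const Dacl LOCAL_ONLY_DACL = { local_only_aces, 1 };

/* Mirrors the page's example: Everyone enabled (plus a made-up user SID),
   Local restricting. The unrestricted variant has no restricting list. */
const Token PAGE_TOKEN = { { "S-1-1-0", "S-1-5-21-1-2-3-1000" }, 2, { "S-1-2-0" }, 1 };
const Token UNRESTRICTED_TOKEN = { { "S-1-1-0", "S-1-5-21-1-2-3-1000" }, 2, { NULL }, 0 };

int main(void)
{
    static const char *verdict[] = { "denied", "granted" };
    printf("restricted, read           : %s\n", verdict[restricted_access_check(&PAGE_DACL, &PAGE_TOKEN, ACCESS_READ)]);
    printf("restricted, write          : %s\n", verdict[restricted_access_check(&PAGE_DACL, &PAGE_TOKEN, ACCESS_WRITE)]);
    printf("unrestricted, write        : %s\n", verdict[restricted_access_check(&PAGE_DACL, &UNRESTRICTED_TOKEN, ACCESS_WRITE)]);
    printf("restricted, Local-only DACL: %s\n", verdict[restricted_access_check(&LOCAL_ONLY_DACL, &PAGE_TOKEN, ACCESS_READ)]);
    printf("restricted, deny ACE, write: %s\n", verdict[restricted_access_check(&DENY_DACL, &PAGE_TOKEN, ACCESS_WRITE)]);
    return 0;
}
```

The write request shows the point of the restricting list: the enabled SIDs would grant it through the Everyone ACE, but the Local ACE only grants read, so the second check fails and the request is denied. The Local-only DACL shows the converse: a restricting SID that is allowed in the DACL cannot add access, because the first check against the enabled SIDs already fails. The model does not cover NULL or empty DACLs, owner rights, or generic mapping; it only illustrates the two-check rule.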
Example
The following example adds a SID and a restricting SID to the client context created by the example in Initializing a Client Context.
#include <windows.h>
#include <authz.h>
#include <sddl.h>
#include <stdio.h>

#pragma comment(lib, "authz.lib")
#pragma comment(lib, "advapi32.lib")

BOOL AddSidsToContext(AUTHZ_CLIENT_CONTEXT_HANDLE *phClientContext)
{
    AUTHZ_CLIENT_CONTEXT_HANDLE NewContext = NULL;
    PSID pEveryoneSid = NULL;
    PSID pLocalSid = NULL;
    SID_AND_ATTRIBUTES Sids;
    SID_AND_ATTRIBUTES RestrictedSids;
    BOOL bResult = FALSE;

    // Create a PSID from the "Everyone" well-known SID.
    if (!ConvertStringSidToSidW(L"S-1-1-0", &pEveryoneSid))
    {
        printf_s("ConvertStringSidToSid failed with %lu\n", GetLastError());
        goto Cleanup;
    }

    // Create a PSID from the "Local" well-known SID.
    if (!ConvertStringSidToSidW(L"S-1-2-0", &pLocalSid))
    {
        printf_s("ConvertStringSidToSid failed with %lu\n", GetLastError());
        goto Cleanup;
    }

    // Set the members of the SID_AND_ATTRIBUTES structure to be added.
    Sids.Sid = pEveryoneSid;
    Sids.Attributes = SE_GROUP_ENABLED;

    // Set the members of the SID_AND_ATTRIBUTES structure for the restricting SID.
    RestrictedSids.Sid = pLocalSid;
    RestrictedSids.Attributes = SE_GROUP_ENABLED;

    // Create a new context with the new "Everyone" SID and "Local" restricting SID.
    if (!AuthzAddSidsToContext(
            *phClientContext,
            &Sids,
            1,
            &RestrictedSids,
            1,
            &NewContext))
    {
        printf_s("AuthzAddSidsToContext failed with %lu\n", GetLastError());
        goto Cleanup;
    }

    // Replace the caller's handle with the new context. The original context
    // is not modified by AuthzAddSidsToContext, so it is released here.
    AuthzFreeContext(*phClientContext);
    *phClientContext = NewContext;
    bResult = TRUE;

Cleanup:
    // SIDs returned by ConvertStringSidToSid are allocated with LocalAlloc
    // and must be released with LocalFree, not FreeSid. They are released
    // on every path, including when the second conversion fails.
    if (pEveryoneSid)
    {
        LocalFree(pEveryoneSid);
    }
    if (pLocalSid)
    {
        LocalFree(pLocalSid);
    }
    return bResult;
}