Microsoft KB Archive/115945

{|
 * width="100%"|

INFO: Determining the Maximum Allowed Access for an Object

 * }

Q115945

-

The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), used with:
 * the operating system: Microsoft Windows NT, versions 3.1, 3.5
 * the operating system: Microsoft Windows 2000

-

SUMMARY
The AccessCheck API call can be used to determine the maximum access to an object allowed for a subject. (In this article, a subject means a program running in a specific user's security context.) When using AccessCheck for this purpose, perform the following steps:


 * 1) Obtain a security descriptor that has owner, group, and DACL information.
 * 2) If you are not impersonating a client, obtain an impersonation token by calling ImpersonateSelf. This token is passed as the client token in the AccessCheck call.
 * 3) Create a generic mapping structure. The contents of this structure will vary depending on the object being used.
 * 4) Call AccessCheck and request "MAXIMUM_ALLOWED" as the desired access.

If the AccessCheck call succeeds after the above steps have been completed, the dwGrantedAccess parameter to AccessCheck contains a mask of the object-specific rights that are granted by the security descriptor.

MORE INFORMATION
In most situations, you should not use this method of access determination. If you need access to an object to perform a task, simply try to open the object using the required access.

The AccessCheck API is mainly intended for use with private objects created by an application. However, it can be used with predefined objects. The generic mapping values and specific rights for many of the predefined objects (files and so forth) may be found in WINNT.H.