//+-------------------------------------------------------------------
//
//  Microsoft Windows
//  Copyright (C) Microsoft Corporation, 1993-1998.
//
//  File:       accctrl.h
//
//  Contents:   common includes for new style Win32 Access Control
//              APIs
//
//
//--------------------------------------------------------------------
#ifndef __ACCESS_CONTROL__
#define __ACCESS_CONTROL__

#ifndef __midl
#include <wtypes.h>
#endif

;begin_both
#ifdef __cplusplus
extern "C" {
#endif
;end_both

// AccFree is a plain alias for LocalFree.  Presumably it is the release
// routine for buffers the access-control APIs hand back to the caller
// (confirm per API); do not pair those buffers with free()/HeapFree.
#define AccFree LocalFree

//
// Definition:
// This enumerated type defines the objects supported by the get/set API within
// this document.  See section 3.1, Object Types for a detailed definition of the
// supported object types, and their name formats.
//
// Values are assigned sequentially from 0 and are part of the binary
// interface: new object types must be appended, never inserted.
// The per-type descriptions live in the external document referenced
// above, not in this header.
typedef enum _SE_OBJECT_TYPE
{
    SE_UNKNOWN_OBJECT_TYPE = 0,     // explicit 0: a zero-initialized value reads as "unknown"
    SE_FILE_OBJECT,
    SE_SERVICE,
    SE_PRINTER,
    SE_REGISTRY_KEY,
    SE_LMSHARE,
    SE_KERNEL_OBJECT,
    SE_WINDOW_OBJECT,
    SE_DS_OBJECT,
    SE_DS_OBJECT_ALL,
    SE_PROVIDER_DEFINED_OBJECT,
    SE_WMIGUID_OBJECT,
    SE_REGISTRY_WOW64_32KEY         // appended last so that earlier values stay unchanged
} SE_OBJECT_TYPE;

//
// Definition: TRUSTEE_TYPE
// This enumerated type specifies the type of trustee account for the trustee
// returned by the API described in this document.
// TRUSTEE_IS_UNKNOWN - The trustee is an unknown, but not necessarily invalid
//                      type.  This field is not validated on input to the APIs
//                      that take Trustees.
// TRUSTEE_IS_USER      The trustee account is a user account.
// TRUSTEE_IS_GROUP     The trustee account is a group account.
//

// Sequential values from 0; TRUSTEE_IS_UNKNOWN is therefore what a
// zero-initialized TRUSTEE carries.
typedef enum _TRUSTEE_TYPE
{
    TRUSTEE_IS_UNKNOWN,             // not validated on input (see the comment above)
    TRUSTEE_IS_USER,                // user account
    TRUSTEE_IS_GROUP,               // group account
    TRUSTEE_IS_DOMAIN,              // the remaining values are not described in the
    TRUSTEE_IS_ALIAS,               // header comment above; their meaning presumably
    TRUSTEE_IS_WELL_KNOWN_GROUP,    // follows the name -- confirm against the API
    TRUSTEE_IS_DELETED,             // documentation before depending on them
    TRUSTEE_IS_INVALID,
    TRUSTEE_IS_COMPUTER
} TRUSTEE_TYPE;


//
// Definition: TRUSTEE_FORM
// This enumerated type specifies the form the trustee identifier is in for a
// particular trustee.
// TRUSTEE_IS_SID       The trustee is identified with a SID rather than with a name.
// TRUSTEE_IS_NAME      The trustee is identified with a name.
//

// Discriminator for the pointer member of TRUSTEE.  Which pointee type each
// form carries is shown by the [switch_is] union in the TRUSTEE definition
// below.
typedef enum _TRUSTEE_FORM
{
    TRUSTEE_IS_SID,                 // TRUSTEE pointer is a SID *
    TRUSTEE_IS_NAME,                // TRUSTEE pointer is a string
    TRUSTEE_BAD_FORM,               // no union member in TRUSTEE corresponds to it;
                                    // NOTE(review): presumably never a valid input form -- confirm
    TRUSTEE_IS_OBJECTS_AND_SID,     // TRUSTEE pointer is an OBJECTS_AND_SID *
    TRUSTEE_IS_OBJECTS_AND_NAME     // TRUSTEE pointer is an OBJECTS_AND_NAME_% *
} TRUSTEE_FORM;


//
// Definition: MULTIPLE_TRUSTEE_OPERATION
// If the trustee is a multiple trustee, this enumerated type specifies the type.
// TRUSTEE_IS_IMPERSONATE       The trustee is an impersonate trustee and the multiple
//                          trustee field in the trustee points to another trustee
//                          that is a trustee for the server that will be doing the
//                          impersonation.
//

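// Selector for TRUSTEE.pMultipleTrustee.  Values are sequential from 0.
// The trailing comma after the last enumerator was removed: it is not
// valid C89 / pre-C++11 C++, and this header is consumed from C++ through
// the extern "C" wrapper above.
typedef enum _MULTIPLE_TRUSTEE_OPERATION
{
    NO_MULTIPLE_TRUSTEE,        // pMultipleTrustee is presumably ignored (NULL) -- confirm
    TRUSTEE_IS_IMPERSONATE      // pMultipleTrustee names the impersonating server's trustee (see above)
} MULTIPLE_TRUSTEE_OPERATION;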


//
// Payload pointed to by a TRUSTEE whose TrusteeForm is
// TRUSTEE_IS_OBJECTS_AND_SID: a SID plus the object-type GUIDs of an
// object-specific entry.
//
typedef struct  _OBJECTS_AND_SID
{
    DWORD   ObjectsPresent;             // presumably flags saying which of the two GUIDs below
                                        // are valid; the flag values are not defined in this
                                        // header -- NOTE(review): confirm which bits are meant
    GUID    ObjectTypeGuid;
    GUID    InheritedObjectTypeGuid;
    SID     * pSid;                     // ownership of the pointee is not stated in this header
} OBJECTS_AND_SID, *POBJECTS_AND_SID;

//
// Payload pointed to by a TRUSTEE whose TrusteeForm is
// TRUSTEE_IS_OBJECTS_AND_NAME: the name form of OBJECTS_AND_SID, with the
// object types given by name and tagged with an SE_OBJECT_TYPE.
//
typedef struct  _OBJECTS_AND_NAME_%
{
    DWORD          ObjectsPresent;      // presumably flags for which of the two *TypeName
                                        // strings are valid; values not defined here -- confirm
    SE_OBJECT_TYPE ObjectType;
    LPTSTR%  ObjectTypeName;
    LPTSTR%  InheritedObjectTypeName;
    LPTSTR%  ptstrName;                 // the trustee name itself
} OBJECTS_AND_NAME_%, *POBJECTS_AND_NAME_%;

//
// Definition: TRUSTEE
// This structure is used to pass account information into and out of the system
// using the API defined in this document.
// pMultipleTrustee     - if NON-NULL, points to another trustee structure, as
//                    defined by the multiple trustee operation field.
// MultipleTrusteeOperation - Defines the multiple trustee operation/type.
// TrusteeForm - defines if the trustee is defined by name or SID.
// TrusteeType - defines if the trustee type is unknown, a user or a group.
// ptstrName     - points to the trustee name or the trustee SID.
//

typedef struct _TRUSTEE_%
{
    struct _TRUSTEE_%          *pMultipleTrustee;   // NULL, or another trustee selected by MultipleTrusteeOperation
    MULTIPLE_TRUSTEE_OPERATION  MultipleTrusteeOperation;
    TRUSTEE_FORM                TrusteeForm;        // says how the pointer member below must be read
    TRUSTEE_TYPE                TrusteeType;
#ifdef __midl
    // MIDL view: a discriminated union keyed on TrusteeForm.  It is the
    // authoritative statement of which pointee type each form carries.
    [switch_is(TrusteeForm)]
    union
    {
    [case(TRUSTEE_IS_NAME)]
        LPTSTR%                 ptstrName;
    [case(TRUSTEE_IS_SID)]
        SID                    *pSid;
    [case(TRUSTEE_IS_OBJECTS_AND_SID)]
        OBJECTS_AND_SID        *pObjectsAndSid;
    [case(TRUSTEE_IS_OBJECTS_AND_NAME)]
        OBJECTS_AND_NAME_%     *pObjectsAndName;
    };
#else
    // C/C++ view: one pointer slot whose declared type is only right for
    // TRUSTEE_IS_NAME.  For TRUSTEE_IS_SID it actually holds a SID *, and
    // for the TRUSTEE_IS_OBJECTS_AND_* forms a pointer to the matching
    // OBJECTS_AND_* structure (see the __midl union above).  Code must
    // check TrusteeForm before casting or dereferencing it.
    LPTSTR%                     ptstrName;
#endif
} TRUSTEE_%, *PTRUSTEE_%, TRUSTEE%, *PTRUSTEE%;

//
// Definition: ACCESS_MODE
// This enumerated type specifies how permissions are (requested)/to be applied
//  for the trustee by the access control entry.  On input this field can be any
//  of the values, although it is not meaningful to mix access control and audit
//  control entries.  On output this field will be either SET_ACCESS, DENY_ACCESS,
// SET_AUDIT_SUCCESS, SET_AUDIT_FAILURE.
// The following descriptions define how this type affects an explicit access
// request to apply access permissions to an object.
// GRANT_ACCESS - The trustee will have at least the requested permissions upon
//                successful completion of the command. (If the trustee has
//                additional permissions they will not be removed).
// SET_ACCESS - The trustee will have exactly the requested permissions upon
//              successful completion of the command.
// DENY_ACCESS - The trustee will be denied the specified permissions.
// REVOKE_ACCESS - Any explicit access rights the trustee has will be revoked.
// SET_AUDIT_SUCCESS - The trustee will be audited for successful opens of the
//                     object using the requested permissions.
// SET_AUDIT_FAILURE - The trustee will be audited for failed opens of the object
//                     using the requested permissions.
//

typedef enum _ACCESS_MODE
{
    NOT_USED_ACCESS = 0,    // explicit 0: a zero-initialized entry is "not used"; per the comment
                            // above it is never one of the values reported on output
    GRANT_ACCESS,           // add the requested rights; rights the trustee already has are kept
    SET_ACCESS,             // the trustee ends up with exactly the requested rights
    DENY_ACCESS,            // deny the requested rights
    REVOKE_ACCESS,          // remove any explicit rights the trustee has
    SET_AUDIT_SUCCESS,      // audit successful opens with the requested rights
    SET_AUDIT_FAILURE       // audit failed opens with the requested rights
} ACCESS_MODE;

//
// Definition: Inheritance flags
// These bit masks are provided to allow simple application of inheritance in
// explicit access requests on containers.
// NO_INHERITANCE       The specific access permissions will only be applied to
//                  the container, and will not be inherited by objects created
//                  within the container.
// SUB_CONTAINERS_ONLY_INHERIT  The specific access permissions will be inherited
//                              and applied to sub containers created within the
//                              container, and will be applied to the container
//                              itself.
// SUB_OBJECTS_ONLY_INHERIT     The specific access permissions will only be inherited
//                              by objects created within the specific container.
//                              The access permissions will not be applied to the
//                              container itself.
// SUB_CONTAINERS_AND_OBJECTS_INHERIT   The specific access permissions will be
//                                      inherited by containers created within the
//                                      specific container, will be applied to
//                                      objects created within the container, but
//                                      will not be applied to the container itself.
//
#define NO_INHERITANCE 0x0
#define SUB_OBJECTS_ONLY_INHERIT            0x1
#define SUB_CONTAINERS_ONLY_INHERIT         0x2
#define SUB_CONTAINERS_AND_OBJECTS_INHERIT  0x3     // == SUB_OBJECTS_ONLY_INHERIT | SUB_CONTAINERS_ONLY_INHERIT
#define INHERIT_NO_PROPAGATE                0x4     // not described in the comment above
#define INHERIT_ONLY                        0x8     // not described in the comment above

//
// Informational bit that is returned
// NOTE(review): presumably an output-only marker for entries that were
// inherited rather than set explicitly, and ignored on input -- confirm.
//
#define INHERITED_ACCESS_ENTRY              0x10

//
// Informational bit that tells where a node was inherited from.  Valid only
// for NT 5 APIs
// These occupy high bits of the same flag word as the values above, so they
// can be combined with them without collision.
//
#define INHERITED_PARENT                    0x10000000
#define INHERITED_GRANDPARENT               0x20000000


//
// Definition: EXPLICIT_ACCESS
// This structure is used to pass access control entry information into and out
// of the system using the API defined in this document.
// grfAccessPermissions - This contains the access permissions to assign for the
//                     trustee.  It is in the form of an NT access mask.
// grfAccessMode - This field defines how the permissions are to be applied for
//                 the trustee.
// grfInheritance - For containers, this field defines how the access control
//                  entry is/(is requested) to be inherited on
//                  objects/sub-containers created within the container.
// Trustee - This field contains the definition of the trustee account the
//           explicit access applies to.
//

typedef struct _EXPLICIT_ACCESS_%
{
    DWORD        grfAccessPermissions;  // NT access mask to apply for Trustee
    ACCESS_MODE  grfAccessMode;         // how grfAccessPermissions is applied (grant/set/deny/revoke/audit)
    DWORD        grfInheritance;        // inheritance flags for containers (NO_INHERITANCE, SUB_*_INHERIT,
                                        // INHERIT_*, plus the INHERITED_* bits reported on output)
    TRUSTEE_%    Trustee;               // the account the entry applies to
} EXPLICIT_ACCESS_%, *PEXPLICIT_ACCESS_%, EXPLICIT_ACCESS%, *PEXPLICIT_ACCESS%;



//----------------------------------------------------------------------------
//
//                                  NT5 APIs
//
//----------------------------------------------------------------------------

//
// Default provider
//
// ANSI and wide spellings of the default provider name; the unsuffixed
// name follows the UNICODE setting in the usual TCHAR fashion.
#define ACCCTRL_DEFAULT_PROVIDERA   "Windows NT Access Provider"
#define ACCCTRL_DEFAULT_PROVIDERW  L"Windows NT Access Provider"

#ifdef UNICODE
#define ACCCTRL_DEFAULT_PROVIDER ACCCTRL_DEFAULT_PROVIDERW
#else
#define ACCCTRL_DEFAULT_PROVIDER ACCCTRL_DEFAULT_PROVIDERA
#endif




//
// Access rights
//
typedef     ULONG   ACCESS_RIGHTS, *PACCESS_RIGHTS;     // bit mask built from the ACTRL_* bits defined below

//
// Inheritance flags
//
typedef ULONG INHERIT_FLAGS, *PINHERIT_FLAGS;           // bit mask; presumably the *_INHERIT / INHERIT_* flags above -- confirm


//
// Access / Audit structures
//
//
// One access or audit entry in the NT5-style lists below.
//
typedef struct _ACTRL_ACCESS_ENTRY%
{
    TRUSTEE_%       Trustee;            // whom the entry applies to
    ULONG           fAccessFlags;       // presumably ACTRL_ACCESS_ALLOWED / ACTRL_ACCESS_DENIED /
                                        // ACTRL_AUDIT_* from the "Access permissions" block below -- confirm
    ACCESS_RIGHTS   Access;             // generic rights mask (ACTRL_PERM_n and ACTRL_* standard rights)
    ACCESS_RIGHTS   ProvSpecificAccess; // provider-specific rights; their meaning is not defined in this header
    INHERIT_FLAGS   Inheritance;        // inheritance flags for containers
    LPTSTR%         lpInheritProperty;
} ACTRL_ACCESS_ENTRY%, *PACTRL_ACCESS_ENTRY%;



//
// Counted array of ACTRL_ACCESS_ENTRY.  The [size_is] attribute ties the
// array length to cEntries; NOTE(review): when the list comes from an
// untrusted caller, code walking pAccessList must not read past the buffer
// that was actually allocated, whatever cEntries claims.
//
typedef struct _ACTRL_ACCESS_ENTRY_LIST%
{
    ULONG                   cEntries;       // number of elements in pAccessList
#ifdef __midl
    [size_is(cEntries)]
#endif
    ACTRL_ACCESS_ENTRY%    *pAccessList;    // array of cEntries entries
} ACTRL_ACCESS_ENTRY_LIST%, *PACTRL_ACCESS_ENTRY_LIST%;



//
// Access entry list for one named property.
//
typedef struct _ACTRL_PROPERTY_ENTRY%
{
    LPTSTR%                     lpProperty;         // property name
    PACTRL_ACCESS_ENTRY_LIST%   pAccessEntryList;   // entries that apply to that property
    ULONG                       fListFlags;         // presumably ACTRL_ACCESS_PROTECTED from the
                                                    // "Property list flags" block below -- confirm
} ACTRL_PROPERTY_ENTRY%, *PACTRL_PROPERTY_ENTRY%;



//
// Counted array of property entries.  The same layout is typedef'd as both
// ACTRL_ACCESS and ACTRL_AUDIT, so the two kinds of list are only
// distinguishable by how they are used, not by type.
//
typedef struct _ACTRL_ALIST%
{
    ULONG                       cEntries;               // number of elements in pPropertyAccessList
#ifdef __midl
    [size_is(cEntries)]
#endif
    PACTRL_PROPERTY_ENTRY%      pPropertyAccessList;    // array of cEntries property entries
} ACTRL_ACCESS%, *PACTRL_ACCESS%, ACTRL_AUDIT%, *PACTRL_AUDIT%;



//
// TRUSTEE_ACCESS flags
//
#define TRUSTEE_ACCESS_ALLOWED      0x00000001L
#define TRUSTEE_ACCESS_READ         0x00000002L
#define TRUSTEE_ACCESS_WRITE        0x00000004L

// NOTE(review): TRUSTEE_ACCESS_EXPLICIT has the same value as
// TRUSTEE_ACCESS_ALLOWED (0x1).  Which meaning applies presumably depends on
// the field it is used in (fAccessFlags vs. fReturnedAccess in
// TRUSTEE_ACCESS below) -- confirm before testing either bit.
#define TRUSTEE_ACCESS_EXPLICIT     0x00000001L
#define TRUSTEE_ACCESS_READ_WRITE   (TRUSTEE_ACCESS_READ |                  \
                                     TRUSTEE_ACCESS_WRITE)


#define TRUSTEE_ACCESS_ALL          0xFFFFFFFFL     // every bit set

//
// Per-property access query record for one trustee.
//
typedef struct _TRUSTEE_ACCESS%
{
    LPTSTR%         lpProperty;         // property name
    ACCESS_RIGHTS   Access;             // rights being asked about
    ULONG           fAccessFlags;       // presumably TRUSTEE_ACCESS_* flags above (input) -- confirm
    ULONG           fReturnedAccess;    // presumably TRUSTEE_ACCESS_* flags above (output) -- confirm
} TRUSTEE_ACCESS%, *PTRUSTEE_ACCESS%;



//
// Generic permission values
//
// ACTRL_PERM_n is the single bit 1 << (n - 1); the twenty generic bits occupy
// bit positions 0..19 and are given object-type-specific names further down.
#define ACTRL_RESERVED          0x00000000      // no bits set
#define ACTRL_PERM_1            0x00000001
#define ACTRL_PERM_2            0x00000002
#define ACTRL_PERM_3            0x00000004
#define ACTRL_PERM_4            0x00000008
#define ACTRL_PERM_5            0x00000010
#define ACTRL_PERM_6            0x00000020
#define ACTRL_PERM_7            0x00000040
#define ACTRL_PERM_8            0x00000080
#define ACTRL_PERM_9            0x00000100
#define ACTRL_PERM_10           0x00000200
#define ACTRL_PERM_11           0x00000400
#define ACTRL_PERM_12           0x00000800
#define ACTRL_PERM_13           0x00001000
#define ACTRL_PERM_14           0x00002000
#define ACTRL_PERM_15           0x00004000
#define ACTRL_PERM_16           0x00008000
#define ACTRL_PERM_17           0x00010000
#define ACTRL_PERM_18           0x00020000
#define ACTRL_PERM_19           0x00040000
#define ACTRL_PERM_20           0x00080000      // highest generic bit (bit 19)

//
// Access permissions
//
#define ACTRL_ACCESS_ALLOWED        0x00000001
#define ACTRL_ACCESS_DENIED         0x00000002
#define ACTRL_AUDIT_SUCCESS         0x00000004
#define ACTRL_AUDIT_FAILURE         0x00000008

//
// Property list flags
//
#define ACTRL_ACCESS_PROTECTED      0x00000001

//
// Standard and object rights
//
// These sit in bits 26..31, above the twenty ACTRL_PERM_n bits (0..19), so
// the two groups never collide inside one ACCESS_RIGHTS value.
//
#define ACTRL_SYSTEM_ACCESS         0x04000000
#define ACTRL_DELETE                0x08000000
#define ACTRL_READ_CONTROL          0x10000000
#define ACTRL_CHANGE_ACCESS         0x20000000
#define ACTRL_CHANGE_OWNER          0x40000000
#define ACTRL_SYNCHRONIZE           0x80000000  // does not fit in int; the literal has type unsigned int
// 0xf8000000 is DELETE | READ_CONTROL | CHANGE_ACCESS | CHANGE_OWNER | SYNCHRONIZE.
// NOTE(review): it does NOT include ACTRL_SYSTEM_ACCESS (0x04000000); callers
// that want the SACL-access right must add it explicitly.
#define ACTRL_STD_RIGHTS_ALL        0xf8000000
#define ACTRL_STD_RIGHT_REQUIRED    ( ACTRL_STD_RIGHTS_ALL & ~ACTRL_SYNCHRONIZE )  // all of the above except SYNCHRONIZE

// Directory-service control bits, mapped onto the generic ACTRL_PERM_n bits.
// The guard skips this block when another header has already defined the
// names; NOTE(review): that only works if the other definition uses the same
// values -- confirm when both headers can be included in one translation unit.
#ifndef _DS_CONTROL_BITS_DEFINED_
#define _DS_CONTROL_BITS_DEFINED_
#define ACTRL_DS_OPEN                           ACTRL_RESERVED
#define ACTRL_DS_CREATE_CHILD                   ACTRL_PERM_1
#define ACTRL_DS_DELETE_CHILD                   ACTRL_PERM_2
#define ACTRL_DS_LIST                           ACTRL_PERM_3
#define ACTRL_DS_SELF                           ACTRL_PERM_4
#define ACTRL_DS_READ_PROP                      ACTRL_PERM_5
#define ACTRL_DS_WRITE_PROP                     ACTRL_PERM_6
#define ACTRL_DS_DELETE_TREE                    ACTRL_PERM_7
#define ACTRL_DS_LIST_OBJECT                    ACTRL_PERM_8
#define ACTRL_DS_CONTROL_ACCESS                 ACTRL_PERM_9
#endif

//
// Per-object-type names for the generic ACTRL_PERM_n bits.  The same bit
// means different things on different SE_OBJECT_TYPEs (for example
// ACTRL_FILE_READ, ACTRL_DIR_LIST, ACTRL_KERNEL_TERMINATE, ACTRL_PRINT_SADMIN,
// ACTRL_SVC_GET_INFO, ACTRL_REG_QUERY and ACTRL_WIN_CLIPBRD are all
// ACTRL_PERM_1), so a rights mask must always be interpreted together with
// the object type it was obtained for and never compared across types.
// Bit positions are not contiguous within a family: the ACTRL_FILE_* names
// skip ACTRL_PERM_7, which ACTRL_DIR_DELETE_CHILD uses.
//
#define ACTRL_FILE_READ                         ACTRL_PERM_1
#define ACTRL_FILE_WRITE                        ACTRL_PERM_2
#define ACTRL_FILE_APPEND                       ACTRL_PERM_3
#define ACTRL_FILE_READ_PROP                    ACTRL_PERM_4
#define ACTRL_FILE_WRITE_PROP                   ACTRL_PERM_5
#define ACTRL_FILE_EXECUTE                      ACTRL_PERM_6
#define ACTRL_FILE_READ_ATTRIB                  ACTRL_PERM_8
#define ACTRL_FILE_WRITE_ATTRIB                 ACTRL_PERM_9
#define ACTRL_FILE_CREATE_PIPE                  ACTRL_PERM_10
#define ACTRL_DIR_LIST                          ACTRL_PERM_1
#define ACTRL_DIR_CREATE_OBJECT                 ACTRL_PERM_2
#define ACTRL_DIR_CREATE_CHILD                  ACTRL_PERM_3
#define ACTRL_DIR_DELETE_CHILD                  ACTRL_PERM_7
#define ACTRL_DIR_TRAVERSE                      ACTRL_PERM_6
#define ACTRL_KERNEL_TERMINATE                  ACTRL_PERM_1
#define ACTRL_KERNEL_THREAD                     ACTRL_PERM_2
#define ACTRL_KERNEL_VM                         ACTRL_PERM_3
#define ACTRL_KERNEL_VM_READ                    ACTRL_PERM_4
#define ACTRL_KERNEL_VM_WRITE                   ACTRL_PERM_5
#define ACTRL_KERNEL_DUP_HANDLE                 ACTRL_PERM_6
#define ACTRL_KERNEL_PROCESS                    ACTRL_PERM_7
#define ACTRL_KERNEL_SET_INFO                   ACTRL_PERM_8
#define ACTRL_KERNEL_GET_INFO                   ACTRL_PERM_9
#define ACTRL_KERNEL_CONTROL                    ACTRL_PERM_10
#define ACTRL_KERNEL_ALERT                      ACTRL_PERM_11
#define ACTRL_KERNEL_GET_CONTEXT                ACTRL_PERM_12
#define ACTRL_KERNEL_SET_CONTEXT                ACTRL_PERM_13
#define ACTRL_KERNEL_TOKEN                      ACTRL_PERM_14
#define ACTRL_KERNEL_IMPERSONATE                ACTRL_PERM_15
#define ACTRL_KERNEL_DIMPERSONATE               ACTRL_PERM_16
#define ACTRL_PRINT_SADMIN                      ACTRL_PERM_1
#define ACTRL_PRINT_SLIST                       ACTRL_PERM_2
#define ACTRL_PRINT_PADMIN                      ACTRL_PERM_3
#define ACTRL_PRINT_PUSE                        ACTRL_PERM_4
#define ACTRL_PRINT_JADMIN                      ACTRL_PERM_5
#define ACTRL_SVC_GET_INFO                      ACTRL_PERM_1
#define ACTRL_SVC_SET_INFO                      ACTRL_PERM_2
#define ACTRL_SVC_STATUS                        ACTRL_PERM_3
#define ACTRL_SVC_LIST                          ACTRL_PERM_4
#define ACTRL_SVC_START                         ACTRL_PERM_5
#define ACTRL_SVC_STOP                          ACTRL_PERM_6
#define ACTRL_SVC_PAUSE                         ACTRL_PERM_7
#define ACTRL_SVC_INTERROGATE                   ACTRL_PERM_8
#define ACTRL_SVC_UCONTROL                      ACTRL_PERM_9
#define ACTRL_REG_QUERY                         ACTRL_PERM_1
#define ACTRL_REG_SET                           ACTRL_PERM_2
#define ACTRL_REG_CREATE_CHILD                  ACTRL_PERM_3
#define ACTRL_REG_LIST                          ACTRL_PERM_4
#define ACTRL_REG_NOTIFY                        ACTRL_PERM_5
#define ACTRL_REG_LINK                          ACTRL_PERM_6
#define ACTRL_WIN_CLIPBRD                       ACTRL_PERM_1
#define ACTRL_WIN_GLOBAL_ATOMS                  ACTRL_PERM_2
#define ACTRL_WIN_CREATE                        ACTRL_PERM_3
#define ACTRL_WIN_LIST_DESK                     ACTRL_PERM_4
#define ACTRL_WIN_LIST                          ACTRL_PERM_5
#define ACTRL_WIN_READ_ATTRIBS                  ACTRL_PERM_6
#define ACTRL_WIN_WRITE_ATTRIBS                 ACTRL_PERM_7
#define ACTRL_WIN_SCREEN                        ACTRL_PERM_8
#define ACTRL_WIN_EXIT                          ACTRL_PERM_9


#pragma warning (push)
#pragma warning (disable: 4201)

//
// Overlapped-style context for asynchronous calls.  What the provider does
// with Provider/Reserved* and when hEvent is signalled is not defined here.
//
typedef struct _ACTRL_OVERLAPPED
{
    union {                     // anonymous union: the MS extension that warning 4201 (disabled above) is about
        PVOID Provider;
        ULONG Reserved1;        // overlays Provider; on 64-bit targets ULONG is narrower than PVOID,
                                // so it aliases only part of the pointer
    };

    ULONG       Reserved2;
    HANDLE      hEvent;         // event handle; completion semantics not stated in this header

} ACTRL_OVERLAPPED, *PACTRL_OVERLAPPED;

#pragma warning(pop)

//
// Display-name record for one access permission bit.
//
typedef struct _ACTRL_ACCESS_INFO%
{
    ULONG       fAccessPermission;      // the permission value being described
    LPTSTR%     lpAccessPermissionName; // its human-readable name
} ACTRL_ACCESS_INFO%, *PACTRL_ACCESS_INFO%;

//
// Display-name record for one control id.
//
typedef struct _ACTRL_CONTROL_INFO%
{
    LPTSTR%     lpControlId;            // control identifier, as a string
    LPTSTR%     lpControlName;          // its human-readable name
} ACTRL_CONTROL_INFO%, *PACTRL_CONTROL_INFO%;


// Option flags; ACTRL_ACCESS_NO_OPTIONS is the empty mask.
#define ACTRL_ACCESS_NO_OPTIONS                 0x00000000
#define ACTRL_ACCESS_SUPPORTS_OBJECT_ENTRIES    0x00000001


// Values start at 1, so 0 is not a valid setting and a zero-initialized
// PROG_INVOKE_SETTING must be treated as invalid.  The last two read as
// requests rather than invocation policies; presumably they are what the
// progress callback writes back through its IN OUT pointer (see the comment
// below) -- confirm.
typedef enum _PROGRESS_INVOKE_SETTING {
    ProgressInvokeNever = 1,    // Never invoke the progress function
    ProgressInvokeEveryObject,  // Invoke for each object
    ProgressInvokeOnError,      // Invoke only for each error case
    ProgressCancelOperation,    // Stop propagation and return
    ProgressRetryOperation      // Retry operation on subtree
} PROG_INVOKE_SETTING, *PPROG_INVOKE_SETTING;

//
// Progress Function:
// Caller of tree operation implements this Progress function, then
// passes its function pointer to tree operation.
// Tree operation invokes Progress function to provide progress and error
// information to the caller during the potentially long execution
// of the tree operation.  Tree operation provides the name of the object
// last processed and the error status of the operation on that object.
// Tree operation also passes the current InvokeSetting value.
// Caller may change the InvokeSetting value, for example, from "Always"
// to "Only On Error."
//

/*
typedef VOID (*FN_PROGRESS) (
    IN LPWSTR                   pObjectName,    // name of object just processed
    IN DWORD                    Status,         // status of operation on object
    IN OUT PPROG_INVOKE_SETTING pInvokeSetting, // Never, always,
    IN PVOID                    Args,           // Caller specific data
    IN BOOL                     SecuritySet     // Whether security was set
    );
*/

//
// New Object Type function pointers.  TBD.
// To support additional object resource managers generically, the
// resource manager must provide its own functions for operations
// like:
// GetAncestorAcl(IN ObjName, IN GenerationGap, IN DaclOrSacl?, ...)
// GetAncestorName(...)
// FreeNameStructure(...)
//

// Placeholder only (see "TBD" above): no resource-manager function pointers
// are defined yet, so nothing can be dispatched through this structure.
typedef struct _FN_OBJECT_MGR_FUNCTIONS
{
    ULONG   Placeholder;        // reserves the layout; carries no meaning
} FN_OBJECT_MGR_FUNCTS, *PFN_OBJECT_MGR_FUNCTS;

//
// Name of ancestor and number of generations between
// ancestor and inheriting object.
//
// AncestorName:
//     Name of ancestor from which ACE was inherited.
//     NULL for explicit ACE.
//
// GenerationGap:
//     Number of levels (or generations) between the object and the ancestor.
//     Parent, gap=1.
//     Grandparent, gap=2.
//     Set to 0 for explicit ACE on object.
//

typedef struct _INHERITED_FROM%
{
    LONG   GenerationGap;       // levels between object and ancestor: 1 = parent, 2 = grandparent,
                                // 0 = ACE is explicit on the object itself
    LPTSTR% AncestorName;       // name of the ancestor the ACE was inherited from; NULL for an explicit ACE
} INHERITED_FROM%, *PINHERITED_FROM%;


#ifdef __cplusplus      ;both
}                       ;both
#endif                  ;both


#endif // __ACCESS_CONTROL__