2.5.3.4.7 PostProcessACL

The purpose of this subroutine is to process the ACL and make it concrete by replacing certain macro SIDs with the actual SIDs for the principals involved, and to translate from generic access bit flags to the actual object-specific access flags. The caller specifies a filter to apply, namely whether only inherited ACEs, only explicit ACEs, or all ACEs will be copied.

Parameters

  • ACL: ACL on which to substitute SIDs.

  • CopyFilter: Enumeration of the following filters for post-processing the ACL: CopyAllAces, CopyInheritedAces, CopyExplicitAces.

  • Owner: Owner to use in substituting the CreatorOwner SID.

  • Group: Group to use in substituting the CreatorGroup SID.

  • GenericMapping: Mapping of generic permissions to resource manager-specific permissions supplied by the caller.

Returns

  • The computed ACL with the SID substitutions performed.

     // Substitute CreatorOwner and CreatorGroup SIDs and do GenericMapping in ACL
      
     Initialize NewACL to Empty ACL
      
     FOR each ACE in ACL DO
      
         // Determine if this ACE passes the filter to be copied to the new ACL
      
         SET CopyThisAce = FALSE 
      
         CASE CopyFilter OF 
         
             CopyAllAces: 
                 BEGIN 
                     SET CopyThisAce = TRUE 
                 END
      
             CopyInheritedAces: 
                 BEGIN 
                     IF (ACE.AceFlags contains INHERITED_ACE) THEN 
                         SET CopyThisAce = TRUE 
                     ENDIF 
                 END
      
             CopyExplicitAces: 
                 BEGIN 
                     IF (ACE.AceFlags does not contain INHERITED_ACE) THEN 
                        SET CopyThisAce = TRUE 
                     ENDIF 
                 END
      
         ENDCASE
      
         Set NewACE to ACE
      
         IF (CopyThisAce) THEN
      
             CASE ACE.Sid OF
      
                 CREATOR_OWNER:
                     NewACE.Sid = Owner
      
                 CREATOR_GROUP:
                     NewACE.Sid = Group
             ENDCASE
      
             IF (ACE.Mask contains GENERIC_READ) THEN
                 Add GenericMapping.GenericRead to NewACE.Mask
             ENDIF
      
             IF (ACE.Mask contains GENERIC_WRITE) THEN
                 Add GenericMapping.GenericWrite to NewACE.Mask
             ENDIF 
      
             IF (ACE.Mask contains GENERIC_EXECUTE) THEN
                 Add GenericMapping.GenericExecute to NewACE.Mask
             ENDIF
      
             Append NewACE to NewACL
         ENDIF
      
     END FOR
      
     RETURN NewACL
     // END PostProcessACL
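The following Python model of the subroutine above is an added worked example, not code from the specification. It follows the pseudocode step for step: the CopyFilter decides which ACEs survive, CREATOR_OWNER (S-1-3-0) and CREATOR_GROUP (S-1-3-1) are replaced by the supplied Owner and Group, and each generic bit present in the mask adds the corresponding resource-manager rights from the GenericMapping. As in the pseudocode, only GENERIC_READ, GENERIC_WRITE and GENERIC_EXECUTE are mapped and the generic bits themselves are left in the mask; a resource manager that wants a fully concrete mask must deal with that separately. The ACE and GenericMapping representations, the sample ACL, and the owner and group SIDs are constructed for the example; the flag values and the file-object generic mapping used as the sample GenericMapping are the standard Windows values.

```python
from dataclasses import dataclass
from enum import Enum

# Well-known SIDs and bit values referenced by the pseudocode (standard Windows values).
CREATOR_OWNER_SID = "S-1-3-0"
CREATOR_GROUP_SID = "S-1-3-1"
INHERITED_ACE = 0x10
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000


class CopyFilter(Enum):
    CopyAllAces = 1
    CopyInheritedAces = 2
    CopyExplicitAces = 3


@dataclass(frozen=True)
class Ace:
    """Simplified ACE (constructed for this example): only the fields the routine touches."""
    sid: str
    mask: int
    ace_flags: int = 0


@dataclass(frozen=True)
class GenericMapping:
    generic_read: int
    generic_write: int
    generic_execute: int
    generic_all: int


def post_process_acl(acl, copy_filter, owner, group, generic_mapping):
    """Return a new ACL with the filter applied, macro SIDs substituted, and generic bits mapped."""
    new_acl = []
    for ace in acl:
        # Step 1: does this ACE pass the filter?
        if copy_filter is CopyFilter.CopyAllAces:
            copy_this_ace = True
        elif copy_filter is CopyFilter.CopyInheritedAces:
            copy_this_ace = bool(ace.ace_flags & INHERITED_ACE)
        elif copy_filter is CopyFilter.CopyExplicitAces:
            copy_this_ace = not (ace.ace_flags & INHERITED_ACE)
        else:
            raise ValueError(f"unknown CopyFilter: {copy_filter!r}")
        if not copy_this_ace:
            continue

        # Step 2: substitute the CreatorOwner / CreatorGroup macro SIDs.
        sid = ace.sid
        if sid == CREATOR_OWNER_SID:
            sid = owner
        elif sid == CREATOR_GROUP_SID:
            sid = group

        # Step 3: add the object-specific rights for each generic bit that is set.
        # The generic bits are not cleared, exactly as in the pseudocode.
        mask = ace.mask
        if ace.mask & GENERIC_READ:
            mask |= generic_mapping.generic_read
        if ace.mask & GENERIC_WRITE:
            mask |= generic_mapping.generic_write
        if ace.mask & GENERIC_EXECUTE:
            mask |= generic_mapping.generic_execute

        new_acl.append(Ace(sid=sid, mask=mask, ace_flags=ace.ace_flags))
    return new_acl


# Sample GenericMapping: the file-object mapping (FILE_GENERIC_READ, FILE_GENERIC_WRITE,
# FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS).
FILE_MAPPING = GenericMapping(0x120089, 0x120116, 0x1200A0, 0x1F01FF)

# Constructed sample input: an ACL as it might look before being made concrete.
OWNER = "S-1-5-21-1-2-3-1001"   # constructed owner SID
GROUP = "S-1-5-21-1-2-3-513"    # constructed group SID
SAMPLE_ACL = [
    Ace(CREATOR_OWNER_SID, GENERIC_READ | GENERIC_WRITE),              # explicit
    Ace(CREATOR_GROUP_SID, GENERIC_READ, INHERITED_ACE),               # inherited
    Ace("S-1-1-0", GENERIC_EXECUTE, INHERITED_ACE),                    # Everyone, inherited
    Ace("S-1-5-18", 0x1F01FF),                                         # already concrete
]


if __name__ == "__main__":
    for f in CopyFilter:
        print(f.name)
        for ace in post_process_acl(SAMPLE_ACL, f, OWNER, GROUP, FILE_MAPPING):
            print(f"  {ace.sid:<24} mask=0x{ace.mask:08X} flags=0x{ace.ace_flags:02X}")
```

Running the block prints the three filtered results; the inherited ACEs keep their INHERITED_ACE flag, so a caller that later merges explicit and inherited portions can still tell them apart.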