3.1.4.3 User Authorization Data Computation

User authentication occurs when the session is established for the protocol. After authentication, the Token/Authorization Context ([MS-DTYP] section 2.5.2) is available and is used to compute the authorization data for the user for that specific session. The user authorization data is computed as follows:

  • ADM_UserAuthorizationData.IsAdministrator: This is set to TRUE only if the BUILTIN_ADMINISTRATORS SID ([MS-DTYP] section 2.4.2.4) is present in the Token/Authorization Context.

  • ADM_UserAuthorizationData.IsIpamUser: This is set to TRUE only if the SID of the IPAM Users group object is present in the Token/Authorization Context.

  • ADM_UserAuthorizationData.IsIpamAdministrator: This is set to TRUE only if the SID of the IPAM Administrators group object is present in the Token/Authorization Context. If this is computed to be TRUE, the IsIPAMAsmAdministrator, IsIPAMMsmAdministrator, IsIPAMIPAuditAdministrator and IsIPAMUser members of ADM_UserAuthorizationData are set to TRUE without the need for further computation.

  • ADM_UserAuthorizationData.IsIPAMAsmAdministrator: This is set to TRUE if the SID of the IPAM ASM Administrators group object is present in the Token/Authorization Context. If this is TRUE, the ADM_UserAuthorizationData.IsIpamUser is computed to be TRUE as well.

  • ADM_UserAuthorizationData.IsIPAMMsmAdministrator: This is set to TRUE if the SID of the IPAM MSM Administrators group object is present in the Token/Authorization Context. If this is TRUE, the ADM_UserAuthorizationData.IsIpamUser is computed to be TRUE as well.

  • ADM_UserAuthorizationData.IsIPAMIPAuditAdministrator: This is set to TRUE if the SID of the IPAM IP Audit Administrators group object is present in the Token/Authorization Context. If this is TRUE, the ADM_UserAuthorizationData.IsIpamUser is computed to be TRUE as well.

In all of the above computation checks, the SID of a particular group object is checked for its presence in the Token/Authorization Context. This is done by calling SidInToken ([MS-DTYP] section 2.5.3.1.1), passing the Token/Authorization Context as the Token parameter, the SID to check as the SidToTest parameter, and null as PrincipalSelfSubstitute.
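The following is an added worked example (not code from the specification) that models the computation above over the group SIDs carried in a token. It assumes BUILTIN_ADMINISTRATORS is the well-known SID S-1-5-32-544; the IPAM group SIDs are constructed placeholders, since the real values are domain-specific, and the SidInToken call is modelled as a plain membership test because PrincipalSelfSubstitute is null.

```python
from dataclasses import dataclass

# Well-known SID of BUILTIN\Administrators ([MS-DTYP] section 2.4.2.4).
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed placeholder SIDs for the IPAM group objects; in a real
# deployment these are domain-specific and read from the directory.
IPAM_GROUP_SIDS = {
    "IPAM Users": "S-1-5-21-1000-2000-3000-1101",
    "IPAM Administrators": "S-1-5-21-1000-2000-3000-1102",
    "IPAM ASM Administrators": "S-1-5-21-1000-2000-3000-1103",
    "IPAM MSM Administrators": "S-1-5-21-1000-2000-3000-1104",
    "IPAM IP Audit Administrators": "S-1-5-21-1000-2000-3000-1105",
}


def sid_in_token(token_sids, sid_to_test):
    """Models SidInToken ([MS-DTYP] 2.5.3.1.1) with PrincipalSelfSubstitute
    = null: the only question is whether the SID appears in the token."""
    return sid_to_test in token_sids


@dataclass
class UserAuthorizationData:
    IsAdministrator: bool = False
    IsIpamUser: bool = False
    IsIpamAdministrator: bool = False
    IsIPAMAsmAdministrator: bool = False
    IsIPAMMsmAdministrator: bool = False
    IsIPAMIPAuditAdministrator: bool = False


def compute_user_authorization_data(token_sids, group_sids=IPAM_GROUP_SIDS):
    token_sids = frozenset(token_sids)
    adm = UserAuthorizationData()
    # Local administrator status is independent of the IPAM flags.
    adm.IsAdministrator = sid_in_token(token_sids, BUILTIN_ADMINISTRATORS_SID)
    adm.IsIpamUser = sid_in_token(token_sids, group_sids["IPAM Users"])
    # Each role-specific group also implies IPAM user membership.
    for role, member in (("IPAM ASM Administrators", "IsIPAMAsmAdministrator"),
                         ("IPAM MSM Administrators", "IsIPAMMsmAdministrator"),
                         ("IPAM IP Audit Administrators", "IsIPAMIPAuditAdministrator")):
        if sid_in_token(token_sids, group_sids[role]):
            setattr(adm, member, True)
            adm.IsIpamUser = True
    # IPAM Administrators implies every IPAM flag without further checks.
    if sid_in_token(token_sids, group_sids["IPAM Administrators"]):
        adm.IsIpamAdministrator = True
        adm.IsIPAMAsmAdministrator = adm.IsIPAMMsmAdministrator = True
        adm.IsIPAMIPAuditAdministrator = adm.IsIpamUser = True
    return adm
```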