3.1.4.3 User Authorization Data Computation

User authentication occurs when the session for the protocol is established. After authentication, the Token/Authorization Context ([MS-DTYP] section 2.5.2) is available; it is used to compute the authorization data for the user for that specific session.

The user authorization data is computed as follows:

ADM_UserAuthorizationData.IsAdministrator: This is set to TRUE only if the BUILTIN_ADMINISTRATORS SID ([MS-DTYP] section 2.4.2.4) is present in the Token/Authorization Context.

ADM_UserAuthorizationData.IsIpamUser: This is set to TRUE only if the SID of the IPAM Users group object is present in the Token/Authorization Context.

ADM_UserAuthorizationData.IsIpamAdministrator: This is set to TRUE only if the SID of the IPAM Administrators group object is present in the Token/Authorization Context. If this is computed to be TRUE, the IsIPAMAsmAdministrator, IsIPAMMsmAdministrator, IsIPAMIPAuditAdministrator, and IsIpamUser members of ADM_UserAuthorizationData are set to TRUE without the need for further computation.

ADM_UserAuthorizationData.IsIPAMAsmAdministrator: This is set to TRUE if the SID of the IPAM ASM Administrators group object is present in the Token/Authorization Context. If this is TRUE, the ADM_UserAuthorizationData.IsIpamUser is computed to be TRUE as well.

ADM_UserAuthorizationData.IsIPAMMsmAdministrator: This is set to TRUE if the SID of the IPAM MSM Administrators group object is present in the Token/Authorization Context. If this is TRUE, the ADM_UserAuthorizationData.IsIpamUser is computed to be TRUE as well.

ADM_UserAuthorizationData.IsIPAMIPAuditAdministrator: This is set to TRUE if the SID of the IPAM IP Audit Administrators group object is present in the Token/Authorization Context. If this is TRUE, the ADM_UserAuthorizationData.IsIpamUser is computed to be TRUE as well.

ADM_UserAuthorizationData.MappingPolicyIds: This collection is populated in the following steps:

  1. Initialize ADM_UserAuthorizationData.MappingPolicyIds collection.

  2. Call the GetPolicyForUserSid procedure of ADM_UserAccessPolicyTable, passing Param_userSid initialized to the SID of the user present in the Token/Authorization Context. If Result_accessPolicy is not NULL, add Result_accessPolicy.PolicyId to the ADM_UserAuthorizationData.MappingPolicyIds collection.

  3. Then process all the groups that are present in the user's Token/Authorization Context. For each group object in the user's Token/Authorization Context, perform the next step.

  4. Call the GetPolicyForUserSid procedure of ADM_UserAccessPolicyTable, passing Param_userSid initialized to the SID of the group. If Result_accessPolicy is not NULL, add Result_accessPolicy.PolicyId to the ADM_UserAuthorizationData.MappingPolicyIds collection.

  5. If the collection ADM_UserAuthorizationData.MappingPolicyIds is not empty, then the ADM_UserAuthorizationData.IsIpamUser is computed to be TRUE as well.

In all of the preceding computations, the presence of a particular group object's SID in the Token/Authorization Context is determined by calling SidInToken ([MS-DTYP] section 2.5.3.1.1), passing the Token/Authorization Context as the Token parameter, the SID to check as the SidToTest parameter, and NULL as PrincipalSelfSubstitute.
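The following is an added worked example of the computation described above; it is not code from the specification or from any IPAM implementation. It models the Token/Authorization Context as a user SID plus a list of group SIDs, models SidInToken with PrincipalSelfSubstitute = NULL as a membership test over those SIDs, and uses constructed SIDs for the IPAM group objects (only BUILTIN_ADMINISTRATORS is a real well-known SID). The class and function names are the example's own, chosen to mirror the ADM elements in the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known SID of BUILTIN\Administrators ([MS-DTYP] section 2.4.2.4).
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

# Constructed SIDs standing in for the IPAM group objects (assumption: real
# deployments use whatever SIDs those group objects actually carry).
IPAM_USERS = "S-1-5-21-1000-2000-3000-1101"
IPAM_ADMINISTRATORS = "S-1-5-21-1000-2000-3000-1102"
IPAM_ASM_ADMINISTRATORS = "S-1-5-21-1000-2000-3000-1103"
IPAM_MSM_ADMINISTRATORS = "S-1-5-21-1000-2000-3000-1104"
IPAM_IP_AUDIT_ADMINISTRATORS = "S-1-5-21-1000-2000-3000-1105"


@dataclass
class Token:
    """Simplified Token/Authorization Context: the user SID and the group SIDs."""
    user_sid: str
    group_sids: List[str]


def sid_in_token(token: Token, sid_to_test: str) -> bool:
    """Models SidInToken ([MS-DTYP] 2.5.3.1.1) with PrincipalSelfSubstitute = NULL:
    TRUE when SidToTest is the user's SID or one of the group SIDs in the token."""
    return sid_to_test == token.user_sid or sid_to_test in token.group_sids


@dataclass
class AccessPolicy:
    policy_id: int
    user_sid: str  # the user or group SID this access policy is mapped to


class UserAccessPolicyTable:
    """Stand-in for ADM_UserAccessPolicyTable and its GetPolicyForUserSid procedure."""

    def __init__(self, policies: List[AccessPolicy]):
        self._by_sid = {p.user_sid: p for p in policies}

    def get_policy_for_user_sid(self, param_user_sid: str) -> Optional[AccessPolicy]:
        return self._by_sid.get(param_user_sid)  # None models a NULL Result_accessPolicy


@dataclass
class UserAuthorizationData:
    """Mirror of ADM_UserAuthorizationData."""
    is_administrator: bool = False
    is_ipam_user: bool = False
    is_ipam_administrator: bool = False
    is_ipam_asm_administrator: bool = False
    is_ipam_msm_administrator: bool = False
    is_ipam_ip_audit_administrator: bool = False
    mapping_policy_ids: List[int] = field(default_factory=list)


def compute_user_authorization_data(token: Token, table: UserAccessPolicyTable) -> UserAuthorizationData:
    d = UserAuthorizationData()
    d.is_administrator = sid_in_token(token, BUILTIN_ADMINISTRATORS)
    d.is_ipam_user = sid_in_token(token, IPAM_USERS)
    d.is_ipam_administrator = sid_in_token(token, IPAM_ADMINISTRATORS)

    if d.is_ipam_administrator:
        # IPAM Administrators implies every role flag; no further SID checks needed.
        d.is_ipam_asm_administrator = True
        d.is_ipam_msm_administrator = True
        d.is_ipam_ip_audit_administrator = True
        d.is_ipam_user = True
    else:
        d.is_ipam_asm_administrator = sid_in_token(token, IPAM_ASM_ADMINISTRATORS)
        d.is_ipam_msm_administrator = sid_in_token(token, IPAM_MSM_ADMINISTRATORS)
        d.is_ipam_ip_audit_administrator = sid_in_token(token, IPAM_IP_AUDIT_ADMINISTRATORS)
        # Any of the three role-specific administrator flags implies IsIpamUser.
        if (d.is_ipam_asm_administrator or d.is_ipam_msm_administrator
                or d.is_ipam_ip_audit_administrator):
            d.is_ipam_user = True

    # MappingPolicyIds, steps 1-5: the user's own SID first, then each group SID.
    d.mapping_policy_ids = []
    for sid in [token.user_sid] + list(token.group_sids):
        policy = table.get_policy_for_user_sid(sid)
        if policy is not None:
            d.mapping_policy_ids.append(policy.policy_id)
    if d.mapping_policy_ids:
        d.is_ipam_user = True  # an access policy mapping alone makes the caller an IPAM user
    return d


# Constructed policy table: policy 7 is mapped to a user SID, policy 9 to a group SID.
SAMPLE_TABLE = UserAccessPolicyTable([
    AccessPolicy(7, "S-1-5-21-1000-2000-3000-5001"),
    AccessPolicy(9, "S-1-5-21-1000-2000-3000-1500"),
])

if __name__ == "__main__":
    token = Token("S-1-5-21-1000-2000-3000-5001", [IPAM_ASM_ADMINISTRATORS])
    print(compute_user_authorization_data(token, SAMPLE_TABLE))
```

Note that the example preserves the ordering of the text (user SID before group SIDs) and appends every matching PolicyId, so a policy reachable through two SIDs appears twice in the collection, exactly as the steps above add it; de-duplication, if wanted, would be an implementation choice the text does not prescribe.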