3.1.1.10 Access for Public Abstract Data Model Elements
As described in section 3.1.1, direct access (query or set) of data elements tagged as "(Public)" MUST use the same authorization policies, enforced as if the elements were being accessed via the RPC-based protocol methods in this document. The calling patterns described in section 1.3 provide an overview for understanding the basic flow of the query and set patterns. Section 3.1.1.10.1 provides detailed examples for the Policy Object Data Model (section 3.1.1.1); the other object types use similar patterns.
The following table describes the level of access that MUST be enforced during direct access of the described public ADM elements.
|
Object type |
DesiredAccess required for Query pattern |
DesiredAccess required for Set pattern |
|---|---|---|
|
Policy (section 3.1.1.1) |
POLICY_VIEW_AUDIT_INFORMATION | POLICY_GET_PRIVATE_INFORMATION | POLICY_VIEW_LOCAL_INFORMATION | READ_CONTROL |
POLICY_TRUST_ADMIN | POLICY_CREATE_ACCOUNT | POLICY_CREATE_SECRET | POLICY_CREATE_PRIVILEGE | POLICY_SET_DEFAULT_QUOTA_LIMITS | POLICY_SET_AUDIT_REQUIREMENTS | POLICY_AUDIT_LOG_ADMIN | POLICY_SERVER_ADMIN | READ_CONTROL |
|
Account (section 3.1.1.3) |
ACCOUNT_VIEW | READ_CONTROL |
ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_QUOTAS | ACCOUNT_ADJUST_SYSTEM_ACCESS | READ_CONTROL |
|
Secret (section 3.1.1.4) |
SECRET_QUERY_VALUE | READ_CONTROL |
SECRET_SET_VALUE | READ_CONTROL |
|
TrustedDomain (section 3.1.1.5) |
TRUSTED_QUERY_DOMAIN_NAME | READ_CONTROL |
TRUSTED_SET_CONTROLLERS | TRUSTED_SET_POSIX | READ_CONTROL |