3.1.4.7 AuthzrModifySids (Opnum 6)
The AuthzrModifySids method (opnum 6) modifies the list of SIDs associated with the identified client context.
DWORD AuthzrModifySids(
    [in] AUTHZR_HANDLE ContextHandle,
    [in] AUTHZ_CONTEXT_INFORMATION_CLASS SidClass,
    [in] [range(1, 65535)] DWORD OperationCount,
    [in] [size_is(OperationCount)] AUTHZ_SID_OPERATION* pSidOperations,
    [in] [unique] AUTHZR_TOKEN_GROUPS* pSids
);
ContextHandle: An AUTHZR_HANDLE structure, as defined in section 2.2.1.1, representing the client context to be modified.
SidClass: An AUTHZ_CONTEXT_INFORMATION_CLASS enumeration value, as defined in section 2.2.2.1, indicating which SID array of the client context is to be modified.
OperationCount: The number of operations to be performed, which is also the number of elements in the pSidOperations array.
pSidOperations: A pointer to an array of AUTHZ_SID_OPERATION enumeration values that specify the group modifications to be made. Each element applies to the element of the Groups array of pSids at the same index.
pSids: A pointer to an AUTHZR_TOKEN_GROUPS structure, as defined in section 2.2.3.9, specifying the groups (SID and attribute pairs) that the operations apply to.
Return Values:
If the function succeeds, it MUST return 0x00000000.
If the function fails, it MUST return a nonzero error code value.
On receipt of this message, a RAZA server MUST complete the following process:
If the SidClass parameter contains any value other than AuthzContextInfoGroupSids (2) or AuthzContextInfoDeviceSids (12), or if the requested modification is not supported, the RAZA server MUST return ERROR_INVALID_PARAMETER.
The RAZA server MUST check the first element in the pSidOperations array as indicated by OperationCount.
If the value pointed to by the pSidOperations parameter is AUTHZ_SID_OPERATION_NONE, the RAZA server MUST return 0x00000000 without modifying the client context.
If the value pointed to by the pSidOperations parameter is AUTHZ_SID_OPERATION_REPLACE_ALL, the RAZA server MUST perform the following operations on the ImpersonationAccessToken in the ClientContext identified by the ContextHandle:
Map the SidClass parameter value to the corresponding ImpersonationAccessToken array according to the following table, and replace that array with the Groups member array of the pSids parameter.
Return 0x00000000 if the operation is successful; otherwise, return a nonzero error code.
If the value pointed to by the pSidOperations parameter is any other value of the AUTHZ_SID_OPERATION enumeration, continue with the following process.
The RAZA server MUST complete the following process for each element in the pSidOperations array as indicated by OperationCount:
If the element is not the first element and the value is AUTHZ_SID_OPERATION_NONE or AUTHZ_SID_OPERATION_REPLACE_ALL, the RAZA server MUST return a nonzero error code. The case in which the first element is one of these values is described earlier.
If the element is AUTHZ_SID_OPERATION_ADD, search the ImpersonationAccessToken array identified according to the following table for an element whose Sid member equals the Sid member of the corresponding element of the Groups array in the pSids parameter. If one is found, the RAZA server MUST return ERROR_GROUP_EXISTS; otherwise, it MUST append the corresponding element of the Groups array in the pSids parameter to the identified ImpersonationAccessToken array. If the corresponding element of the Groups array in the pSids parameter does not exist, the RAZA server MUST fail with ERROR_INVALID_PARAMETER.
If the element is AUTHZ_SID_OPERATION_DELETE, search the ImpersonationAccessToken array identified according to the following table for an element whose Sid member equals the Sid member of the corresponding element of the Groups array in the pSids parameter. If one is found, delete that element from the identified ImpersonationAccessToken array and free any memory that was associated with it. If the search fails, the RAZA server MUST return ERROR_NOT_FOUND. If the corresponding element of the Groups array in the pSids parameter does not exist, the RAZA server MUST fail with ERROR_INVALID_PARAMETER.
If the element is AUTHZ_SID_OPERATION_REPLACE, search the ImpersonationAccessToken array identified according to the following table for an element whose Sid member equals the Sid member of the corresponding element of the Groups array in the pSids parameter. If the corresponding element of the Groups array in the pSids parameter does not exist, the RAZA server MUST fail with ERROR_INVALID_PARAMETER.
If the Sid is located, replace the located array element with the corresponding element of the Groups array in the pSids parameter.
If the Sid is not located, append the corresponding element of the Groups array in the pSids parameter to the identified ImpersonationAccessToken array.
SidClass parameter value        Corresponding ImpersonationAccessToken array
AuthzContextInfoGroupSids       ImpersonationAccessToken.Sids
AuthzContextInfoDeviceSids      ImpersonationAccessToken.DeviceSids
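The following Python model is an added illustration of the server-side procedure above; it is not text or code from this specification or from any RAZA implementation. It applies a pSidOperations array and the Groups array of pSids to an in-memory token exactly in the order the text prescribes and returns the same status codes. The numeric values assigned to the AUTHZ_SID_OPERATION enumeration, the use of ERROR_INVALID_PARAMETER wherever the text only requires "a nonzero error code", and the rejection of a NULL pSids on a REPLACE_ALL are assumptions; the SIDs in run_scenarios are constructed sample data.

```python
"""Model of the AuthzrModifySids (opnum 6) server-side procedure (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 status codes the procedure returns.
ERROR_SUCCESS = 0x00000000
ERROR_INVALID_PARAMETER = 0x00000057
ERROR_NOT_FOUND = 0x00000490
ERROR_GROUP_EXISTS = 0x00000526

# AUTHZ_CONTEXT_INFORMATION_CLASS values this method accepts (values from the text).
AuthzContextInfoGroupSids = 2
AuthzContextInfoDeviceSids = 12

# AUTHZ_SID_OPERATION values; the numeric assignments are assumed (authz.h order).
AUTHZ_SID_OPERATION_NONE = 0
AUTHZ_SID_OPERATION_REPLACE_ALL = 1
AUTHZ_SID_OPERATION_ADD = 2
AUTHZ_SID_OPERATION_DELETE = 3
AUTHZ_SID_OPERATION_REPLACE = 4


@dataclass
class SidAndAttributes:
    """One element of AUTHZR_TOKEN_GROUPS.Groups: a SID string plus attribute flags."""
    sid: str
    attributes: int = 0


@dataclass
class ImpersonationAccessToken:
    """Only the two arrays AuthzrModifySids can touch are modelled."""
    sids: List[SidAndAttributes] = field(default_factory=list)
    device_sids: List[SidAndAttributes] = field(default_factory=list)


def _find(array: List[SidAndAttributes], sid: str) -> int:
    """Index of the element whose Sid member equals sid, or -1 if absent."""
    for i, entry in enumerate(array):
        if entry.sid == sid:
            return i
    return -1


def authzr_modify_sids(token: ImpersonationAccessToken, sid_class: int,
                       ops: List[int], groups: Optional[List[SidAndAttributes]]) -> int:
    """Apply pSidOperations (ops) and pSids.Groups (groups) to token; return the DWORD status."""
    if sid_class == AuthzContextInfoGroupSids:
        array = token.sids
    elif sid_class == AuthzContextInfoDeviceSids:
        array = token.device_sids
    else:
        return ERROR_INVALID_PARAMETER
    if not 1 <= len(ops) <= 65535:          # [range(1, 65535)] on OperationCount
        return ERROR_INVALID_PARAMETER

    # Only the first element decides the NONE / REPLACE_ALL paths; later elements are ignored.
    if ops[0] == AUTHZ_SID_OPERATION_NONE:
        return ERROR_SUCCESS
    if ops[0] == AUTHZ_SID_OPERATION_REPLACE_ALL:
        if groups is None:                   # pSids is [unique]; rejecting NULL here is an assumption
            return ERROR_INVALID_PARAMETER
        array[:] = list(groups)
        return ERROR_SUCCESS

    # Element-wise path: each operation pairs with the Groups element at the same index.
    for index, op in enumerate(ops):
        if op in (AUTHZ_SID_OPERATION_NONE, AUTHZ_SID_OPERATION_REPLACE_ALL):
            return ERROR_INVALID_PARAMETER   # text requires "nonzero"; this code is an assumption
        if groups is None or index >= len(groups):
            return ERROR_INVALID_PARAMETER   # corresponding Groups element does not exist
        entry = groups[index]
        pos = _find(array, entry.sid)
        if op == AUTHZ_SID_OPERATION_ADD:
            if pos >= 0:
                return ERROR_GROUP_EXISTS
            array.append(entry)
        elif op == AUTHZ_SID_OPERATION_DELETE:
            if pos < 0:
                return ERROR_NOT_FOUND
            del array[pos]
        elif op == AUTHZ_SID_OPERATION_REPLACE:
            if pos >= 0:
                array[pos] = entry
            else:
                array.append(entry)
        else:
            return ERROR_INVALID_PARAMETER   # unsupported modification
    return ERROR_SUCCESS


def run_scenarios() -> dict:
    """Exercise the success path, each error path, and the non-transactional failure mode."""
    users = SidAndAttributes("S-1-5-32-545")   # constructed sample SIDs
    admins = SidAndAttributes("S-1-5-32-544")
    guests = SidAndAttributes("S-1-5-32-546")
    grp, ops = AuthzContextInfoGroupSids, authzr_modify_sids
    tok = ImpersonationAccessToken(sids=[users])
    out = {}
    out["add"] = ops(tok, grp, [AUTHZ_SID_OPERATION_ADD], [admins])
    out["add_dup"] = ops(tok, grp, [AUTHZ_SID_OPERATION_ADD], [users])
    out["del_missing"] = ops(tok, grp, [AUTHZ_SID_OPERATION_DELETE], [guests])
    # Two operations but one Groups element: the first DELETE is applied, then the call fails.
    out["partial"] = ops(tok, grp, [AUTHZ_SID_OPERATION_DELETE, AUTHZ_SID_OPERATION_DELETE], [admins])
    out["partial_sids"] = [e.sid for e in tok.sids]
    out["none_first"] = ops(tok, grp, [AUTHZ_SID_OPERATION_NONE, AUTHZ_SID_OPERATION_ADD], [admins, admins])
    out["replace_absent"] = ops(tok, grp, [AUTHZ_SID_OPERATION_REPLACE], [guests])
    out["replace_all_device"] = ops(tok, AuthzContextInfoDeviceSids,
                                    [AUTHZ_SID_OPERATION_REPLACE_ALL, AUTHZ_SID_OPERATION_ADD], [admins])
    out["bad_class"] = ops(tok, 3, [AUTHZ_SID_OPERATION_ADD], [admins])
    out["sids"] = [e.sid for e in tok.sids]
    out["device_sids"] = [e.sid for e in tok.device_sids]
    return out
```

Two points the model makes visible. First, the element-wise path indexes the Groups array of pSids by operation index, so a server must bounds-check against GroupCount rather than trust OperationCount, and a batch with fewer groups than operations fails with ERROR_INVALID_PARAMETER only after the earlier elements have been applied. Second, nothing in the section requires the server to undo earlier elements when a later one fails, so a caller that needs an all-or-nothing change should either send one operation per call or use AUTHZ_SID_OPERATION_REPLACE_ALL, which replaces the whole array in a single step and ignores any further elements.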