3.1.1 Determining a Caller's Permissions

During processing of methods that implement access checks, this protocol performs access security verification on the caller's identity by using the algorithm specified by the Access Check Algorithm Pseudo code ([MS-DTYP] section The input parameters of that algorithm are mapped as follows:

  • SecurityDescriptor: This MUST be the SECURITY_DESCRIPTOR of the session.<148> For more information about SECURITY_DESCRIPTOR, see [MS-DTYP] section 2.4.6.

  • Token / Authorization Context: This MUST be the caller's token.

  • Access Request mask: This is specified by each method's processing logic and MUST be one or more of the WinStationOpen access values specified in section 6.5.

  • Object Tree: This parameter MUST be NULL.

  • PrincipalSelfSubst SID: This parameter MUST be NULL.