Querying a Client Context

Applications can call the AuthzGetInformationFromContext function to query information about an existing client context.

The InfoClass parameter of the AuthzGetInformationFromContext function takes a value from the AUTHZ_CONTEXT_INFORMATION_CLASS enumeration that specifies what type of information the function queries.

Security attribute variables must be present in the client context if referred to in a conditional expression; otherwise, the conditional expression term referencing them will be evaluated as unknown. For more information on conditional expressions, see the Security Descriptor Definition Language for Conditional ACEs topic.


The following example queries the client context created in the example from Initializing a Client Context to retrieve the list of SIDs of groups associated with that client context.

#include <windows.h>
#include <authz.h>
#include <sddl.h>
#include <stdio.h>
#include <stdlib.h>

BOOL GetGroupsFromContext(AUTHZ_CLIENT_CONTEXT_HANDLE hClientContext)
{
    DWORD                cbSize = 0;
    PTOKEN_GROUPS        pTokenGroups = NULL;
    LPWSTR               StringSid = NULL;
    int i = 0;

    //Call the AuthzGetInformationFromContext function with a NULL output buffer to get the required buffer size.
    AuthzGetInformationFromContext(hClientContext, AuthzContextInfoGroupsSids, 0, &cbSize, NULL);

    //Allocate the buffer for the TOKEN_GROUPS structure.
    pTokenGroups = (PTOKEN_GROUPS)malloc(cbSize);
    if (!pTokenGroups)
        return FALSE;

    //Get the SIDs of groups associated with the client context.
    if (!AuthzGetInformationFromContext(hClientContext, AuthzContextInfoGroupsSids, cbSize, &cbSize, pTokenGroups))
    {
        printf_s("AuthzGetInformationFromContext failed with %lu\n", GetLastError());
        free(pTokenGroups);
        return FALSE;
    }

    //Enumerate and display the group SIDs.
    for (i = (int)pTokenGroups->GroupCount - 1; i >= 0; --i)
    {
        //Convert a SID to a string. The function allocates StringSid with LocalAlloc.
        if (!ConvertSidToStringSidW(pTokenGroups->Groups[i].Sid, &StringSid))
        {
            free(pTokenGroups);
            return FALSE;
        }

        wprintf_s(L"%s \n", StringSid);

        //Release the string before the next iteration.
        LocalFree(StringSid);
    }

    free(pTokenGroups);
    return TRUE;
}
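
A pre-flight check for the note above on security attribute variables, as an added example that is not Microsoft's sample code: it queries the context with AuthzContextInfoSecurityAttributes and reports the first attribute name a conditional expression needs that the context lacks. FirstMissingAttribute and CheckContextAttributes are hypothetical names, the required names are supplied by the caller, and exact case-sensitive name matching is an assumption; the query part compiles only under _WIN32.

```c
#include <stddef.h>
#include <wchar.h>

/* Returns the first name in required[] that is absent from present[], or NULL
   when all are present. Exact, case-sensitive matching is an assumption. */
const wchar_t *FirstMissingAttribute(const wchar_t *const *required, size_t nReq,
                                     const wchar_t *const *present, size_t nPresent)
{
    size_t r, p;
    for (r = 0; r < nReq; ++r) {
        for (p = 0; p < nPresent; ++p)
            if (present[p] && wcscmp(required[r], present[p]) == 0)
                break;
        if (p == nPresent)          /* inner loop ran out: name not found */
            return required[r];
    }
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
#include <authz.h>
#include <stdlib.h>

/* Hypothetical helper: returns FALSE if the query fails; otherwise sets
   *missing to the first absent name (NULL when every name is present). */
BOOL CheckContextAttributes(AUTHZ_CLIENT_CONTEXT_HANDLE hCtx,
                            const wchar_t *const *required, size_t nReq,
                            const wchar_t **missing)
{
    DWORD cb = 0, i;
    PAUTHZ_SECURITY_ATTRIBUTES_INFORMATION info;
    const wchar_t **names;
    BOOL ok = FALSE;
    /* Size query first, the same two-call pattern as the group SID example. */
    AuthzGetInformationFromContext(hCtx, AuthzContextInfoSecurityAttributes, 0, &cb, NULL);
    if (cb < sizeof(*info) || (info = malloc(cb)) == NULL)
        return FALSE;
    if (AuthzGetInformationFromContext(hCtx, AuthzContextInfoSecurityAttributes, cb, &cb, info)) {
        names = calloc(info->AttributeCount ? info->AttributeCount : 1, sizeof(*names));
        if (names) {
            for (i = 0; i < info->AttributeCount; ++i)
                names[i] = info->Attribute.pAttributeV1[i].pName;
            *missing = FirstMissingAttribute(required, nReq, names, info->AttributeCount);
            ok = TRUE;
            free(names);
        }
    }
    free(info);
    return ok;
}
#endif
```

A non-NULL result names an attribute whose conditional expression term would be evaluated as unknown for this client context.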

Adding SIDs to a Client Context

Caching Access Checks

Checking Access with Authz API

How AccessCheck Works

Initializing a Client Context

Security Descriptor Definition Language for Conditional ACEs