3.1.4.2.2 Access Checks Applied for Object Operations

Each method that consumes a handle requires that certain access bits be set on that handle. For the purposes of this specification, this set of bits is defined as RequiredAccess. The method returns STATUS_ACCESS_DENIED if the check in the pseudocode shown below fails. The required bits vary on a per-method basis and might depend on method arguments. Therefore, the value of RequiredAccess is specified on a per-method basis in sections 3.1.4.4, 3.1.4.5, 3.1.4.6, 3.1.4.7, 3.1.4.8, and 3.1.4.9.

 IF (any bit set in RequiredAccess is not set in LsaContextHandle.GrantedAccess) THEN
     Return STATUS_ACCESS_DENIED
 END IF

For example, if a method-processing rule specifies a required access bit of POLICY_VIEW_LOCAL_INFORMATION, the server MUST check that this bit is set in the granted access field on the context handle. If the check is unsuccessful, the server MUST return STATUS_ACCESS_DENIED.
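
The following C sketch is an added illustration, not part of the specification. It implements the pseudocode as an all-bits test and places it beside a common flawed variant that only tests for overlap. The struct layout and the function names check_access and check_access_any_bit are hypothetical; the numeric constants are the standard Windows values.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard Windows values for the status codes and policy access bits. */
#define STATUS_SUCCESS                 0x00000000u
#define STATUS_ACCESS_DENIED           0xC0000022u
#define POLICY_VIEW_LOCAL_INFORMATION  0x00000001u
#define POLICY_VIEW_AUDIT_INFORMATION  0x00000002u

/* Hypothetical stand-in for the server's per-handle state. */
typedef struct {
    uint32_t GrantedAccess;   /* bits granted when the handle was opened */
} LsaContextHandle;

/* Matches the pseudocode: deny if ANY bit in required is absent from
 * GrantedAccess. A required mask of 0 always passes. */
uint32_t check_access(const LsaContextHandle *h, uint32_t required)
{
    if ((required & ~h->GrantedAccess) != 0)
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

/* Flawed variant, shown for contrast only: it passes as soon as one
 * required bit overlaps, so a multi-bit requirement is under-enforced,
 * and it wrongly denies a required mask of 0. */
uint32_t check_access_any_bit(const LsaContextHandle *h, uint32_t required)
{
    if ((required & h->GrantedAccess) == 0)
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed handle: opened with local-information access only. */
    LsaContextHandle h = { POLICY_VIEW_LOCAL_INFORMATION };
    uint32_t both = POLICY_VIEW_LOCAL_INFORMATION | POLICY_VIEW_AUDIT_INFORMATION;

    printf("single bit, correct check: 0x%08X\n",
           (unsigned)check_access(&h, POLICY_VIEW_LOCAL_INFORMATION));
    printf("two bits,   correct check: 0x%08X\n",
           (unsigned)check_access(&h, both));
    printf("two bits,   any-bit check: 0x%08X\n",
           (unsigned)check_access_any_bit(&h, both));
    return 0;
}
```

The two functions agree whenever RequiredAccess is a single bit, which is why the flawed form can pass tests that never exercise a multi-bit requirement.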