CSSM_CSP_ChangeLoginAcl — Edit a stored CSP ACL login session (CDSA)
# include <cssm.h>
CSSM_RETURN CSSMAPI CSSM_CSP_ChangeLoginAcl
const CSSM_ACCESS_CREDENTIALS *AccessCred,
const CSSM_ACL_EDIT *AclEdit)
Common Security Services Manager library (cdsa$incssm300_shr.exe)
| || |
The module handle that identifies the Cryptographic
Service Provider to perform this operation
| || |
A pointer to the set of one or more credentials
used to authenticate and validate the caller's authorization to
modify the ACL controlling login sessions with the CSP. Required credentials
can include zero or more certificates, zero or more caller names,
and one or more samples. Traditionally a caller name has been used
to establish the context of a login session. Certificates can be
used for the same purpose. If certificates and/or caller names are provided
as input, these must be provided as immediate values in this structure.
The samples can be provided as immediate values or can be obtained
through a callback function included in the AccessCred structure.
|AclEdit (input)|| |
A structure containing information that defines
the edit operation. Valid operations include adding, replacing,
and deleting entries in an ACL managed by the service provider.
The AclEdit parameter can contain information
for a new ACL entry and a handle uniquely identifying an existing
ACL entry. The information controls the edit operation as follows:
|Value of AclEdit.EditMode||Use of AclEdit.NewEntry and AclEdit.OldEntryHandle |
a new ACL entry to the set of ACL entries controlling login sessions
with the CSP. The new ACL entry is created from the ACL entry prototype
contained in NewEntry. OldEntryHandle is
ignored for this EditMode.|
the ACL entry identified by OldEntryHandle and
associated with login sessions with the CSP. NewEntry is
ignored for this EditMode.|
ACL entry identified by OldEntryHandle and controlling
login sessions with the CSP. The existing ACL is replaced based
on the ACL entry prototype contained in the NewEntry.|
When replacing an existing ACL entry, the caller must replace
all items in an ACL entry. The replacement prototype includes:
Subject type and value - A
CSSM_LIST structure containing a typed subject. The subject identifies
the entity authorized by this ACL entry.
Delegation flag - A CSSM_BOOL value indicating
whether the subject can delegate the permissions recorded in the
Authorization array - A CSSM_AUTHORIZATIONGROUP
structure defining the set of operations for which permission is
granted to the subject.
Validity period - A CSSM_ACL_VALIDITY_PERIOD
structure containing two elements, the start time and the stop time
for which the ACL entry is valid.
ACL entry tag - A CSSM_STRING containing
a user-defined value associated with the ACL entry.
This function edits the stored ACL controlling login sessions
for a Cryptographic Service Provider (CSP). The ACL is modified
according to the edit mode and information provided in AclEdit.
The caller must have a login session in process and must be
authorized to modify the target ACL. Caller authentication and authorization
to edit the ACL is determined based on the caller-provided AccessCred.
The caller must be authorized to add, delete, or replace the
ACL entries controlling login to the CSP. When adding or replacing
an ACL entry, the service provider must reject the creation of duplicate
When adding a new ACL entry to an ACL, the caller must provide
a complete ACL entry prototype. All ACL entry items, except the
ACL entry Subject, must be provided as an immediate value in AclEdit.NewEntry. The
ACL entry Subject can be provided as an immediate value, from a
verifier with a protected data path, from an external authentication
or authorization service, or through a callback function specified
A CSSM_RETURN value indicating success or specifying a particular
error condition. The value CSSM_OK indicates success. All other
values represent an error condition.
Errors are described in the CDSA Technical Standard.
None specific to this call.
Intel CDSA Application Developer's Guide
Functions: CSSM_CSP_GetLoginACLCSSM_CSP_Login, CSSM_CSP_Logout