Library /sys$common/syshlp/helplib.hlb  —  CDSA  CDSA_API, CSSM CSP ChangeLoginAcl
 NAME

   CSSM_CSP_ChangeLoginAcl - Edit a stored CSP ACL login session (CDSA)

 SYNOPSIS

   #include <cssm.h>

        CSSM_RETURN CSSMAPI CSSM_CSP_ChangeLoginAcl
        (CSSM_CSP_HANDLE CSPHandle,
        const CSSM_ACCESS_CREDENTIALS *AccessCred,
        const CSSM_ACL_EDIT *AclEdit)

 LIBRARY

   Common Security Services Manager library (CDSA$INCSSM300_SHR.EXE)

 PARAMETERS

   CSPHandle (input)
           The module handle that identifies the cryptographic service
           provider that is to perform this operation.

   AccessCred (input)
           A pointer to the set of one or more credentials used to
           authenticate and validate the caller's authorization to modify
           the ACL controlling login sessions with the CSP. Required
           credentials can include zero or more certificates, zero or more
           caller names, and one or more samples. Traditionally a caller
           name has been used to establish the context of a login session.
           Certificates can be used for the same purpose. If certificates
           and/or caller names are provided as input, these must be
           provided as immediate values in this structure.  The samples
           can be provided as immediate values or can be obtained through
           a callback function included in the AccessCred structure.

   AclEdit (input)
           A structure containing information that defines the edit
           operation.  Valid operations include adding, replacing, and
           deleting entries in an ACL managed by the service provider.
           The AclEdit parameter can contain information for a new ACL
           entry and a handle uniquely identifying an existing ACL
           entry. The information controls the edit operation as follows:

           _____________________________________________________________
           Value of AclEdit.EditMode    Use of AclEdit.NewEntry and
                                        AclEdit.OldEntryHandle
           _____________________________________________________________

           CSSM_ACL_EDIT_MODE_ADD       Adds a new ACL entry to the set
                                        of ACL entries controlling login
                                        sessions with the CSP. The new
                                        ACL entry is created from the ACL
                                        entry prototype contained in
                                        NewEntry.  OldEntryHandle is
                                        ignored for this EditMode.

           CSSM_ACL_EDIT_MODE_DELETE    Deletes the ACL entry identified
                                        by OldEntryHandle and associated
                                        with login sessions with the CSP.
                                        NewEntry is ignored for this
                                        EditMode.

           CSSM_ACL_EDIT_MODE_REPLACE   Replaces the ACL entry identified
                                        by OldEntryHandle and controlling
                                        login sessions with the CSP. The
                                        existing ACL is replaced based on
                                        the ACL entry prototype contained
                                        in the NewEntry.
           _____________________________________________________________

           When replacing an existing ACL entry, the caller must replace
           all items in an ACL entry. The replacement prototype includes:

             · Subject type and value - A CSSM_LIST structure containing a
               typed subject. The subject identifies the entity authorized
               by this ACL entry.

             · Delegation flag - A CSSM_BOOL value indicating whether the
               subject can delegate the permissions recorded in the
               authorization array.

             · Authorization array - A CSSM_AUTHORIZATIONGROUP structure
               defining the set of operations for which permission is
               granted to the subject.

             · Validity period - A CSSM_ACL_VALIDITY_PERIOD structure
               containing two elements, the start time and the stop time
               for which the ACL entry is valid.

             · ACL entry tag - A CSSM_STRING containing a user-defined
               value associated with the ACL entry.

 DESCRIPTION

   This function edits the stored ACL controlling login sessions for a
   cryptographic service provider (CSP). The ACL is modified according
   to the edit mode and information provided in AclEdit.

   The caller must have a login session in progress and must be authorized
   to modify the target ACL. Caller authentication and authorization to
   edit the ACL are determined from the caller-provided AccessCred.

   The caller must be authorized to add, delete, or replace the ACL
   entries controlling login to the CSP. When adding or replacing an ACL
   entry, the service provider must reject the creation of duplicate ACL
   entries.

   When adding a new ACL entry to an ACL, the caller must provide a
   complete ACL entry prototype. All ACL entry items, except the ACL
   entry Subject, must be provided as an immediate value in
   AclEdit.NewEntry.  The ACL entry Subject can be provided as an
   immediate value, from a verifier with a protected data path, from
   an external authentication or authorization service, or through a
   callback function specified in AclEdit.NewEntry.Callback.
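   The edit-mode rules in the table and DESCRIPTION above, as an added
   example that is not part of this help text or of the CDSA library: a
   self-contained C model of how a service provider would dispatch an
   AclEdit. The types are hypothetical simplifications, not the CSSM
   structures; the entry's array index stands in for OldEntryHandle, and
   two entries naming the same subject are treated as duplicates (both are
   assumptions of the model).

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not the CSSM types: hypothetical entry, ACL and edit
   structures; the entry's array index stands in for OldEntryHandle. */
#define MAX_ENTRIES 8
typedef enum { MODE_ADD, MODE_DELETE, MODE_REPLACE } EditMode;
typedef struct { char subject[32]; int delegate; unsigned auth; char tag[16]; } Entry;
typedef struct { Entry e[MAX_ENTRIES]; int used[MAX_ENTRIES]; } LoginAcl;
typedef struct { EditMode mode; int oldHandle; const Entry *newEntry; } AclEdit;

/* 0 is success, as CSSM_OK is; the other codes are this model's own. */
enum { OK = 0, ERR_MODE, ERR_BAD_HANDLE, ERR_INCOMPLETE, ERR_DUPLICATE, ERR_FULL };

/* Assumption: two entries are duplicates when they name the same subject. */
static int find_subject(const LoginAcl *acl, const char *subject) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (acl->used[i] && strcmp(acl->e[i].subject, subject) == 0) return i;
    return -1;
}
/* A prototype is complete when it carries a subject and at least one authorization. */
static int complete(const Entry *p) { return p != NULL && p->subject[0] != '\0' && p->auth != 0; }
static int valid_handle(const LoginAcl *acl, int h) { return h >= 0 && h < MAX_ENTRIES && acl->used[h]; }

/* Applies one edit; every validation failure leaves the ACL untouched. */
int change_login_acl(LoginAcl *acl, const AclEdit *ed) {
    int i, dup;
    switch (ed->mode) {
    case MODE_ADD:      /* OldEntryHandle ignored; NewEntry must be complete and not a duplicate */
        if (!complete(ed->newEntry)) return ERR_INCOMPLETE;
        if (find_subject(acl, ed->newEntry->subject) >= 0) return ERR_DUPLICATE;
        for (i = 0; i < MAX_ENTRIES; i++)
            if (!acl->used[i]) { acl->e[i] = *ed->newEntry; acl->used[i] = 1; return OK; }
        return ERR_FULL;
    case MODE_DELETE:   /* NewEntry ignored; the handle must name a live entry */
        if (!valid_handle(acl, ed->oldHandle)) return ERR_BAD_HANDLE;
        acl->used[ed->oldHandle] = 0;
        return OK;
    case MODE_REPLACE:  /* the whole prototype overwrites the entry; no partial updates */
        if (!valid_handle(acl, ed->oldHandle)) return ERR_BAD_HANDLE;
        if (!complete(ed->newEntry)) return ERR_INCOMPLETE;
        dup = find_subject(acl, ed->newEntry->subject);
        if (dup >= 0 && dup != ed->oldHandle) return ERR_DUPLICATE;
        acl->e[ed->oldHandle] = *ed->newEntry;
        return OK;
    }
    return ERR_MODE;
}
```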

 RETURN VALUE

   A CSSM_RETURN value indicating success or specifying a particular
   error condition. The value CSSM_OK indicates success. All other values
   represent an error condition.

 ERRORS

   Errors are described in the CDSA technical standard.  See CDSA.

   None specific to this call.

 SEE ALSO

   Books

   Intel CDSA Application Developer's Guide (see CDSA)

   Other Help Topics

   Functions: CSSM_CSP_GetLoginACL
              CSSM_CSP_Login
              CSSM_CSP_Logout