3.1.1.10 Access for Public Abstract Data Model Elements

As described in section 3.1.1, direct access (query or set) of data elements tagged as "(Public)" MUST use the same authorization policies, enforced as if the elements were being accessed via the RPC-based protocol methods in this document. The calling patterns described in section 1.3 provide an overview for understanding the basic flow of the query and set patterns. Section 3.1.1.10.1 provides detailed examples for the Policy Object Data Model (section 3.1.1.1); the other object types use similar patterns.

The following table describes the level of access that MUST be enforced during direct access of the described public ADM elements.

Object type: Policy (section 3.1.1.1)
  DesiredAccess required for Query pattern:
    POLICY_VIEW_AUDIT_INFORMATION | POLICY_GET_PRIVATE_INFORMATION | POLICY_VIEW_LOCAL_INFORMATION | READ_CONTROL
  DesiredAccess required for Set pattern:
    POLICY_TRUST_ADMIN | POLICY_CREATE_ACCOUNT | POLICY_CREATE_SECRET | POLICY_CREATE_PRIVILEGE | POLICY_SET_DEFAULT_QUOTA_LIMITS | POLICY_SET_AUDIT_REQUIREMENTS | POLICY_AUDIT_LOG_ADMIN | POLICY_SERVER_ADMIN | READ_CONTROL

Object type: Account (section 3.1.1.3)
  DesiredAccess required for Query pattern:
    ACCOUNT_VIEW | READ_CONTROL
  DesiredAccess required for Set pattern:
    ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_QUOTAS | ACCOUNT_ADJUST_SYSTEM_ACCESS | READ_CONTROL

Object type: Secret (section 3.1.1.4)
  DesiredAccess required for Query pattern:
    SECRET_QUERY_VALUE | READ_CONTROL
  DesiredAccess required for Set pattern:
    SECRET_SET_VALUE | READ_CONTROL

Object type: TrustedDomain (section 3.1.1.5)
  DesiredAccess required for Query pattern:
    TRUSTED_QUERY_DOMAIN_NAME | READ_CONTROL
  DesiredAccess required for Set pattern:
    TRUSTED_SET_CONTROLLERS | TRUSTED_SET_POSIX | READ_CONTROL
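The following is an added example, not part of the specification, showing how an implementation can enforce the table above when a public ADM element is read or written directly rather than through an RPC method. It encodes the per-object-type query and set masks from the table and applies the usual access-mask test (every required bit must be present in the access granted to the caller's handle). The numeric values of the access rights are taken from ntsecapi.h and winnt.h and are not listed in this section; the mapping from an individual ADM element to the specific right its equivalent RPC method demands is an assumption supplied by the caller as the `required` argument, since the section does not enumerate it. The guard that rejects a `required` mask lying outside the table's mask for the pattern is a defensive choice of this example, so that a set operation can never be gated on a query-only right.

```python
"""Authorization check for direct access to public ADM elements (added example)."""

# Access-right values as defined in ntsecapi.h / winnt.h (not listed in this section).
POLICY_VIEW_LOCAL_INFORMATION   = 0x00000001
POLICY_VIEW_AUDIT_INFORMATION   = 0x00000002
POLICY_GET_PRIVATE_INFORMATION  = 0x00000004
POLICY_TRUST_ADMIN              = 0x00000008
POLICY_CREATE_ACCOUNT           = 0x00000010
POLICY_CREATE_SECRET            = 0x00000020
POLICY_CREATE_PRIVILEGE         = 0x00000040
POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080
POLICY_SET_AUDIT_REQUIREMENTS   = 0x00000100
POLICY_AUDIT_LOG_ADMIN          = 0x00000200
POLICY_SERVER_ADMIN             = 0x00000400
ACCOUNT_VIEW                    = 0x00000001
ACCOUNT_ADJUST_PRIVILEGES       = 0x00000002
ACCOUNT_ADJUST_QUOTAS           = 0x00000004
ACCOUNT_ADJUST_SYSTEM_ACCESS    = 0x00000008
SECRET_SET_VALUE                = 0x00000001
SECRET_QUERY_VALUE              = 0x00000002
TRUSTED_QUERY_DOMAIN_NAME       = 0x00000001
TRUSTED_SET_CONTROLLERS         = 0x00000004
TRUSTED_SET_POSIX               = 0x00000010
READ_CONTROL                    = 0x00020000  # standard right, winnt.h

# The table from section 3.1.1.10: rights from which the query/set check for each
# object type is drawn.
REQUIRED_ACCESS = {
    "Policy": {
        "query": POLICY_VIEW_AUDIT_INFORMATION | POLICY_GET_PRIVATE_INFORMATION
                 | POLICY_VIEW_LOCAL_INFORMATION | READ_CONTROL,
        "set":   POLICY_TRUST_ADMIN | POLICY_CREATE_ACCOUNT | POLICY_CREATE_SECRET
                 | POLICY_CREATE_PRIVILEGE | POLICY_SET_DEFAULT_QUOTA_LIMITS
                 | POLICY_SET_AUDIT_REQUIREMENTS | POLICY_AUDIT_LOG_ADMIN
                 | POLICY_SERVER_ADMIN | READ_CONTROL,
    },
    "Account": {
        "query": ACCOUNT_VIEW | READ_CONTROL,
        "set":   ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_QUOTAS
                 | ACCOUNT_ADJUST_SYSTEM_ACCESS | READ_CONTROL,
    },
    "Secret": {
        "query": SECRET_QUERY_VALUE | READ_CONTROL,
        "set":   SECRET_SET_VALUE | READ_CONTROL,
    },
    "TrustedDomain": {
        "query": TRUSTED_QUERY_DOMAIN_NAME | READ_CONTROL,
        "set":   TRUSTED_SET_CONTROLLERS | TRUSTED_SET_POSIX | READ_CONTROL,
    },
}


def access_check(granted: int, required: int) -> bool:
    """Standard access-mask test: every bit in `required` must be in `granted`."""
    if required == 0:
        raise ValueError("an operation must require at least one access right")
    return (granted & required) == required


def check_direct_access(object_type: str, pattern: str, granted: int, required: int) -> bool:
    """Authorize a direct ADM read ("query") or write ("set") exactly as the equivalent
    RPC method would.

    `granted`  - access mask the caller's handle was opened with.
    `required` - the right(s) the equivalent RPC method demands for this element
                 (assumption supplied by the caller; the section does not map
                 individual elements to rights).
    A `required` mask with bits outside the table's mask for this pattern is a
    programming error in the implementation and is rejected rather than evaluated.
    """
    allowed = REQUIRED_ACCESS[object_type][pattern]
    if required & ~allowed:
        raise ValueError(
            f"{pattern} on {object_type} may not be gated on rights outside the table's mask"
        )
    return access_check(granted, required)


if __name__ == "__main__":
    # Constructed scenario: a handle opened with POLICY_VIEW_LOCAL_INFORMATION only.
    handle_access = POLICY_VIEW_LOCAL_INFORMATION
    print(check_direct_access("Policy", "query", handle_access, POLICY_VIEW_LOCAL_INFORMATION))
    print(check_direct_access("Policy", "set", handle_access, POLICY_SERVER_ADMIN))
```

Because READ_CONTROL appears in both the query and set masks for every object type, a check gated on READ_CONTROL alone passes the guard for either pattern, whereas gating a set on SECRET_QUERY_VALUE raises before any access decision is made.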