NTSTATUS RtlNewSecurityGrantedAccess( IN ACCESS_MASK DesiredAccess, OUT PPRIVILEGE_SET Privileges, IN OUT PULONG Length, IN HANDLE Token OPTIONAL, IN PGENERIC_MAPPING GenericMapping, OUT PACCESS_MASK RemainingDesiredAccess ); Routine Description: This routine implements privilege policy by examining the bits in a DesiredAccess mask and adjusting them based on privilege checks. Currently, a request for ACCESS_SYSTEM_SECURITY may only be satisfied by the caller having SeSecurityPrivilege. Note that this routine is only to be called when an object is being created. When an object is being opened, it is expected that NtAccessCheck will be called, and that routine will implement another policy for substituting privileges for DACL access. Arguments: DesiredAccess - Supplies the user's desired access mask Privileges - Supplies a pointer to an empty buffer in which will be returned a privilege set describing any privileges that were used to gain access. Note that this is not an optional parameter, that is, enough room for a single privilege must always be passed. Length - Supplies the length of the Privileges parameter in bytes. If the supplies length is not adequate to store the entire privilege set, this field will return the minimum length required. Token - (optionally) Supplies the token for the client on whose behalf the object is being accessed. If this value is specified as null, then the token on the thread is opened and examined to see if it is an impersonation token. If it is, then it must be at SecurityIdentification level or higher. If it is not an impersonation token, the operation proceeds normally. GenericMapping - Supplies the generic mapping associated with this object type. RemainingDesiredAccess - Returns the DesiredAccess mask after any bits have been masked off. If no access types could be granted, this mask will be identical to the one passed in. Return Value: STATUS_SUCCESS - The operation completed successfully. STATUS_BUFFER_TOO_SMALL - The passed buffer was not large enough to contain the information being returned. STATUS_BAD_IMPERSONATION_LEVEL - The caller or passed token was impersonating, but not at a high enough level.