When to create custom permissions

This example demonstrates how a domain administrator can protect a printer from unauthorized use by creating a custom action.

Figure 1 shows an example of this requirement. A print spooling service is written with the authorization application programming interface (authorization API). The service can call the authorization service to do ACL checks on requests made to the printer.

The default permissions do not include a permission for protecting printers. However, the printer can be protected by a custom action bit (p in this example). An ACL policy is attached to the printer object. If a user requests the use of this protected printer, that user must have an ACL entry containing the p action bit. The authorization service returns a favorable response if the p action bit is present and the printing operation proceeds. If the authorization service returns an unfavorable response, the printing operation is not allowed to proceed.

Parent topic: Custom permissions in custom action groups