

CSSM_ChangeKeyAcl

NAME

CSSM_ChangeKeyAcl - Edit a stored ACL associated with the target key (CDSA)

SYNOPSIS

#include <cssm.h>

CSSM_RETURN CSSMAPI CSSM_ChangeKeyAcl(
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_ACCESS_CREDENTIALS *AccessCred,
        const CSSM_ACL_EDIT *AclEdit,
        const CSSM_KEY *Key)


LIBRARY

Common Security Services Manager library (cdsa$incssm300_shr.exe)


PARAMETERS

CSPHandle (input)
 The module handle that identifies the Cryptographic Service Provider to perform this operation.
AccessCred (input)
 A pointer to the set of one or more credentials used to authenticate and validate the caller's authorization to modify the ACL associated with the key. Required credentials can include zero or more certificates, zero or more caller names, and one or more samples. If certificates and/or caller names are provided as input, these must be provided as immediate values in this structure. The samples can be provided as immediate values or can be obtained through a callback function included in the AccessCred structure.
AclEdit (input)
 A structure containing information that defines the edit operation. Valid operations include: adding, replacing, and deleting entries in an ACL managed by the service provider. The AclEdit can contain information for a new ACL entry and a handle uniquely identifying an existing ACL entry. The information controls the edit operation as follows:

Value of AclEdit.EditMode and the resulting use of AclEdit.NewEntry and AclEdit.OldEntryHandle:

CSSM_ACL_EDIT_MODE_ADD
 Adds a new ACL entry to the set of ACL entries associated with the specified Key. The new ACL entry is created from the ACL entry prototype contained in NewEntry. OldEntryHandle is ignored for this edit mode.
CSSM_ACL_EDIT_MODE_DELETE
 Deletes the ACL entry identified by OldEntryHandle and associated with the specified Key. NewEntry is ignored for this edit mode.
CSSM_ACL_EDIT_MODE_REPLACE
 Replaces the ACL entry identified by OldEntryHandle and associated with the specified Key. The existing ACL entry is replaced based on the ACL entry prototype contained in NewEntry.



When replacing an existing ACL entry, the caller must replace all of the items in an ACL entry. The replacement prototype includes:

Subject type and value
 A CSSM_LIST structure containing a typed Subject. The Subject identifies the entity authorized by this ACL entry.
Delegation flag
 A CSSM_BOOL value indicating whether the subject can delegate the permissions recorded in the authorization array.
Authorization array
 A CSSM_AUTHORIZATIONGROUP structure defining the set of operations for which permission is granted to the Subject.
Validity period
 A CSSM_ACL_VALIDITY_PERIOD structure containing two elements, the start time and the stop time for which the ACL entry is valid.
ACL entry tag
 A CSSM_STRING containing a user-defined value associated with the ACL entry.

Key (input)
 A pointer to the target key whose associated ACL is being modified.


DESCRIPTION

This function edits the stored ACL associated with the target key. The ACL is modified according to the edit mode and information provided in AclEdit.

The caller must be authorized to modify the target ACL. Caller authentication and authorization to edit the ACL are determined based on the caller-provided AccessCred.

The caller must be authorized to add, delete, or replace the ACL entries associated with the target key. When adding or replacing an ACL entry, the service provider must reject the creation of duplicate ACL entries.

When adding a new ACL entry to an ACL, the caller must provide a complete ACL entry prototype. All ACL entry items, except the ACL entry Subject, must be provided as an immediate value in AclEdit->NewEntry. The ACL entry Subject can be provided as an immediate value, from a verifier with a protected data path, from an external authentication or authorization service, or through a callback function specified in AclEdit->NewEntry->Callback.
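The edit-mode rules above (ADD ignores OldEntryHandle, DELETE ignores NewEntry, REPLACE supplies a complete prototype, and duplicates are rejected), as an added example in C that is not part of this reference page or of the CDSA library. It uses constructed stand-in types (AclEntryPrototype, AclEdit, KeyAcl) in place of the real cssm.h structures and models the checks the service-provider side of CSSM_ChangeKeyAcl must make for one key's ACL.

```c
#include <string.h>

/* Constructed stand-ins for the CDSA types named on this page (not cssm.h). */
typedef enum { EDIT_ADD, EDIT_DELETE, EDIT_REPLACE } AclEditMode;
typedef struct {                 /* the five items of an ACL entry prototype */
    char     subject[32];        /* typed Subject (a CSSM_LIST in CDSA) */
    int      delegate;           /* delegation flag (CSSM_BOOL) */
    unsigned auth_mask;          /* authorization array, as a bitmask here */
    long     start, stop;        /* validity period: start and stop time */
    char     tag[16];            /* ACL entry tag (CSSM_STRING) */
} AclEntryPrototype;
typedef struct { unsigned handle; AclEntryPrototype proto; } AclEntry;
typedef struct {
    AclEditMode              mode;       /* AclEdit.EditMode */
    unsigned                 old_handle; /* AclEdit.OldEntryHandle */
    const AclEntryPrototype *new_entry;  /* AclEdit.NewEntry */
} AclEdit;
#define MAX_ENTRIES 8
typedef struct { AclEntry e[MAX_ENTRIES]; int n; unsigned next_handle; } KeyAcl;
enum { ACL_OK = 0, ACL_ERR_DUPLICATE, ACL_ERR_NOT_FOUND, ACL_ERR_INCOMPLETE, ACL_ERR_FULL };
static void key_acl_init(KeyAcl *a) { a->n = 0; a->next_handle = 1; }

/* A prototype is complete only when every item is supplied. */
static int is_complete(const AclEntryPrototype *p) {
    return p->subject[0] && p->tag[0] && p->auth_mask && p->start <= p->stop;
}
/* Two entries are duplicates when subject, delegation, rights and period match. */
static int same_entry(const AclEntryPrototype *a, const AclEntryPrototype *b) {
    return strcmp(a->subject, b->subject) == 0 && a->delegate == b->delegate &&
           a->auth_mask == b->auth_mask && a->start == b->start && a->stop == b->stop;
}

/* Model of the service-provider side of CSSM_ChangeKeyAcl for one key. */
int change_key_acl(KeyAcl *acl, const AclEdit *ed) {
    int i, found = -1;
    for (i = 0; ed->mode != EDIT_ADD && i < acl->n; i++)   /* ADD ignores OldEntryHandle */
        if (acl->e[i].handle == ed->old_handle) found = i;
    if (ed->mode == EDIT_DELETE) {                          /* DELETE ignores NewEntry */
        if (found < 0) return ACL_ERR_NOT_FOUND;
        acl->e[found] = acl->e[--acl->n];
        return ACL_OK;
    }
    if (!ed->new_entry || !is_complete(ed->new_entry)) return ACL_ERR_INCOMPLETE;
    if (ed->mode == EDIT_REPLACE && found < 0) return ACL_ERR_NOT_FOUND;
    for (i = 0; i < acl->n; i++)                            /* reject duplicate entries */
        if (i != found && same_entry(&acl->e[i].proto, ed->new_entry)) return ACL_ERR_DUPLICATE;
    if (ed->mode == EDIT_REPLACE) { acl->e[found].proto = *ed->new_entry; return ACL_OK; }
    if (acl->n == MAX_ENTRIES) return ACL_ERR_FULL;
    acl->e[acl->n].handle = acl->next_handle++;
    acl->e[acl->n++].proto = *ed->new_entry;
    return ACL_OK;
}
```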


RETURN VALUE

A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.


ERRORS

Errors are described in the CDSA Technical Standard.

None specific to this call.


SEE ALSO

Books

Intel CDSA Application Developer's Guide

Online Help

Functions: CSSM_GetKeyAcl

