The module handle that identifies the Cryptographic Service Provider to perform this operation.
AccessCred (input)
A pointer to the set of one or more credentials used to authenticate and validate the caller's authorization to modify the ACL controlling login sessions with the CSP. Required credentials can include zero or more certificates, zero or more caller names, and one or more samples. Traditionally a caller name has been used to establish the context of a login session. Certificates can be used for the same purpose. If certificates and/or caller names are provided as input, these must be provided as immediate values in this structure. The samples can be provided as immediate values or can be obtained through a callback function included in the AccessCred structure.
AclEdit (input)
A structure containing information that defines the edit operation. Valid operations include adding, replacing, and deleting entries in an ACL managed by the service provider. The AclEdit parameter can contain information for a new ACL entry and a handle uniquely identifying an existing ACL entry. The information controls the edit operation as follows:
Value of AclEdit.EditMode    Use of AclEdit.NewEntry and AclEdit.OldEntryHandle

CSSM_ACL_EDIT_MODE_ADD
Adds a new ACL entry to the set of ACL entries controlling login sessions with the CSP. The new ACL entry is created from the ACL entry prototype contained in NewEntry. OldEntryHandle is ignored for this EditMode.

CSSM_ACL_EDIT_MODE_DELETE
Deletes the ACL entry identified by OldEntryHandle and associated with login sessions with the CSP. NewEntry is ignored for this EditMode.

CSSM_ACL_EDIT_MODE_REPLACE
Replaces the ACL entry identified by OldEntryHandle and controlling login sessions with the CSP. The existing ACL entry is replaced, as a whole, by an entry built from the ACL entry prototype contained in NewEntry; both OldEntryHandle and NewEntry are used for this EditMode.
When replacing an existing ACL entry, the caller must replace all items in an ACL entry. The replacement prototype includes:
Subject type and value - A CSSM_LIST structure containing a typed subject. The subject identifies the entity authorized by this ACL entry.
Delegation flag - A CSSM_BOOL value indicating whether the subject can delegate the permissions recorded in the authorization array.
Authorization array - A CSSM_AUTHORIZATIONGROUP structure defining the set of operations for which permission is granted to the subject.
Validity period - A CSSM_ACL_VALIDITY_PERIOD structure containing two elements, the start time and the stop time for which the ACL entry is valid.
ACL entry tag - A CSSM_STRING containing a user-defined value associated with the ACL entry.
DESCRIPTION
This function edits the stored ACL controlling login sessions for a Cryptographic Service Provider (CSP). The ACL is modified according to the edit mode and information provided in AclEdit.
The caller must have a login session in process and must be authorized to modify the target ACL. Caller authentication and authorization to edit the ACL are determined based on the caller-provided AccessCred.
The caller must be authorized to add, delete, or replace the ACL entries controlling login to the CSP. When adding or replacing an ACL entry, the service provider must reject the creation of duplicate ACL entries.
When adding a new ACL entry to an ACL, the caller must provide a complete ACL entry prototype. All ACL entry items, except the ACL entry Subject, must be provided as immediate values in AclEdit.NewEntry. The ACL entry Subject can be provided as an immediate value, from a verifier with a protected data path, from an external authentication or authorization service, or through a callback function specified in AclEdit.NewEntry.Callback.
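The following is an added worked example, not code from the CDSA Technical Standard or from any CSP implementation. It is a self-contained C model of the EditMode table above and of the add/replace rules in this DESCRIPTION: ADD ignores OldEntryHandle, DELETE ignores NewEntry, REPLACE keeps the handle and overwrites every item, and a prototype that is not complete or that duplicates a live entry is rejected. Every type, function and error code in it is a constructed stand-in for the CDSA structures the page names (AclEdit, the ACL entry prototype, CSSM_AUTHORIZATIONGROUP, CSSM_ACL_VALIDITY_PERIOD) and for the CSSMERR_* codes; the duplicate rule (same subject and same authorization group), the handle handed back on ADD, and the fixed-size in-memory ACL are this model's assumptions. Caller authentication through AccessCred is assumed to have already succeeded before the edit is applied.

```c
/* Added example, not from the CDSA Technical Standard or this page: a constructed in-memory model of
 * the login-ACL edit rules. All type and error names are this model's stand-ins, not CSSM declarations. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ACL_MAX_ENTRIES 8
#define ACL_MAX_AUTH    4
enum acl_edit_mode { ACL_EDIT_MODE_ADD, ACL_EDIT_MODE_DELETE, ACL_EDIT_MODE_REPLACE };
enum { ACL_OK = 0, ACL_E_INPUT, ACL_E_INCOMPLETE, ACL_E_DUPLICATE, ACL_E_NO_ENTRY, ACL_E_FULL };
struct acl_entry_prototype {                 /* every item is required on ADD and REPLACE */
    const char *subject;                     /* typed subject (a CSSM_LIST in CDSA) */
    int         delegate;                    /* delegation flag (CSSM_BOOL) */
    uint32_t    auth[ACL_MAX_AUTH]; size_t auth_count; /* CSSM_AUTHORIZATIONGROUP tags */
    uint64_t    start_time, stop_time;       /* validity period (CSSM_ACL_VALIDITY_PERIOD) */
    const char *tag;                         /* user-defined entry tag (CSSM_STRING) */
};
struct acl_edit {                                       /* model of AclEdit */
    enum acl_edit_mode                mode;             /* EditMode */
    uint32_t                          old_entry_handle; /* ignored for ADD */
    const struct acl_entry_prototype *new_entry;        /* ignored for DELETE */
};
struct acl_entry { int in_use; uint32_t handle; struct acl_entry_prototype proto; };
struct login_acl { struct acl_entry entries[ACL_MAX_ENTRIES]; uint32_t next_handle; };
struct acl_entry *login_acl_find(struct login_acl *acl, uint32_t handle) {
    for (size_t i = 0; i < ACL_MAX_ENTRIES; i++)
        if (acl->entries[i].in_use && acl->entries[i].handle == handle) return &acl->entries[i];
    return NULL;
}
/* Complete = subject, at least one authorization, a sane validity window and a tag. */
static int prototype_complete(const struct acl_entry_prototype *p) {
    return p && p->subject && p->tag && p->auth_count > 0 &&
           p->auth_count <= ACL_MAX_AUTH && p->start_time <= p->stop_time;
}
/* Model duplicate rule: same subject and authorization group as another live entry (skip = entry being replaced). */
static int has_duplicate(const struct login_acl *acl, const struct acl_entry_prototype *p,
                         const struct acl_entry *skip) {
    for (size_t i = 0; i < ACL_MAX_ENTRIES; i++) {
        const struct acl_entry *e = &acl->entries[i];
        if (e->in_use && e != skip && strcmp(e->proto.subject, p->subject) == 0 &&
            e->proto.auth_count == p->auth_count &&
            memcmp(e->proto.auth, p->auth, p->auth_count * sizeof p->auth[0]) == 0) return 1;
    }
    return 0;
}

/* One edit per the EditMode table: ADD ignores OldEntryHandle, DELETE ignores NewEntry, REPLACE needs both
 * and keeps the handle. AccessCred checks are assumed done; *out_handle on ADD is a model convenience. */
int login_acl_change(struct login_acl *acl, const struct acl_edit *edit, uint32_t *out_handle) {
    struct acl_entry *target = NULL;
    if (!acl || !edit) return ACL_E_INPUT;
    switch (edit->mode) {
    case ACL_EDIT_MODE_ADD:
        if (!prototype_complete(edit->new_entry)) return ACL_E_INCOMPLETE;
        if (has_duplicate(acl, edit->new_entry, NULL)) return ACL_E_DUPLICATE;
        for (size_t i = 0; i < ACL_MAX_ENTRIES; i++) {
            if (acl->entries[i].in_use) continue;
            acl->entries[i] = (struct acl_entry){ 1, acl->next_handle++, *edit->new_entry };
            if (out_handle) *out_handle = acl->entries[i].handle;
            return ACL_OK;
        }
        return ACL_E_FULL;
    case ACL_EDIT_MODE_DELETE:
        if (!(target = login_acl_find(acl, edit->old_entry_handle))) return ACL_E_NO_ENTRY;
        memset(target, 0, sizeof *target);
        return ACL_OK;
    case ACL_EDIT_MODE_REPLACE:
        if (!(target = login_acl_find(acl, edit->old_entry_handle))) return ACL_E_NO_ENTRY;
        if (!prototype_complete(edit->new_entry)) return ACL_E_INCOMPLETE;
        if (has_duplicate(acl, edit->new_entry, target)) return ACL_E_DUPLICATE;
        target->proto = *edit->new_entry;   /* whole entry replaced, handle retained */
        return ACL_OK;
    }
    return ACL_E_INPUT;
}

/* Walks the table on a fresh ACL with constructed entries; returns 0 when every rule held,
 * otherwise the number of the first step that misbehaved. */
int login_acl_scenario(void) {
    struct login_acl acl = { .next_handle = 1 }; uint32_t h = 0;
    struct acl_entry_prototype alice = { .subject = "alice", .auth = { 1 }, .auth_count = 1,
                                         .start_time = 0, .stop_time = 100, .tag = "ops" };
    struct acl_entry_prototype alice_more = alice, incomplete = alice;
    struct acl_edit add = { ACL_EDIT_MODE_ADD, 0xdead, &alice };   /* bogus handle: ignored */
    alice_more.auth[1] = 2; alice_more.auth_count = 2; incomplete.auth_count = 0;
    if (login_acl_change(&acl, &add, &h) != ACL_OK || h == 0)       return 1;
    if (login_acl_change(&acl, &add, NULL) != ACL_E_DUPLICATE)      return 2;
    add.new_entry = &incomplete;
    if (login_acl_change(&acl, &add, NULL) != ACL_E_INCOMPLETE)     return 3;
    struct acl_edit rep = { ACL_EDIT_MODE_REPLACE, h, &alice_more };
    if (login_acl_change(&acl, &rep, NULL) != ACL_OK)               return 4;
    if (login_acl_find(&acl, h)->proto.auth_count != 2)            return 5;
    rep.old_entry_handle = h + 1;                                  /* stale handle */
    if (login_acl_change(&acl, &rep, NULL) != ACL_E_NO_ENTRY)       return 6;
    struct acl_edit del = { ACL_EDIT_MODE_DELETE, h, NULL };       /* NewEntry: ignored */
    if (login_acl_change(&acl, &del, NULL) != ACL_OK || login_acl_find(&acl, h)) return 7;
    return 0;
}
int main(void) { return login_acl_scenario(); }   /* exit status: 0 = every rule held */
```

login_acl_scenario() runs the sequence add, duplicate add, incomplete add, replace, replace through a stale handle, and delete, and returns 0 only when each step produced the result the table and the DESCRIPTION call for; the process exit status is the number of the first step that did not. The point to take from it is the ordering inside login_acl_change: the handle lookup, the completeness check and the duplicate check all run before any state is touched, so a rejected edit leaves the ACL exactly as it was.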
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular error condition. The value CSSM_OK indicates success. All other values represent an error condition.
ERRORS
Errors are described in the CDSA Technical Standard.