The [AccessCheck] function needs to be used.
[GetEffectiveRightsFromAcl] takes into account just static TRUSTEE and ACL info (outside of the execution context):
"The GetEffectiveRightsFromAcl function does not consider the following:
- Implicitly granted access rights, such as READ_CONTROL and WRITE_DAC, for the owner of an object when determining effective rights.
- Privileges held by the trustee when determining effective access rights.
- =>>Group rights associated with the logon session, such as interactive, network, authenticated users, and so forth, in determining effective access rights.<==
- Resource manager policy. For example, for file objects, Delete and Read attributes can be provided by the parent even if they have been denied on the object."
The selected item is the source of the bug.
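
The difference between the two views, as an added example that is not part of the original post: a simplified Python model of DACL evaluation (not the Win32 implementation) comparing a static trustee lookup with a token-based check. The user and group SIDs, the group membership table and the DACL are constructed sample data, and the function names are hypothetical.

```python
# Simplified model of DACL evaluation; it does not call the Win32 API.
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000

# Well-known SIDs of groups that exist only in a logon session's token.
NETWORK, INTERACTIVE, AUTH_USERS = "S-1-5-2", "S-1-5-4", "S-1-5-11"

# Constructed sample data: user, group, membership and DACL are made up.
ALICE = "S-1-5-21-1111-2222-3333-1001"
STAFF = "S-1-5-21-1111-2222-3333-2001"
STATIC_GROUPS = {ALICE: {STAFF}}        # what an account lookup returns
DACL = [                                # (type, sid, mask), in ACL order
    ("deny",  NETWORK,    FILE_WRITE_DATA),
    ("allow", AUTH_USERS, FILE_READ_DATA),
    ("allow", STAFF,      FILE_WRITE_DATA),
]

def walk_dacl(dacl, sids):
    """Maximum-allowed walk: the first matching ACE to mention a bit decides it."""
    granted = denied = 0
    for ace_type, sid, mask in dacl:
        if sid not in sids:
            continue
        if ace_type == "allow":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted

def static_rights(dacl, trustee):
    """Static view: the trustee SID and its stored group memberships only."""
    return walk_dacl(dacl, {trustee} | STATIC_GROUPS.get(trustee, set()))

def token_for(user, logon_group):
    """SID set carried by a logon session of the given type (model)."""
    return {user, AUTH_USERS, logon_group} | STATIC_GROUPS.get(user, set())

def token_rights(dacl, token_sids, owner=None):
    """Token view: every SID in the token, plus the owner's implicit rights."""
    granted = walk_dacl(dacl, token_sids)
    if owner in token_sids:
        granted |= READ_CONTROL | WRITE_DAC
    return granted

if __name__ == "__main__":
    print("static     :", hex(static_rights(DACL, ALICE)))
    for name, grp in (("interactive", INTERACTIVE), ("network", NETWORK)):
        print(f"{name:11}:", hex(token_rights(DACL, token_for(ALICE, grp))))
```

In this model the static view reports write access only, while the same user gets read and write from an interactive session and read only from a network session.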