The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a security descriptor string.
As shown in the Security Descriptor String Format examples, each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).
Note There is a different format for conditional access control entries (ACEs) than other ACE types. For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)
Fields
-
ace_type
-
A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string can be one of the following strings defined in Sddl.h.
ACE type string Constant in Sddl.h AceType value "A" SDDL_ACCESS_ALLOWED ACCESS_ALLOWED_ACE_TYPE "D" SDDL_ACCESS_DENIED ACCESS_DENIED_ACE_TYPE "OA" SDDL_OBJECT_ACCESS_ALLOWED ACCESS_ALLOWED_OBJECT_ACE_TYPE "OD" SDDL_OBJECT_ACCESS_DENIED ACCESS_DENIED_OBJECT_ACE_TYPE "AU" SDDL_AUDIT SYSTEM_AUDIT_ACE_TYPE "AL" SDDL_ALARM SYSTEM_ALARM_ACE_TYPE "OU" SDDL_OBJECT_AUDIT SYSTEM_AUDIT_OBJECT_ACE_TYPE "OL" SDDL_OBJECT_ALARM SYSTEM_ALARM_OBJECT_ACE_TYPE "ML" SDDL_MANDATORY_LABEL SYSTEM_MANDATORY_LABEL_ACE_TYPE "XA" SDDL_CALLBACK_ACCESS_ALLOWED ACCESS_ALLOWED_CALLBACK_ACE_TYPE Windows Vista and Windows Server 2003: Not available.
"XD" SDDL_CALLBACK_ACCESS_DENIED ACCESS_DENIED_CALLBACK_ACE_TYPE Windows Vista and Windows Server 2003: Not available.
"RA" SDDL_RESOURCE_ATTRIBUTE SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available.
"SP" SDDL_SCOPED_POLICY_ID SYSTEM_SCOPED_POLICY_ID_ACE_TYPE Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available.
"XU" SDDL_CALLBACK_AUDIT SYSTEM_AUDIT_CALLBACK_ACE_TYPE Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available.
"ZA" SDDL_CALLBACK_OBJECT_ACCESS_ALLOWED ACCESS_ALLOWED_CALLBACK_ACE_TYPE Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Not available.
Note If ace_type is ACCESS_ALLOWED_OBJECT_ACE_TYPE and neither object_guid nor inherit_object_guid has a GUID specified, thenConvertStringSecurityDescriptorToSecurityDescriptor converts ace_type to ACCESS_ALLOWED_ACE_TYPE.
ace_flags
-
A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string can be a concatenation of the following strings defined in Sddl.h.
ACE flags string Constant in Sddl.h AceFlag value "CI" SDDL_CONTAINER_INHERIT CONTAINER_INHERIT_ACE "OI" SDDL_OBJECT_INHERIT OBJECT_INHERIT_ACE "NP" SDDL_NO_PROPAGATE NO_PROPAGATE_INHERIT_ACE "IO" SDDL_INHERIT_ONLY INHERIT_ONLY_ACE "ID" SDDL_INHERITED INHERITED_ACE "SA" SDDL_AUDIT_SUCCESS SUCCESSFUL_ACCESS_ACE_FLAG "FA" SDDL_AUDIT_FAILURE FAILED_ACCESS_ACE_FLAG
rights
-
A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.
Access rights string Constant in Sddl.h Access right value Generic access rights
"GA" SDDL_GENERIC_ALL GENERIC_ALL "GR" SDDL_GENERIC_READ GENERIC_READ "GW" SDDL_GENERIC_WRITE GENERIC_WRITE "GX" SDDL_GENERIC_EXECUTE GENERIC_EXECUTE Standard access rights
"RC" SDDL_READ_CONTROL READ_CONTROL "SD" SDDL_STANDARD_DELETE DELETE "WD" SDDL_WRITE_DAC WRITE_DAC "WO" SDDL_WRITE_OWNER WRITE_OWNER Directory service object access rights
"RP" SDDL_READ_PROPERTY ADS_RIGHT_DS_READ_PROP "WP" SDDL_WRITE_PROPERTY ADS_RIGHT_DS_WRITE_PROP "CC" SDDL_CREATE_CHILD ADS_RIGHT_DS_CREATE_CHILD "DC" SDDL_DELETE_CHILD ADS_RIGHT_DS_DELETE_CHILD "LC" SDDL_LIST_CHILDREN ADS_RIGHT_ACTRL_DS_LIST "SW" SDDL_SELF_WRITE ADS_RIGHT_DS_SELF "LO" SDDL_LIST_OBJECT ADS_RIGHT_DS_LIST_OBJECT "DT" SDDL_DELETE_TREE ADS_RIGHT_DS_DELETE_TREE "CR" SDDL_CONTROL_ACCESS ADS_RIGHT_DS_CONTROL_ACCESS File access rights
"FA" SDDL_FILE_ALL FILE_ALL_ACCESS "FR" SDDL_FILE_READ FILE_GENERIC_READ "FW" SDDL_FILE_WRITE FILE_GENERIC_WRITE "FX" SDDL_FILE_EXECUTE FILE_GENERIC_EXECUTE Registry key access rights
"KA" SDDL_KEY_ALL KEY_ALL_ACCESS "KR" SDDL_KEY_READ KEY_READ "KW" SDDL_KEY_WRITE KEY_WRITE "KX" SDDL_KEY_EXECUTE KEY_EXECUTE Mandatory label rights
"NR" SDDL_NO_READ_UP SYSTEM_MANDATORY_LABEL_NO_READ_UP "NW" SDDL_NO_WRITE_UP SYSTEM_MANDATORY_LABEL_NO_WRITE_UP "NX" SDDL_NO_EXECUTE_UP SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
object_guid
-
A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE. The GUID string uses the format returned by the UuidToString function.
The following table lists some commonly used object GUIDs.
Rights and GUID Permission CR;ab721a53-1e2f-11d0-9819-00aa0040529b Change password CR;00299570-246d-11d0-a768-00aa006e0529 Reset password
inherit_object_guid
-
A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure. The GUID string uses theUuidToString format.
account_sid
-
SID string that identifies the trustee of the ACE.
resource_attribute
-
[OPTIONAL] The resource_attribute is only for resource ACEs and is optional. A string that indicates the data type. The resource attribute ace data type can be one of the following data types defined in Sddl.h.
The "#" sign is synonymous with "0" in resource attributes. For example, D:AI(XA;OICI;FA;;;WD;(OctetStringType==#1#2#3##)) is equivalent to and interpreted as D:AI(XA;OICI;FA;;;WD;(OctetStringType==#01020300)).
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2003: Resource attributes are not available.
Resource attribute ace data type string Constant in Sddl.h Data type "TI" SDDL_INT Signed integer "TU" SDDL_UINT Unsigned integer "TS" SDDL_WSTRING Wide string "TD" SDDL_SID SID "TX" SDDL_BLOB Octet string "TB" SDDL_BOOLEAN Boolean
The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guidfields. The ace_flags field is also empty, which indicates that none of the ACE flags are set.
(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
The ACE string shown above describes the following ACE information.
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE) AceFlags: 0x00 Access Mask: 0x100e003f READ_CONTROL WRITE_DAC WRITE_OWNER GENERIC_ALL Other access rights(0x0000003f) Ace Sid : (S-1-0-0)
The following example shows a file classified with resource claims for Windows and Structured Query Language (SQL) with Secrecy set to High Business Impact.
(RA;CI;;;;S-1-0-0; ("Project",TS,0,"Windows","SQL")) (RA;CI;;;;S-1-0-0; ("Secrecy",TU,0,3))
The ACE string shown above describes the following ACE information.
AceType: 0x12 (SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE) AceFlags: 0x1 (SDDL_CONTAINER_INHERIT) Access Mask: 0x0 Ace Sid : (S-1-0-0) Resource Attributes: Project has the strings Windows and SQL, Secrecy has the unsigned int value of 3
For more information, see Security Descriptor String Format and SID Strings. For conditional ACEs, see Security Descriptor Definition Language for Conditional ACEs.
Related topics