ACE Strings
ACE Strings

The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a security descriptor string.

As shown in the Security Descriptor String Format examples, each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).


ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Fields

ace_type

A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string can be one of the following strings defined in Sddl.h.

ACE type string Constant in Sddl.h AceType value
"A" SDDL_ACCESS_ALLOWED ACCESS_ALLOWED_ACE_TYPE
"D" SDDL_ACCESS_DENIED ACCESS_DENIED_ACE_TYPE
"OA" SDDL_OBJECT_ACCESS_ALLOWED ACCESS_ALLOWED_OBJECT_ACE_TYPE
"OD" SDDL_OBJECT_ACCESS_DENIED ACCESS_DENIED_OBJECT_ACE_TYPE
"AU" SDDL_AUDIT SYSTEM_AUDIT_ACE_TYPE
"AL" SDDL_ALARM SYSTEM_ALARM_ACE_TYPE
"OU" SDDL_OBJECT_AUDIT SYSTEM_AUDIT_OBJECT_ACE_TYPE
"OL" SDDL_OBJECT_ALARM SYSTEM_ALARM_OBJECT_ACE_TYPE
"ML"SDDL_MANDATORY_LABELSYSTEM_MANDATORY_LABEL_ACE

 

Note  If ace_type is ACCESS_ALLOWED_OBJECT_ACE_TYPE and neither object_guid nor inherit_object_guid has a GUID specified, then ConvertStringSecurityDescriptorToSecurityDescriptor converts ace_type to ACCESS_ALLOWED_ACE_TYPE.

ace_flags

A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string can be a concatenation of the following strings defined in Sddl.h.

ACE flags string Constant in Sddl.h AceFlag value
"CI" SDDL_CONTAINER_INHERIT CONTAINER_INHERIT_ACE
"OI" SDDL_OBJECT_INHERIT OBJECT_INHERIT_ACE
"NP" SDDL_NO_PROPAGATE NO_PROPAGATE_INHERIT_ACE
"IO" SDDL_INHERIT_ONLY INHERIT_ONLY_ACE
"ID" SDDL_INHERITED INHERITED_ACE
"SA" SDDL_AUDIT_SUCCESS SUCCESSFUL_ACCESS_ACE_FLAG
"FA" SDDL_AUDIT_FAILURE FAILED_ACCESS_ACE_FLAG

 

rights

A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.

Access rights string Constant in Sddl.h Access right value

Generic access rights

"GA" SDDL_GENERIC_ALL GENERIC_ALL
"GR" SDDL_GENERIC_READ GENERIC_READ
"GW" SDDL_GENERIC_WRITE GENERIC_WRITE
"GX" SDDL_GENERIC_EXECUTE GENERIC_EXECUTE

Standard access rights

"RC" SDDL_READ_CONTROL READ_CONTROL
"SD" SDDL_STANDARD_DELETE DELETE
"WD" SDDL_WRITE_DAC WRITE_DAC
"WO" SDDL_WRITE_OWNER WRITE_OWNER

Directory service object access rights

"RP" SDDL_READ_PROPERTY ADS_RIGHT_DS_READ_PROP
"WP" SDDL_WRITE_PROPERTY ADS_RIGHT_DS_WRITE_PROP
"CC" SDDL_CREATE_CHILD ADS_RIGHT_DS_CREATE_CHILD
"DC" SDDL_DELETE_CHILD ADS_RIGHT_DS_DELETE_CHILD
"LC" SDDL_LIST_CHILDREN ADS_RIGHT_ACTRL_DS_LIST
"SW" SDDL_SELF_WRITE ADS_RIGHT_DS_SELF
"LO" SDDL_LIST_OBJECT ADS_RIGHT_DS_LIST_OBJECT
"DT" SDDL_DELETE_TREE ADS_RIGHT_DS_DELETE_TREE
"CR" SDDL_CONTROL_ACCESS ADS_RIGHT_DS_CONTROL_ACCESS

File access rights

"FA" SDDL_FILE_ALL FILE_ALL_ACCESS
"FR" SDDL_FILE_READ FILE_GENERIC_READ
"FW" SDDL_FILE_WRITE FILE_GENERIC_WRITE
"FX" SDDL_FILE_EXECUTE FILE_GENERIC_EXECUTE

Registry key access rights

"KA" SDDL_KEY_ALL KEY_ALL_ACCESS
"KR" SDDL_KEY_READ KEY_READ
"KW" SDDL_KEY_WRITE KEY_WRITE
"KX" SDDL_KEY_EXECUTE KEY_EXECUTE

Mandatory label rights

"NR"SDDL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_WRITE_UP
"NW"SDDL_NO_READ_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP
"NX"SDDL_NO_EXECUTE_UPSYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP

 

object_guid

A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE. The GUID string uses the format returned by the UuidToString function.

The following table lists some commonly used object GUIDs.

Rights and GUIDPermission
CR;ab721a53-1e2f-11d0-9819-00aa0040529b Change password
CR;00299570-246d-11d0-a768-00aa006e0529 Reset password

 

inherit_object_guid

A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure. The GUID string uses the UuidToString format.

account_sid

SID string that identifies the trustee of the ACE.

 

The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, which indicates that none of the ACE flags are set.

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)

The ACE string shown above describes the following ACE information.

AceType:       0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags:      0x00
Access Mask:   0x100e003f
                    READ_CONTROL
                    WRITE_DAC
                    WRITE_OWNER
                    GENERIC_ALL
                    Other access rights(0x0000003f)
Ace Sid      : (S-1-0-0)

For more information, see Security Descriptor String Format and SID Strings.

Send comments about this topic to Microsoft

Build date: 9/11/2009

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
Straight Forward for SysAdmins      Khallaf   |   Edit   |   Show History
View/Edit Windows Services System-Level Security
sc.exe sdshow
or
sc.exe sdset
Tags What's this?: Add a tag
Flag as ContentBug
Page view tracker