
ACE Strings

The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a security descriptor string.

As shown in the Security Descriptor String Format examples, each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).


ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Fields

ace_type

A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string can be one of the following strings defined in Sddl.h.

ACE type string   Constant in Sddl.h            AceType value
"A"               SDDL_ACCESS_ALLOWED           ACCESS_ALLOWED_ACE_TYPE
"D"               SDDL_ACCESS_DENIED            ACCESS_DENIED_ACE_TYPE
"OA"              SDDL_OBJECT_ACCESS_ALLOWED    ACCESS_ALLOWED_OBJECT_ACE_TYPE
"OD"              SDDL_OBJECT_ACCESS_DENIED     ACCESS_DENIED_OBJECT_ACE_TYPE
"AU"              SDDL_AUDIT                    SYSTEM_AUDIT_ACE_TYPE
"AL"              SDDL_ALARM                    SYSTEM_ALARM_ACE_TYPE
"OU"              SDDL_OBJECT_AUDIT             SYSTEM_AUDIT_OBJECT_ACE_TYPE
"OL"              SDDL_OBJECT_ALARM             SYSTEM_ALARM_OBJECT_ACE_TYPE
"ML"              SDDL_MANDATORY_LABEL          SYSTEM_MANDATORY_LABEL_ACE_TYPE


Note  If ace_type is ACCESS_ALLOWED_OBJECT_ACE_TYPE and neither object_guid nor inherit_object_guid has a GUID specified, then ConvertStringSecurityDescriptorToSecurityDescriptor converts ace_type to ACCESS_ALLOWED_ACE_TYPE.

ace_flags

A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string can be a concatenation of the following strings defined in Sddl.h.

ACE flags string   Constant in Sddl.h        AceFlag value
"CI"               SDDL_CONTAINER_INHERIT    CONTAINER_INHERIT_ACE
"OI"               SDDL_OBJECT_INHERIT       OBJECT_INHERIT_ACE
"NP"               SDDL_NO_PROPAGATE         NO_PROPAGATE_INHERIT_ACE
"IO"               SDDL_INHERIT_ONLY         INHERIT_ONLY_ACE
"ID"               SDDL_INHERITED            INHERITED_ACE
"SA"               SDDL_AUDIT_SUCCESS        SUCCESSFUL_ACCESS_ACE_FLAG
"FA"               SDDL_AUDIT_FAILURE        FAILED_ACCESS_ACE_FLAG


rights

A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.

Access rights string   Constant in Sddl.h        Access right value

Generic access rights

"GA"                   SDDL_GENERIC_ALL          GENERIC_ALL
"GR"                   SDDL_GENERIC_READ         GENERIC_READ
"GW"                   SDDL_GENERIC_WRITE        GENERIC_WRITE
"GX"                   SDDL_GENERIC_EXECUTE      GENERIC_EXECUTE

Standard access rights

"RC"                   SDDL_READ_CONTROL         READ_CONTROL
"SD"                   SDDL_STANDARD_DELETE      DELETE
"WD"                   SDDL_WRITE_DAC            WRITE_DAC
"WO"                   SDDL_WRITE_OWNER          WRITE_OWNER

Directory service object access rights

"RP"                   SDDL_READ_PROPERTY        ADS_RIGHT_DS_READ_PROP
"WP"                   SDDL_WRITE_PROPERTY       ADS_RIGHT_DS_WRITE_PROP
"CC"                   SDDL_CREATE_CHILD         ADS_RIGHT_DS_CREATE_CHILD
"DC"                   SDDL_DELETE_CHILD         ADS_RIGHT_DS_DELETE_CHILD
"LC"                   SDDL_LIST_CHILDREN        ADS_RIGHT_ACTRL_DS_LIST
"SW"                   SDDL_SELF_WRITE           ADS_RIGHT_DS_SELF
"LO"                   SDDL_LIST_OBJECT          ADS_RIGHT_DS_LIST_OBJECT
"DT"                   SDDL_DELETE_TREE          ADS_RIGHT_DS_DELETE_TREE
"CR"                   SDDL_CONTROL_ACCESS       ADS_RIGHT_DS_CONTROL_ACCESS

File access rights

"FA"                   SDDL_FILE_ALL             FILE_ALL_ACCESS
"FR"                   SDDL_FILE_READ            FILE_GENERIC_READ
"FW"                   SDDL_FILE_WRITE           FILE_GENERIC_WRITE
"FX"                   SDDL_FILE_EXECUTE         FILE_GENERIC_EXECUTE

Registry key access rights

"KA"                   SDDL_KEY_ALL              KEY_ALL_ACCESS
"KR"                   SDDL_KEY_READ             KEY_READ
"KW"                   SDDL_KEY_WRITE            KEY_WRITE
"KX"                   SDDL_KEY_EXECUTE          KEY_EXECUTE

Mandatory label rights

"NR"                   SDDL_NO_READ_UP           SYSTEM_MANDATORY_LABEL_NO_READ_UP
"NW"                   SDDL_NO_WRITE_UP          SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
"NX"                   SDDL_NO_EXECUTE_UP        SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP


object_guid

A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE. The GUID string uses the format returned by the UuidToString function.

The following table lists some commonly used object GUIDs.

Rights and GUID                                 Permission
CR;ab721a53-1e2f-11d0-9819-00aa0040529b         Change password
CR;00299570-246d-11d0-a768-00aa006e0529         Reset password


inherit_object_guid

A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure. The GUID string uses the UuidToString format.

account_sid

A SID string that identifies the trustee of the ACE.

The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, which indicates that none of the ACE flags are set.

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)

The ACE string shown above describes the following ACE information.

AceType:       0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags:      0x00
Access Mask:   0x100e003f
                    READ_CONTROL
                    WRITE_DAC
                    WRITE_OWNER
                    GENERIC_ALL
                    Other access rights (0x0000003f)
AceSid:        S-1-0-0
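The following parser is an added example and is not code from the original page or from Microsoft; it applies the field order, token tables and the ACCESS_ALLOWED_OBJECT_ACE_TYPE conversion note given above to an ACE string and recomputes the 0x100e003f mask of the example. The numeric bit values come from winnt.h and iads.h; the table names (ACE_TYPES, ACE_FLAGS, RIGHTS) and the functions parse_ace, parse_ace_list and describe_mask are this example's own. It goes slightly beyond the single example by also splitting a run of ACEs such as the DACL body of an sc sdshow string.

```python
"""Added example (not Microsoft's code): parse SDDL ACE strings into their six
fields and fold the two-letter rights tokens into an access mask.
"""
import re

# ace_type tokens -> AceType names (table on this page).
ACE_TYPES = {
    "A": "ACCESS_ALLOWED_ACE_TYPE", "D": "ACCESS_DENIED_ACE_TYPE",
    "OA": "ACCESS_ALLOWED_OBJECT_ACE_TYPE", "OD": "ACCESS_DENIED_OBJECT_ACE_TYPE",
    "AU": "SYSTEM_AUDIT_ACE_TYPE", "AL": "SYSTEM_ALARM_ACE_TYPE",
    "OU": "SYSTEM_AUDIT_OBJECT_ACE_TYPE", "OL": "SYSTEM_ALARM_OBJECT_ACE_TYPE",
    "ML": "SYSTEM_MANDATORY_LABEL_ACE_TYPE",
}
# ace_flags tokens -> AceFlags bit values (winnt.h).  Note that "FA" here is
# FAILED_ACCESS_ACE_FLAG; the same token in the rights field is FILE_ALL_ACCESS,
# which is why each field is decoded with its own table.
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08,
             "ID": 0x10, "SA": 0x40, "FA": 0x80}
# rights tokens -> access-mask bit values (winnt.h / iads.h).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "RP": 0x10, "WP": 0x20, "CC": 0x01, "DC": 0x02, "LC": 0x04,
    "SW": 0x08, "LO": 0x80, "DT": 0x40, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "NR": 0x2, "NW": 0x1, "NX": 0x4,
}
# Names used by describe_mask for the generic and standard bits.
STANDARD_GENERIC = [("RC", "READ_CONTROL"), ("SD", "DELETE"), ("WD", "WRITE_DAC"),
                    ("WO", "WRITE_OWNER"), ("GA", "GENERIC_ALL"), ("GR", "GENERIC_READ"),
                    ("GW", "GENERIC_WRITE"), ("GX", "GENERIC_EXECUTE")]


def split_tokens(field, table, what):
    """Split a concatenation of two-letter tokens and reject anything unknown."""
    if len(field) % 2:
        raise ValueError(f"{what} field {field!r} is not a run of two-letter tokens")
    tokens = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [t for t in tokens if t not in table]
    if unknown:
        raise ValueError(f"unknown {what} token(s) {unknown} in {field!r}")
    return tokens


def parse_ace(ace):
    """Parse '(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)'."""
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError(f"ACE string must be enclosed in parentheses: {ace!r}")
    fields = ace[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 semicolon-separated fields, got {len(fields)}: {ace!r}")
    ace_type, flags, rights, object_guid, inherit_guid, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ace_type {ace_type!r}")
    # Note on this page: OA with neither GUID specified is converted to A.
    if ace_type == "OA" and not object_guid and not inherit_guid:
        ace_type = "A"
    flag_value = 0
    for token in (split_tokens(flags, ACE_FLAGS, "ace_flags") if flags else []):
        flag_value |= ACE_FLAGS[token]
    if rights.lower().startswith("0x"):        # hexadecimal form, e.g. "0x7800003F"
        mask = int(rights, 16)
    else:                                      # concatenated rights tokens
        mask = 0
        for token in (split_tokens(rights, RIGHTS, "rights") if rights else []):
            mask |= RIGHTS[token]
    # The trustee is kept verbatim: either an S-1-... SID or a two-letter SID
    # alias such as "AU" (see the SID Strings page); aliases are not expanded here.
    return {"ace_type": ACE_TYPES[ace_type], "ace_flags": flag_value,
            "access_mask": mask, "object_guid": object_guid or None,
            "inherit_object_guid": inherit_guid or None, "account_sid": sid}


_ACE_RE = re.compile(r"\([^()]*\)")


def parse_ace_list(acl_body):
    """Parse every '(...)' ACE in a DACL/SACL body such as '(A;;RC;;;AU)(A;;RC;;;BA)'."""
    return [parse_ace(m.group(0)) for m in _ACE_RE.finditer(acl_body)]


def describe_mask(mask):
    """Name the standard/generic bits in mask; return (names, remaining object-specific bits)."""
    names, remaining = [], mask
    for token, name in STANDARD_GENERIC:
        bit = RIGHTS[token]
        if mask & bit == bit:
            names.append(name)
            remaining &= ~bit
    return names, remaining


if __name__ == "__main__":
    ace = parse_ace("(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)")   # the page's example
    names, other = describe_mask(ace["access_mask"])
    print(ace["ace_type"], hex(ace["access_mask"]), names, hex(other))
```

Running the block prints the same decomposition the page gives: ACCESS_ALLOWED_ACE_TYPE, mask 0x100e003f, the four named standard/generic rights, and 0x3f left over as object-specific bits.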

For more information, see Security Descriptor String Format and SID Strings.

Build date: 11/15/2011

Community Content

not an account_sid
In this example from sc sdshow:

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

the account_sid field has AU. What does that mean? The only AU described here is SYSTEM_AUDIT_ACE_TYPE. All of the ACEs here are like that.

Answer: Here "AU" is not the ACE type (SYSTEM_AUDIT_ACE_TYPE) but the trustee "Authenticated users" (SECURITY_AUTHENTICATED_USER_RID).
Service ACE strings

ACE strings for services:

CC      SERVICE_QUERY_CONFIG
DC      SERVICE_CHANGE_CONFIG
LC      SERVICE_QUERY_STATUS
SW      SERVICE_ENUMERATE_DEPENDENTS

RP      SERVICE_START
WP      SERVICE_STOP
DT      SERVICE_PAUSE_CONTINUE
LO      SERVICE_INTERROGATE
CR      SERVICE_USER_DEFINED_CONTROL
SD      DELETE
RC      READ_CONTROL
WD      WRITE_DAC
WO      WRITE_OWNER

Is this reversed (NR, NW)?

Why does NR stand for NO_WRITE_UP and NW for NO_READ_UP?

"NR"    SDDL_NO_WRITE_UP    SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
"NW"    SDDL_NO_READ_UP     SYSTEM_MANDATORY_LABEL_NO_READ_UP

Straightforward for SysAdmins

View/edit Windows services system-level security:

sc.exe sdshow

or

sc.exe sdset