
2.5.1.1 Syntax

An SDDL string is a single sequence of characters. The format may be ANSI or Unicode; the actual protocol MUST specify the character set that is used. Regardless of the character set used, the possible characters that may be used are alphanumeric and punctuation.

The format for an SDDL string is described by the following ABNF (as specified in [RFC5234]) grammar, where the elements are as shown here.<65>

sddl = [owner-string]  [group-string]  [dacl-string]  [sacl-string]

owner-string = "O:"  sid-string

group-string = "G:"  sid-string

dacl-string = "D:"  [acl-flag-string]  [aces]

sacl-string = "S:"  [acl-flag-string]  [aces]

sid-string = sid-token / sid-value

sid-value = SID ; defined in section 2.4.2.1

sid-token = "DA" / "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" /
            "LA" / "LG" / "AO" / "BO" / "PO" / "SO" / "AU" / "PS" / "CO" / "CG" / "SY" /
            "PU" / "WD" / "RE" / "IU" / "NU" / "SU" / "RC" / "WR" / "AN" / "SA" / "CA" /
            "RS" / "EA" / "PA" / "RU" / "LS" / "NS" / "RD" / "NO" / "MU" / "LU" / "IS" /
            "CY" / "OW" / "ER" / "RO" / "CD" / "AC" / "RA" / "ES" / "MS" / "UD" / "HA" /
            "CN" / "AA" / "RM" / "LW" / "ME" / "MP" / "HI" / "SI"

acl-flag-string = *acl-flag

acl-flag = "P" / "AR" / "AI"

aces = *(ace / conditional-ace / resource-attribute-ace)

ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" 
[object-guid] ";" [inherit-object-guid] ";" sid-string ")"

ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"

conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights 
";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"

conditional-ace-type = "XA" / "XD" / "ZA" / "XU"

central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid")"

capid-value-sid = "S-1-17-" 1*SubAuthority 
  ; SubAuthority defined in section 2.4.2.1   

resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / 
"S-1-1-0" ) ";(" attribute-data "))"

attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / 
TD-attr / TX-attr / TB-attr )

TI-attr = "TI" "," attr-flags *("," int-64)

TU-attr = "TU" "," attr-flags *("," uint-64)

TS-attr = "TS" "," attr-flags *("," char-string)

TD-attr = "TD" "," attr-flags *("," sid-string)

TX-attr = "TX" "," attr-flags *("," octet-string)

TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )

attr-flags = "0x" ([*4HEXDIG  "00"] sys-attr-flags / *"0" sys-attr-flags / 
*"0" HEXDIG)

sys-attr-flags = ( "0"/ "1" / "2" / "3" ) HEXDIG

ace-flag-string = ace-flag  ace-flag-string / ""

ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"

ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / 
(1*DIGIT )
  ; numeric values must fit within 64 bits

text-rights-string = generic-rights-string / standard-rights-string / 
object-specific-rights-string

generic-rights-string = generic-right generic-rights-string / ""

generic-right = "GA" / "GW" / "GR" / "GX"

standard-rights-string = standard-right standard-rights-string / ""

standard-right = "WO" / "WD" / "RC" / "SD"

object-specific-rights-string = object-specific-right object-specific-rights-string / ""

object-specific-right = <any object-specific right, for objects like files, 
registry keys, directory objects, and others>

guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG

; The second option is the GUID of the object in the form 
; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Where each "X" is a Hex digit

object-guid = guid

inherit-object-guid = guid

wspace = 1*(%x09-0D / %x20)

term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name 
/ rel-op2) [wspace]

cond-expr = term / term [wspace] ("||" / "&&" ) [wspace] cond-expr / (["!"] [wspace] 
"(" cond-expr ")")

memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / 
"Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / 
"Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array

exists-op = ( "Exists" / "Not_exists") wspace attr-name

rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) 
  ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] ( attr-name2 / value-array )
  ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)

anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)

attr-name1 = attr-char1 *(attr-char1 / "@")              
  ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")

attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 
  ; new prefixed name form

attr-char2 = attr-char1 / lit-char

attr-name = attr-name1 / attr-name2                       
  ; either name form

sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace]) "}"

literal-SID = "SID(" sid-string ")"

value-array = value [wspace] / "{" [wspace] value [wspace] *("," [wspace] value [wspace]) "}"

value = int-64 / char-string / octet-string

int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT
  ; values must fit within 64 bits in two’s complement form

uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT  
  ; values must fit within 64 bits

char-string = DQUOTE *(CHAR) DQUOTE

octet-string = "#" *(2HEXDIG)

lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / 
"@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / 
( "%" 4HEXDIG)
  ; 4HEXDIG can have any value except 0000 (NULL)
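The grammar above is small enough to implement directly. The following Python is an added worked example, not part of MS-DTYP: it parses an SDDL string into owner, group, DACL and SACL, separates the acl-flag-string from the ACEs by tracking parenthesis depth (a conditional or resource-attribute ACE carries nested parentheses, semicolons and quoted strings in its last field, so a naive split on ")(" or ";" mis-parses exactly the ACE types with the most logic in them), and checks each ACE field against its production: ace-type, ace-flag-string, the four spellings of ace-rights, GUID shape and sid-string. All function names are the example's own, and SAMPLE is a constructed string.

```python
"""Parser for the SDDL grammar above (added example, not MS-DTYP's own code).
Each ACE field is checked against its production; ace-rights is kept verbatim."""
import csv, re

SID_TOKENS = set("""DA DG DU ED DD DC BA BG BU LA LG AO BO PO SO AU PS CO CG SY PU WD RE IU
NU SU RC WR AN SA CA RS EA PA RU LS NS RD NO MU LU IS CY OW ER RO CD AC RA ES MS UD HA CN
AA RM LW ME MP HI SI""".split())
ACE_TYPES = {"A", "D", "OA", "OD", "AU", "OU", "ML", "SP", "XA", "XD", "ZA", "XU", "RA"}
ACE_FLAGS = {"CI", "OI", "NP", "IO", "ID", "SA", "FA"}
ACL_FLAGS = ("AR", "AI", "P")            # two-letter flags first so "P" cannot shadow them
ATTR_TYPES = {"TI", "TU", "TS", "TD", "TX", "TB"}
SID_VALUE = re.compile(r"S-1-\d+(?:-\d+)+")
GUID = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
RIGHTS = re.compile(r"0x[0-9A-Fa-f]{1,8}|0[0-7]+|[0-9]+|(?:[A-Z]{2})*")  # the four ace-rights forms

def _depths(text):
    """Parenthesis depth just outside each character; quotes hide parentheses."""
    out, depth, in_str = [], 0, False
    for ch in text:
        if ch == ")" and not in_str:
            depth -= 1
        out.append(depth)
        if ch == '"':
            in_str = not in_str
        elif ch == "(" and not in_str:
            depth += 1
    if depth or in_str or min(out, default=0) < 0:
        raise ValueError("unbalanced parentheses or quotes in %r" % text)
    return out

def _sections(text):
    """Split on "O:", "G:", "D:", "S:" that appear outside parentheses and strings."""
    d = _depths(text)
    marks = [i for i in range(len(text) - 1) if d[i] == 0 and text[i] in "OGDS" and text[i + 1] == ":"]
    if (marks and marks[0] != 0) or (text and not marks):
        raise ValueError("SDDL must begin with O:, G:, D: or S:")
    keys = [text[i] for i in marks]
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate section in %r" % text)
    bounds = marks + [len(text)]
    return {k: text[a + 2:b] for k, a, b in zip(keys, bounds, bounds[1:])}

def _ace_bodies(text):
    d = _depths(text)       # top-level "(...)" groups; nesting comes from cond-expr or attribute-data
    top = [(i, ch) for i, ch in enumerate(text) if d[i] == 0]
    if any(ch not in "()" for _, ch in top):
        raise ValueError("text outside ACEs in %r" % text)
    opens = [i for i, ch in top if ch == "("]
    closes = [i for i, ch in top if ch == ")"]
    return [text[a + 1:b] for a, b in zip(opens, closes)]

def _tokens(field, allowed):
    toks = [field[i:i + 2] for i in range(0, len(field), 2)]   # e.g. an ace-flag-string
    if len(field) % 2 or not set(toks) <= allowed:
        raise ValueError("bad token string %r" % field)
    return toks

def _sid(field):
    if field in SID_TOKENS or SID_VALUE.fullmatch(field):
        return field
    raise ValueError("bad sid-string %r" % field)

def parse_ace(body):
    """Parse the text between an ACE's outer parentheses into a dict."""
    f = body.split(";", 6)      # a seventh field (cond-expr / attribute-data) may contain ';'
    if len(f) < 6 or f[0] not in ACE_TYPES or not RIGHTS.fullmatch(f[2]) \
            or any(g and not GUID.fullmatch(g) for g in f[3:5]):
        raise ValueError("malformed ACE %r" % body)
    ace = {"type": f[0], "flags": _tokens(f[1], ACE_FLAGS), "rights": f[2],
           "object_guid": f[3] or None, "inherit_object_guid": f[4] or None, "sid": _sid(f[5])}
    extra = f[6] if len(f) == 7 else None
    inner = extra[1:-1] if extra and extra[0] == "(" and extra[-1] == ")" else None
    if f[0] in ("XA", "XD", "ZA", "XU", "RA") and inner is None:
        raise ValueError("%s ACE needs a parenthesized seventh field" % f[0])
    if f[0] in ("XA", "XD", "ZA", "XU"):
        ace["condition"] = inner                      # raw text for a cond-expr parser
    elif f[0] == "RA":
        name, kind, flags, *values = next(csv.reader([inner]))   # attribute-data is CSV-shaped
        if f[5] not in ("WD", "S-1-1-0") or kind not in ATTR_TYPES:
            raise ValueError("RA ACE needs Everyone as trustee and a known attribute type")
        ace["attribute"] = {"name": name, "type": kind, "flags": int(flags, 16), "values": values}
    elif extra is not None:
        raise ValueError("%s ACE has an unexpected seventh field" % f[0])
    return ace

def _acl(text):
    flags = []              # "[acl-flag-string][aces]", the part after "D:" or "S:"
    while text.startswith(ACL_FLAGS):
        flags.append(next(t for t in ACL_FLAGS if text.startswith(t)))
        text = text[len(flags[-1]):]
    return {"flags": flags, "aces": [parse_ace(b) for b in _ace_bodies(text)]}

def parse_sddl(text):
    """Parse a complete SDDL string; raises ValueError on anything off-grammar."""
    s = _sections(text)
    return {name: fn(s[k]) for k, name, fn in (("O", "owner", _sid), ("G", "group", _sid),
                                                ("D", "dacl", _acl), ("S", "sacl", _acl)) if k in s}

# Constructed sample: protected DACL with allow, deny, conditional and resource-attribute ACEs, plus a SACL.
SAMPLE = ('O:BAG:SYD:PAI(A;OICI;FA;;;BA)(D;;WD;;;AN)'
          '(XA;;FR;;;AU;(@User.Title=="PM" && Member_of {SID(BA), SID(S-1-5-21-1-2-3-513)}))'
          '(RA;CI;;;;WD;("Project",TS,0x0,"Windows","SQL"))S:(AU;SAFA;WDWO;;;WD)')
```

The ace-rights field is returned verbatim and a conditional ACE's cond-expr as raw text, since each has its own sub-grammar. Everything off-grammar raises rather than yielding a partial result: a security descriptor that half-parses is more dangerous than one that is rejected, because the ACEs that were dropped are usually the deny or audit entries at the end of the string.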


sid-token: An abbreviated form of a well-known SID, per the following table.

SDDL alias   Well-Known SID name
----------   -----------------------------------------
"DA"         DOMAIN_ADMINS
"DG"         DOMAIN_GUESTS
"DU"         DOMAIN_USERS
"ED"         ENTERPRISE_DOMAIN_CONTROLLERS
"DD"         DOMAIN_DOMAIN_CONTROLLERS
"DC"         DOMAIN_COMPUTERS
"BA"         BUILTIN_ADMINISTRATORS
"BG"         BUILTIN_GUESTS
"BU"         BUILTIN_USERS
"LA"         ADMINISTRATOR
"LG"         GUEST
"AO"         ACCOUNT_OPERATORS
"BO"         BACKUP_OPERATORS
"PO"         PRINTER_OPERATORS
"SO"         SERVER_OPERATORS
"AU"         AUTHENTICATED_USERS
"PS"         PRINCIPAL_SELF
"CO"         CREATOR_OWNER
"CG"         CREATOR_GROUP
"SY"         LOCAL_SYSTEM
"PU"         POWER_USERS
"WD"         EVERYONE
"RE"         REPLICATOR
"IU"         INTERACTIVE
"NU"         NETWORK
"SU"         SERVICE
"RC"         RESTRICTED_CODE
"WR"         WRITE_RESTRICTED_CODE
"AN"         ANONYMOUS
"SA"         SCHEMA_ADMINISTRATORS
"CA"         CERT_PUBLISHERS
"RS"         RAS_SERVERS
"EA"         ENTERPRISE_ADMINS
"PA"         GROUP_POLICY_CREATOR_OWNER
"RU"         ALIAS_PREW2KCOMPACC
"LS"         LOCAL_SERVICE
"NS"         NETWORK_SERVICE
"RD"         REMOTE_DESKTOP
"NO"         NETWORK_CONFIGURATION_OPS
"MU"         PERFMON_USERS
"LU"         PERFLOG_USERS
"IS"         IIS_USERS
"CY"         CRYPTO_OPERATORS
"OW"         OWNER_RIGHTS
"ER"         EVENT_LOG_READERS
"RO"         ENTERPRISE_READONLY_DOMAIN_CONTROLLERS
"CD"         CERTSVC_DCOM_ACCESS
"AC"         ALL_APP_PACKAGES
"RA"         REMOTE_ACCESS_SERVERS
"ES"         RDS_ENDPOINT_SERVERS
"MS"         RDS_MANAGEMENT_SERVERS
"UD"         USER_MODE_DRIVERS
"HA"         HYPER_V_ADMINS
"CN"         CLONEABLE_CONTROLLERS
"AA"         ACCESS_CONTROL_ASSISTANCE_OPS
"RM"         REMOTE_MANAGEMENT_USERS
"LW"         ML_LOW
"ME"         ML_MEDIUM
"MP"         ML_MEDIUM_PLUS
"HI"         ML_HIGH
"SI"         ML_SYSTEM

acl-flag: Flags for the ACL being processed, taken from the SECURITY_DESCRIPTOR Control field (section 2.4.6); which bit a string names depends on whether it follows "D:" or "S:". "P" is PD (SE_DACL_PROTECTED) or PS (SE_SACL_PROTECTED), which stops ACEs from the parent object being inherited into this ACL; "AR" is DC (SE_DACL_AUTO_INHERIT_REQ) or SC (SE_SACL_AUTO_INHERIT_REQ); and "AI" is DI (SE_DACL_AUTO_INHERITED) or SI (SE_SACL_AUTO_INHERITED).

ace-type: String that indicates the type of ACE that is being presented.

String   ACE type
------   ---------------------
"A"      Access Allowed
"D"      Access Denied
"AU"     Audit
"OA"     Object Access Allowed
"OD"     Object Access Denied
"OU"     Object Audit
"ML"     Mandatory Label
"SP"     Central Policy ID

conditional-ace-type: String that indicates the type of SDDL-supported conditional ACE that is being presented.<66>

String   ACE type                        Numeric value
------   ------------------------------  -------------
"XA"     Access Allowed Callback         0x9
"XD"     Access Denied Callback          0xA
"XU"     Access Allowed Object Callback  0xB
"ZA"     Audit Callback                  0xD

central-policy-ace: An ACE type that identifies a central policy to be applied to the resource. Also called a SYSTEM_SCOPED_POLICY_ID ACE (see section 2.4.4.16).<67>

capid-value-sid: A SID with an Authority value of 17 that refers to a CentralAccessPolicy within a CentralAccessPolicysList ([MS-GPCAP] section 3.2.1.2).<68>

resource-attribute-ace: An ACE type that defines a resource attribute (sometimes referred to as a resource property or resource claim.) See section 2.4.4.15.<69>

attribute-data: A string specifying the name of a resource attribute and data defining the type and value of the attribute. A resource attribute type can be identified with one of the following strings:<70>

String   Resource Attribute Type
------   ---------------------------------------------------------
"TI"     64-bit integer
"TU"     Unsigned 64-bit integer
"TS"     String of Unicode characters
"TD"     A SID in string form
"TX"     A string of single-byte (octet) values
"TB"     A Boolean value, represented by "1" (True) or "0" (False)

attr-flags: A 32-bit number containing the flag values of a resource attribute. Bits 16 through 31 are available for custom values; bits 0 through 15 are specified by sys-attr-flags.

sys-attr-flags: A two-byte integer that MAY be zero or any combination of the hexadecimal flag values of the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structure (section 2.4.10.1).

ace-flag-string: A set of ACE flags that define the behavior of the ACE. The strings correlate exactly to the flags as specified in section 2.4.4.1.

generic-rights-string: A set of generic user rights used to perform generic mappings to object-specific rights.

String   Access right      Hex value
------   ---------------   ----------
"GR"     Generic Read      0x80000000
"GW"     Generic Write     0x40000000
"GX"     Generic Execute   0x20000000
"GA"     Generic All       0x10000000

standard-rights-string: A set of SDDL-supported standard user rights.

String   Access right   Hex value
------   ------------   ----------
"WO"     Write Owner    0x00080000
"WD"     Write DAC      0x00040000
"RC"     Read Control   0x00020000
"SD"     Delete         0x00010000

object-specific-rights-string: A set of object-specific rights; some common ones are shown, but the reader should consult a specific protocol for applicable values, if any, in that protocol.

String   Object type        Access right      Hex value
------   ----------------   ---------------   ----------
"FA"     File               File All Access   0x001F01FF
"FX"     File               File Execute      0x001200A0
"FW"     File               File Write        0x00120116
"FR"     File               File Read         0x00120089
"KA"     Registry Key       Key All Access    0x000F003F
"KR"     Registry Key       Key Read          0x00020019
"KX"     Registry Key       Key Execute       0x00020019
"KW"     Registry Key       Key Write         0x00020006
"CR"     Directory Object   Control Access    0x00000100
"LO"     Directory Object   List Object       0x00000080
"DT"     Directory Object   Delete Tree       0x00000040
"WP"     Directory Object   Write Property    0x00000020
"RP"     Directory Object   Read Property     0x00000010
"SW"     Directory Object   Self Write        0x00000008
"LC"     Directory Object   List Children     0x00000004
"DC"     Directory Object   Delete Child      0x00000002
"CC"     Directory Object   Create Child      0x00000001
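The hex values in the three rights tables are what a tool needs to turn the text form of ace-rights back into an ACCESS_MASK, and to render a mask it reads from a binary descriptor. The following Python is an added example, not MS-DTYP code; its tables are taken from the rows above (the registry rows are the winnt.h KEY_ALL_ACCESS, KEY_READ, KEY_EXECUTE and KEY_WRITE masks). It accepts all four spellings of ace-rights from the grammar (a token run, "0x" hex, leading-zero octal, decimal), enforces the 32-bit ACCESS_MASK width, and decomposes a mask greedily back into tokens, reporting any bits that have no token. Function names and the object-type labels "file", "key" and "ds" are the example's own.

```python
"""Encode and decode the ace-rights field from the three tables above (added example,
not MS-DTYP code). Registry values are the winnt.h KEY_ALL_ACCESS/KEY_READ/KEY_EXECUTE/KEY_WRITE masks."""

GENERIC = {"GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000}
STANDARD = {"WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000}
OBJECT_SPECIFIC = {
    "file": {"FA": 0x001F01FF, "FX": 0x001200A0, "FW": 0x00120116, "FR": 0x00120089},
    "key": {"KA": 0x000F003F, "KR": 0x00020019, "KX": 0x00020019, "KW": 0x00020006},
    "ds": {"CR": 0x100, "LO": 0x80, "DT": 0x40, "WP": 0x20, "RP": 0x10,
           "SW": 0x08, "LC": 0x04, "DC": 0x02, "CC": 0x01},
}
ACCESS_MASK_BITS = 32     # the grammar allows 64-bit numerals, but an ACCESS_MASK (2.4.3) is 32 bits


def rights_to_mask(field, object_type):
    """ace-rights text -> ACCESS_MASK. Accepts a run of two-letter tokens or one of the three
    numeric spellings of the grammar: "0x" hex, leading-zero octal, or decimal."""
    table = {**GENERIC, **STANDARD, **OBJECT_SPECIFIC[object_type]}
    if field == "":
        return 0
    if field[0].isdigit():
        if field[:2].lower() == "0x":
            value = int(field[2:], 16)
        elif len(field) > 1 and field[0] == "0":
            value = int(field[1:], 8)
        else:
            value = int(field, 10)
        if value >> ACCESS_MASK_BITS:
            raise ValueError("%s does not fit in a 32-bit ACCESS_MASK" % field)
        return value
    if len(field) % 2:
        raise ValueError("rights tokens are two letters each: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        tok = field[i:i + 2]
        if tok not in table:
            raise ValueError("%r is not a right for %s objects" % (tok, object_type))
        mask |= table[tok]
    return mask


def mask_to_rights(mask, object_type):
    """ACCESS_MASK -> (token run, residual bits). Greedy: the object-specific composite with the
    most bits first, then standard and generic bits. A non-zero residual means the mask has no
    exact textual form and must be written numerically ("0x...")."""
    tokens, left = [], mask
    composites = sorted(OBJECT_SPECIFIC[object_type].items(), key=lambda kv: -bin(kv[1]).count("1"))
    for tok, bits in composites:
        if (left & bits) == bits:
            tokens.append(tok)
            left &= ~bits
    for tok, bits in {**STANDARD, **GENERIC}.items():
        if left & bits:
            tokens.append(tok)
            left &= ~bits
    return "".join(tokens), left
```

Two points to keep in mind when using these tables. First, the token set is per object type: "KA" in a file DACL or "FA" on a registry key is a parse error, not a mask. Second, several two-letter strings recur across fields with different meanings: "WD" is Write DAC here but Everyone as a sid-token, "RC" is Read Control here but Restricted Code as a SID, "SA" and "FA" are ace-flags as well as a SID and a right, and "DC" is Delete Child here but Domain Computers as a SID. The meaning is fixed by the field position, so a converter must look a token up only in the table for the field it sits in. Decomposition is also not unique: 0x001200A9 (read plus execute on a file) comes back as "FR" with a residual 0x20 that has no token, so a mask like that has to be written numerically.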

term: A string specifying a stand-alone logical expression, which is the simplest form of conditional expression, or a part of a more complex conditional expression.

cond-expr: A conditional expression in textual form. Conditional expressions are specified in section 2.4.4.17.

memberof-op: A string identifying a Member_of type of operator as described in section 2.4.4.17.6.<71>

exists-op: A string identifying an exists type operator as described in section 2.4.4.17.7.

rel-op: A string specifying a binary relational operation: an attribute name or reference, one of the relational operators "<", "<=", ">" or ">=" (without quotes) as described in section 2.4.4.17.6, and a scalar attribute name or literal value. The equality operators "==" and "!=" belong to rel-op2, because they also accept a value-array on the right-hand side.

rel-op2: A string specifying a binary relational operation for the operators that also support set comparison: an attribute name, the operator "==" or "!=", and either an attribute name or a value-array.<72>

contains-op: A string specifying a relational operator term using a Contains or Not_Contains operator.<73>

anyof-op: A string specifying a relational operator term using an Any_of or Not_Any_of operator.<74>

sid-array: A string representation of an array of SIDs: either a single literal-SID, or one or more comma-delimited literal-SIDs enclosed in "{" and "}".

literal-SID: A string specifying a literal SID. A literal-SID MUST be the string "SID" followed by a sid-string (a sid-token or a sid-value) enclosed in parentheses, for example SID(BA) or SID(S-1-5-32-544).

attr-name1: A string representing a valid attribute name in simple form.<75> An attribute name in simple form MUST NOT begin with the "@" character; its first character is an attr-char1 and the remaining characters are attr-char1 or "@". An example of an attribute in simple form is "Title" (without quotes). See section 2.5.1.2.1.

attr-name2: A string representing a valid attribute name in @Prefixed form. An attribute name is in @Prefixed form when it is prefixed with the string "@User.", "@Device.", or "@Resource." and is comprised only of characters defined by attr-char2. An example of an attribute in @Prefixed form is "@User.Title" (without quotes.) See section 2.5.1.2.2.<76>

attr-char1: A character valid for use in an attribute name in simple form. Valid characters include any ALPHA or DIGIT (as specified in [RFC5234]) or any of the following: ":", ".", "/", "_".

attr-char2: A character valid for use in an attribute name in @Prefixed form. Valid characters are the Unicode characters in the range 0x0001-0xFFFF. A character MAY be written either literally or as the five-character sequence %XXXX, where XXXX are hexadecimal digits giving the character's 16-bit Unicode value, with two exceptions:

  1. The characters "!", "&", "(", ")", ">", "<", "=", "|", "%", SP (space) and DQUOTE (as specified in [RFC5234]) MUST be written using the five-character %XXXX sequence.

  2. The characters "#", "$", "'", "*", "+", "-", ".", "/", ":", ";", "?", "@", "[", "\", "]", "^", "_", "`", "{", "}", "~" and the ASCII ranges 0x41-0x5A (A-Z), 0x61-0x7A (a-z) and 0x30-0x39 (0-9) MUST be written literally.

value-array: A string specifying an array of values: either a single value, or one or more comma-delimited values enclosed between the "{" and "}" symbols.
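The cond-expr productions form a small expression language, and a recursive-descent parser follows them almost line for line. The following Python is an added example, not MS-DTYP's code: it tokenizes the text (undoing %XXXX escapes in @Prefixed names, reading the three int-64 spellings, char-string and octet-string literals and SID(...) literals) and builds a tree of plain tuples. The ABNF above does not state a precedence between "&&" and "||", so the example assumes the C convention that "&&" binds tighter; check the operator definitions in section 2.4.4.17 before relying on that. Function names and the tuple shapes are the example's own.

```python
"""Recursive-descent parser for cond-expr (added example, not MS-DTYP's own code).
"&&" is given higher precedence than "||", as in C; the ABNF above is silent on this."""
import re

KEYWORDS = {k.lower() for k in ("Member_of", "Not_Member_of", "Member_of_Any", "Not_Member_of_Any",
            "Device_Member_of", "Device_Member_of_Any", "Not_Device_Member_of", "Not_Device_Member_of_Any",
            "Exists", "Not_exists", "Contains", "Not_Contains", "Any_of", "Not_Any_of")}
MEMBER_KW, EXISTS_KW = {k for k in KEYWORDS if "member_of" in k}, {"exists", "not_exists"}
SET_KW = {"contains", "not_contains", "any_of", "not_any_of"}     # contains-op / anyof-op
SCALAR_OPS, LIST_OPS = {"<", "<=", ">", ">="}, {"==", "!="}       # rel-op / rel-op2
TOKEN = re.compile(r'''\s*(?:
      (?P<op>&&|\|\||==|!=|<=|>=|[()!{},<>])
    | SID\((?P<sid>[^)]*)\)                                        # literal-SID
    | "(?P<str>[^"]*)"                                             # char-string
    | \#(?P<octets>(?:[0-9A-Fa-f]{2})*)                            # octet-string
    | (?P<num>[+-]?(?:0x[0-9A-Fa-f]+|0[0-7]+|[0-9]+))(?![A-Za-z0-9_.:/@])
    | (?P<name2>@(?:user|device|resource)\.(?:[A-Za-z0-9:./_\#$'*+\-;?@\[\\\]^`{}~\u0080-\uffff]|%[0-9A-Fa-f]{4})+)
    | (?P<word>[A-Za-z0-9:./_][A-Za-z0-9:./_@]*))''', re.X | re.I)  # attr-name1 or keyword

def _int(s):                     # int-64 literal: sign, then "0x" hex, leading-zero octal or decimal
    sign, d = (-1 if s[0] == "-" else 1), s.lstrip("+-")
    base = 16 if d[:2].lower() == "0x" else 8 if len(d) > 1 and d[0] == "0" else 10
    return sign * int(d[2:] if base == 16 else d, base)

def tokenize(text):              # -> [(kind, value)] with kind in op, kw, name, sid, value
    toks, pos, convert = [], 0, {"num": _int, "octets": bytes.fromhex, "str": str}
    while text[pos:].strip():
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize %r" % text[pos:pos + 12])
        pos, kind, val = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "word":
            toks.append(("kw", val.lower()) if val.lower() in KEYWORDS else ("name", val))
        elif kind == "name2":    # undo the %XXXX escapes of attr-char2
            if "%0000" in val:
                raise ValueError("%0000 (NUL) is not allowed in an attribute name")
            toks.append(("name", re.sub(r"%([0-9A-Fa-f]{4})", lambda e: chr(int(e.group(1), 16)), val)))
        elif kind in convert:
            toks.append(("value", convert[kind](val)))
        else:
            toks.append((kind, val))         # op or sid
    return toks

def parse_condition(text):
    """Parse cond-expr text into nested tuples; raises ValueError on a grammar violation."""
    toks, pos = tokenize(text) + [("end", None)], [0]
    def peek(kind, value=None):      # value may be one token or a set of acceptable tokens
        k, v = toks[pos[0]]
        ok = k == kind and (value is None or v == value or (isinstance(value, set) and v in value))
        return v if ok else None
    def take(kind, value=None):
        v = peek(kind, value)
        if v is None:
            raise ValueError("expected %s at token %d" % (value or kind, pos[0]))
        pos[0] += 1
        return v
    def array(kind):                 # x  /  "{" x *("," x) "}"
        if peek("op", "{") is None:
            return [take(kind)]
        items = [take("op") and take(kind)]
        while peek("op", ",") and take("op"):
            items.append(take(kind))
        take("op", "}")
        return items
    def operand():                   # attr-name2 / value-array
        return ("name", take("name")) if peek("name") is not None else ("values", array("value"))
    def term():
        kw = peek("kw")
        if kw in MEMBER_KW:
            return ("member", take("kw"), array("sid"))
        if kw in EXISTS_KW:
            return ("exists", take("kw"), take("name"))
        name = take("name")
        if peek("kw") in SET_KW:
            return ("rel", name, take("kw"), operand())
        op = take("op", SCALAR_OPS | LIST_OPS)
        rhs = operand()
        if op in SCALAR_OPS and rhs[0] == "values" and len(rhs[1]) != 1:
            raise ValueError("%s compares scalars only; use == or != with a value-array" % op)
        return ("rel", name, op, rhs)
    def unary():                     # ["!"] "(" cond-expr ")"  /  term
        if peek("op", "!") is None and peek("op", "(") is None:
            return term()
        negate = take("op") == "!" and take("op", "(")
        inner, _ = expr(), take("op", ")")
        return ("not", inner) if negate else inner
    def conj():
        left = unary()
        while peek("op", "&&") and take("op"):
            left = ("and", left, unary())
        return left
    def expr():
        left = conj()
        while peek("op", "||") and take("op"):
            left = ("or", left, conj())
        return left
    tree = expr()
    if toks[pos[0]][0] != "end":
        raise ValueError("unexpected %r after the expression" % (toks[pos[0]][1],))
    return tree
```

The parser rejects what the grammar rejects: a "<" comparison against a value-array (rel-op takes scalars only), a Contains or Any_of with nothing on its left, a "%0000" escape, and a lone "=". Since the expression travels as text inside the SDDL, whatever evaluates the descriptor must parse it afresh each time it is loaded; a malformed condition should fail closed, which is why every bad input raises instead of returning a partial tree.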

 
© 2014 Microsoft