Security Descriptor Definition Language for Conditional ACEs
A conditional access control entry (ACE) allows an access condition to be evaluated when an access check is performed. The security descriptor definition language (SDDL) provides syntax for defining conditional ACEs in a string format.
The SDDL for a conditional ACE is the same as for any ACE, with the syntax for the conditional statement appended to the end of the ACE string. For information about SDDL, see Security Descriptor Definition Language.
The "#" sign is synonymous with "0" in resource attributes. For example, D:AI(XA;OICI;FA;;;WD;(OctetStringType==#1#2#3##)) is equivalent to and interpreted as D:AI(XA;OICI;FA;;;WD;(OctetStringType==#01020300)).
- Conditional ACE String Format
- Conditional Expressions
- Attributes
- Operators
- Operator Precedence
- Unknown Values
- Conditional ACE Evaluation
- Examples
- Related topics
Conditional ACE String Format
Each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).
AceType**;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid;(ConditionalExpression)**
The fields are as described in ACE Strings, with the following exceptions.
The AceType field can be one of the following strings.
ACE type string Constant in Sddl.h AceType value "XA" SDDL_CALLBACK_ACCESS_ALLOWED ACCESS_ALLOWED_CALLBACK_ACE_TYPE "XD" SDDL_CALLBACK_ACCESS_DENIED ACCESS_DENIED_CALLBACK_ACE_TYPE The ACE string includes one or more conditional expressions, enclosed in parentheses at the end of the string.
Conditional Expressions
A conditional expression can include any of the following elements.
| Expression element | Description |
|---|---|
| AttributeName |
Tests whether the specified attribute has a nonzero value. |
| exists AttributeName |
Tests whether the specified attribute exists in the client context. |
| AttributeName Operator Value |
Returns the result of the specified operation. |
| ConditionalExpression**||**ConditionalExpression |
Tests whether either of the specified conditional expressions is true. |
| ConditionalExpression && ConditionalExpression |
Tests whether both of the specified conditional expressions are true. |
| !(ConditionalExpression) |
The inverse of a conditional expression. |
| Member_of{SidArray} |
Tests whether the SID_AND_ATTRIBUTES array of the client context contains all of the Security Identifiers (SIDs) in the comma-separated list specified by SidArray. For Allow ACEs, a client context SID must have the SE_GROUP_ENABLED attribute set to be considered a match. For Deny ACEs, a client context SID must have either the SE_GROUP_ENABLED or the SE_GROUP_USE_FOR_DENY_ONLY attribute set to be considered a match. The SidArray array can contain either SID strings (for example, "S-1-5-6") or SID aliases (for example, "BA" |
Attributes
An attribute represents an element in the AUTHZ_SECURITY_ATTRIBUTES_INFORMATION array in the client context. An attribute name can contain any alphanumeric characters and any of the characters ":", "/", ".", and "_".
An attribute value can be any of the following types.
| Value type | Description |
|---|---|
| Integer |
A 64-bit integer in either decimal or hexadecimal notation. |
| String |
A string value delimited by quotes. |
| SID |
SID(S-1-1-0) or SID(BA). Has to be on RHS of Member_of or Device_Member_of. |
| BLOB |
# followed by hexadecimal numbers. If length of the numbers is odd, then the # is translated to a 0 to make it even. Also an # appearing elsewhere in the value is translated to a 0. |
Operators
The following operators are defined for use in conditional expressions to test the values of attributes. All of these are binary operators and used in the form AttributeName Operator Value.
| Operator | Description |
|---|---|
| == |
Conventional definition. |
| != |
Conventional definition. |
| < |
Conventional definition. |
| <= |
Conventional definition. |
| > |
Conventional definition. |
| >= |
Conventional definition. |
| Contains |
TRUE if the value of the specified attribute is a superset of the specified value; otherwise, FALSE. |
| Any_of |
TRUE if the specified value is a superset of the value of the specified attribute; otherwise, FALSE. |
In addition, the unary operators Exists, Member_of, and negation (!) are defined as described in the Conditional Expressions table.
The "Contains" operator must be preceded and followed by white space, and the "Any_of" operator must be preceded by white space.
Operator Precedence
The operators are evaluated in the following order of precedence, with operations of equal precedence being evaluated from left to right.
- Exists, Member_of
- Contains, Any_of
- ==, !=, <, <=, >, >=
- !
- &&
- ||
In addition, any portion of a conditional expression can be enclosed in parentheses. Expressions within parentheses are evaluated first.
Unknown Values
The results of conditional expressions sometimes return a value of Unknown. For example, any of the relational operations return Unknown when the specified attribute does not exist.
The following table describes the results for a logical AND operation between two conditional expressions, ConditionalExpression1 and ConditionalExpression2.
| ConditionalExpression1 | ConditionalExpression2 | ConditionalExpression1 && ConditionalExpression2 |
|---|---|---|
| TRUE |
TRUE |
TRUE |
| TRUE |
FALSE |
FALSE |
| TRUE |
UNKNOWN |
UNKNOWN |
| FALSE |
TRUE |
FALSE |
| FALSE |
FALSE |
FALSE |
| FALSE |
UNKNOWN |
FALSE |
| UNKNOWN |
TRUE |
UNKNOWN |
| UNKNOWN |
FALSE |
FALSE |
| UNKNOWN |
UNKNOWN |
UNKNOWN |
The following table describes the results for a logical OR operation between two conditional expressions, ConditionalExpression1 and ConditionalExpression2.
| ConditionalExpression1 | ConditionalExpression2 | ConditionalExpression1 || ConditionalExpression2 |
|---|---|---|
| TRUE |
TRUE |
TRUE |
| TRUE |
FALSE |
TRUE |
| TRUE |
UNKNOWN |
TRUE |
| FALSE |
TRUE |
TRUE |
| FALSE |
FALSE |
FALSE |
| FALSE |
UNKNOWN |
UNKNOWN |
| UNKNOWN |
TRUE |
TRUE |
| UNKNOWN |
FALSE |
UNKNOWN |
| UNKNOWN |
UNKNOWN |
UNKNOWN |
The negation of a conditional expression with a value of UNKNOWN is also UNKNOWN.
Conditional ACE Evaluation
The following table describes the access check result of a conditional ACE depending on the final evaluation of the conditional expression.
| ACE type | TRUE | FALSE | UNKNOWN |
|---|---|---|---|
| Allow |
Allow |
Ignore ACE |
Ignore ACE |
| Deny |
Deny |
Ignore ACE |
Deny |
Examples
The following examples show how the specified access policies are represented by a conditional ACE defined by using SDDL.
-
Policy
-
Allow Execute to Everyone if both of the following conditions are met:
- Title = PM
- Division = Finance or Division = Sales
-
SDDL
-
D:(XA; ;FX;;;S-1-1-0; (@User.Title=="PM" && (@User.Division=="Finance" || @User.Division ==" Sales")))
-
Policy
-
Allow execute if any of the user s projects intersect with the file s projects.
-
SDDL
-
D:(XA; ;FX;;;S-1-1-0; (@User.Project Any_of @Resource.Project))
-
Policy
-
Allow read access if the user has logged in with a smart card, is a backup operator, and is connecting from a machine with Bitlocker enabled.
-
SDDL
-
D:(XA; ;FR;;;S-1-1-0; (Member_of {SID(Smartcard_SID), SID(BO)} && @Device.Bitlocker))
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for