Security Descriptor Definition Language for Conditional ACEs

A conditional access control entry (ACE) allows an access condition to be evaluated when an access check is performed. The security descriptor definition language (SDDL) provides syntax for defining conditional ACEs in a string format.

The SDDL for a conditional ACE is the same as for any ACE, with the syntax for the conditional statement appended to the end of the ACE string. For information about SDDL, see Security Descriptor Definition Language.

In resource attribute values of the BLOB (octet string) type, the "#" sign is read as "0". For example, D:AI(XA;OICI;FA;;;WD;(OctetStringType==#1#2#3##)) is equivalent to, and interpreted as, D:AI(XA;OICI;FA;;;WD;(OctetStringType==#01020300)).

Conditional ACE String Format

Each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).

AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid;(ConditionalExpression)

The fields are as described in ACE Strings, with the following exceptions.

  • The AceType field can be one of the following strings.

    ACE type string   Constant in Sddl.h             AceType value
    "XA"              SDDL_CALLBACK_ACCESS_ALLOWED   ACCESS_ALLOWED_CALLBACK_ACE_TYPE
    "XD"              SDDL_CALLBACK_ACCESS_DENIED    ACCESS_DENIED_CALLBACK_ACE_TYPE

  • The ACE string includes one or more conditional expressions, enclosed in parentheses at the end of the string.

Conditional Expressions

A conditional expression can include any of the following elements.

Expression element                                Description
AttributeName                                     Tests whether the specified attribute has a nonzero value.
exists AttributeName                              Tests whether the specified attribute exists in the client context.
AttributeName Operator Value                      Returns the result of the specified operation.
ConditionalExpression || ConditionalExpression    Tests whether either of the specified conditional expressions is true.
ConditionalExpression && ConditionalExpression    Tests whether both of the specified conditional expressions are true.
!(ConditionalExpression)                          The inverse (negation) of a conditional expression.
Member_of{SidArray}                               Tests whether the SID_AND_ATTRIBUTES array of the client context contains all of the security identifiers (SIDs) in the comma-separated list specified by SidArray.
                                                  For Allow ACEs, a client context SID must have the SE_GROUP_ENABLED attribute set to be considered a match.
                                                  For Deny ACEs, a client context SID must have either the SE_GROUP_ENABLED or the SE_GROUP_USE_FOR_DENY_ONLY attribute set to be considered a match.
                                                  The SidArray array can contain either SID strings (for example, "S-1-5-6") or SID aliases (for example, "BA").

Attributes

An attribute represents an element in the AUTHZ_SECURITY_ATTRIBUTES_INFORMATION array in the client context. An attribute name can contain any alphanumeric characters and any of the characters ":", "/", ".", and "_".

An attribute value can be any of the following types.

Value type   Description
Integer      A 64-bit integer in either decimal or hexadecimal notation.
String       A string value delimited by double quotes.
SID          SID(S-1-1-0) or SID(BA). Must appear on the right-hand side of Member_of or Device_Member_of.
BLOB         "#" followed by hexadecimal digits. If the number of digits is odd, the leading "#" is read as a 0 to make it even. A "#" appearing elsewhere in the value is also read as a 0.

Operators

The following operators are defined for use in conditional expressions to test the values of attributes. All of these are binary operators and used in the form AttributeName Operator Value.

Operator   Description
==         Conventional definition.
!=         Conventional definition.
<          Conventional definition.
<=         Conventional definition.
>          Conventional definition.
>=         Conventional definition.
Contains   TRUE if the value of the specified attribute is a superset of the specified value; otherwise, FALSE.
Any_of     TRUE if the specified value is a superset of the value of the specified attribute; otherwise, FALSE.

In addition, the unary operators Exists, Member_of, and negation (!) are defined as described in the Conditional Expressions table.

The "Contains" operator must be preceded and followed by white space, and the "Any_of" operator must be preceded by white space.

Operator Precedence

The operators are evaluated in the following order of precedence, with operations of equal precedence being evaluated from left to right.

  1. Exists, Member_of
  2. Contains, Any_of
  3. ==, !=, <, <=, >, >=
  4. !
  5. &&
  6. ||

In addition, any portion of a conditional expression can be enclosed in parenthesis. Expressions within parentheses are evaluated first.
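The following tokenizer and recursive-descent parser is an added example, not code from the original page or from the Windows SDK. It implements the conditional ACE string format, the value types (including the "#" rule for BLOBs), and the operator precedence as listed above, and returns a plain tuple tree; the tuple shape, the function names, and the acceptance of the same `{...}` brace form for any composite right-hand value (the page shows it only for SidArray) are this example's own choices. It checks syntax only; it does not evaluate anything.

```python
import re
# Tokenizer; alternation order matters: hex before decimal, SID(...) before the word pattern.
_TOKEN = re.compile(r"""\s*(?:
      (?P<num>0[xX][0-9a-fA-F]+|\d+)
    | (?P<str>"[^"]*")
    | (?P<blob>\#[0-9a-fA-F#]*)
    | (?P<sid>SID\([^)]*\))
    | (?P<op>==|!=|<=|>=|<|>|&&|\|\||!|\{|\}|\(|\)|,)
    | (?P<word>[A-Za-z_@][A-Za-z0-9_@:/.]*)
    | (?P<bad>\S)
)""", re.X)

def tokenize(text):
    toks = []
    for m in _TOKEN.finditer(text):
        if m.lastgroup == "bad": raise SyntaxError(f"unexpected {m.group('bad')!r} at offset {m.start('bad')}")
        toks.append((m.lastgroup, m.group(m.lastgroup)))
    return toks

def parse_blob(tok):
    """'#' opens an octet string; any further '#' reads as 0, and an odd digit count gets a leading 0."""
    digits = tok[1:].replace("#", "0")
    return bytes.fromhex("0" + digits if len(digits) % 2 else digits)

class Parser:
    """Recursive descent, one method per precedence level from lowest (||) to highest. AST tuples:
    ("or"|"and", l, r), ("not", x), ("exists", name), ("member_of", set), (op, lhs, rhs), ("attr", name)."""
    _LITERAL = {"num": lambda v: ("int", int(v, 16 if v[:2].lower() == "0x" else 10)),
                "str": lambda v: ("str", v[1:-1]), "blob": lambda v: ("blob", parse_blob(v)),
                "sid": lambda v: ("sid", v[4:-1]), "word": lambda v: ("attr", v)}
    def __init__(self, text): self.toks, self.i = tokenize(text), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, val=None):
        k, v = self.peek()
        if (kind is not None and k != kind) or (val is not None and v != val):
            raise SyntaxError(f"expected {val or kind}, got {v!r}")
        self.i += 1
        return v
    def p_or(self):
        node = self.p_and()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("or", node, self.p_and())
        return node
    def p_and(self):
        node = self.p_not()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("and", node, self.p_not())
        return node
    def p_not(self):                                     # "!" binds looser than the relational operators
        if self.peek() == ("op", "!"):
            self.take()
            return ("not", self.p_not())
        return self.p_relational()
    def p_relational(self):
        node = self.p_primary()
        if self.peek()[0] == "op" and self.peek()[1] in ("==", "!=", "<", "<=", ">", ">="):
            node = (self.take(), node, self.p_value())
        return node
    def p_primary(self):
        k, v = self.peek()
        if (k, v) == ("op", "("):                        # parenthesised sub-expression evaluates first
            self.take()
            node = self.p_or()
            self.take("op", ")")
            return node
        if k == "word" and v.lower() in ("exists", "member_of", "device_member_of"):
            self.take()
            return (v.lower(), self.take("word") if v.lower() == "exists" else self.p_value())
        name = self.take("word")
        if self.peek()[0] == "word" and self.peek()[1].lower() in ("contains", "any_of"):
            return (self.take().lower(), ("attr", name), self.p_value())   # bind tighter than ==
        return ("attr", name)
    def p_value(self):
        k, v = self.peek()
        if k in self._LITERAL:
            self.take()
            return self._LITERAL[k](v)
        if (k, v) == ("op", "{"):                        # composite value, same brace form as SidArray
            self.take()
            items = [self.p_value()]
            while self.peek() == ("op", ","):
                self.take()
                items.append(self.p_value())
            self.take("op", "}")
            return ("set", items)
        raise SyntaxError(f"expected a value, got {v!r}")

def parse_condition(text):
    p = Parser(text)
    node = p.p_or()
    if p.peek() != (None, None): raise SyntaxError(f"trailing input: {p.peek()[1]!r}")
    return node

def split_conditional_ace(ace):
    """Split "(AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid;(cond))" into fields + tree."""
    parts = [p.strip() for p in ace[1:-1].split(";", 6)]
    if ace[:1] + ace[-1:] != "()" or len(parts) != 7 or not parts[6].startswith("("):
        raise ValueError("expected six fields followed by a (ConditionalExpression)")
    return parts[:6], parse_condition(parts[6])
```

split_conditional_ace strips the whitespace that the page's examples carry in the AceFlags field; the conditional expression is kept intact because the split stops after the sixth semicolon, so a ";" inside a quoted string cannot break it.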

Unknown Values

A conditional expression can also evaluate to UNKNOWN. For example, any relational operation returns UNKNOWN when the specified attribute does not exist in the client context.

The following table describes the results for a logical AND operation between two conditional expressions, ConditionalExpression1 and ConditionalExpression2.

ConditionalExpression1   ConditionalExpression2   ConditionalExpression1 && ConditionalExpression2
TRUE                     TRUE                     TRUE
TRUE                     FALSE                    FALSE
TRUE                     UNKNOWN                  UNKNOWN
FALSE                    TRUE                     FALSE
FALSE                    FALSE                    FALSE
FALSE                    UNKNOWN                  FALSE
UNKNOWN                  TRUE                     UNKNOWN
UNKNOWN                  FALSE                    FALSE
UNKNOWN                  UNKNOWN                  UNKNOWN

The following table describes the results for a logical OR operation between two conditional expressions, ConditionalExpression1 and ConditionalExpression2.

ConditionalExpression1   ConditionalExpression2   ConditionalExpression1 || ConditionalExpression2
TRUE                     TRUE                     TRUE
TRUE                     FALSE                    TRUE
TRUE                     UNKNOWN                  TRUE
FALSE                    TRUE                     TRUE
FALSE                    FALSE                    FALSE
FALSE                    UNKNOWN                  UNKNOWN
UNKNOWN                  TRUE                     TRUE
UNKNOWN                  FALSE                    UNKNOWN
UNKNOWN                  UNKNOWN                  UNKNOWN

The negation of a conditional expression with a value of UNKNOWN is also UNKNOWN.

Conditional ACE Evaluation

The following table describes the access check result of a conditional ACE depending on the final evaluation of the conditional expression.

ACE type   TRUE    FALSE        UNKNOWN
Allow      Allow   Ignore ACE   Ignore ACE
Deny       Deny    Ignore ACE   Deny

In both rows an UNKNOWN result fails closed: an allow ACE whose condition cannot be evaluated grants nothing, and a deny ACE whose condition cannot be evaluated still denies. A claim that is missing from the client context can therefore only remove access, never add it.

Examples

The following examples show how the specified access policies are represented by a conditional ACE defined by using SDDL.

Policy

Allow Execute to Everyone if both of the following conditions are met:

  • Title = PM
  • Division = Finance or Division = Sales
SDDL

D:(XA; ;FX;;;S-1-1-0; (@User.Title=="PM" && (@User.Division=="Finance" || @User.Division=="Sales")))

Policy

Allow execute if any of the user’s projects intersect with the file’s projects.

SDDL

D:(XA; ;FX;;;S-1-1-0; (@User.Project Any_of @Resource.Project))

Policy

Allow read access if the user has logged on with a smart card, is a backup operator, and is connecting from a machine with BitLocker enabled.

SDDL

D:(XA; ;FR;;;S-1-1-0; (Member_of {SID(Smartcard_SID), SID(BO)} && @Device.Bitlocker))
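The following evaluator is an added example, not code from the original page or from Windows; it applies the three-valued AND, OR and NOT tables, the Member_of group-flag rules, and the Conditional ACE Evaluation table above to the first and third example policies. The expression trees are hand-built tuples, the ClientContext class is a stand-in for the AuthZ client context, the SE_GROUP_* values are the winnt.h constants, and treating a type mismatch between an attribute and a value as UNKNOWN is this example's own assumption. The client contexts at the bottom are constructed for the demonstration.

```python
import operator

# The three results a conditional expression can take (the page's TRUE / FALSE / UNKNOWN).
TRUE, FALSE, UNKNOWN = "TRUE", "FALSE", "UNKNOWN"
# SID_AND_ATTRIBUTES group flags, values as in winnt.h.
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

def t_and(a, b):
    """AND per the page's table: any FALSE gives FALSE, otherwise any UNKNOWN gives UNKNOWN."""
    if a == FALSE or b == FALSE:
        return FALSE
    return TRUE if a == TRUE and b == TRUE else UNKNOWN

def t_or(a, b):
    """OR per the page's table: any TRUE gives TRUE, otherwise any UNKNOWN gives UNKNOWN."""
    if a == TRUE or b == TRUE:
        return TRUE
    return FALSE if a == FALSE and b == FALSE else UNKNOWN

def t_not(a):
    """Negation of UNKNOWN is UNKNOWN."""
    return UNKNOWN if a == UNKNOWN else (FALSE if a == TRUE else TRUE)

class ClientContext:
    """Stand-in for the AuthZ client context: security attributes plus group SIDs and their flags."""
    def __init__(self, attributes, groups):
        self.attributes = attributes   # attribute name -> scalar, or list for multi-valued attributes
        self.groups = groups           # SID string (or alias such as "BO") -> SE_GROUP_* flags

def as_set(v):
    return frozenset(v) if isinstance(v, (list, tuple, set, frozenset)) else frozenset([v])

def value_of(node, ctx):
    """Resolve a value node; an attribute absent from the context resolves to None."""
    if node[0] == "attr":
        return ctx.attributes.get(node[1])
    if node[0] == "set":
        items = [value_of(n, ctx) for n in node[1]]
        return None if None in items else frozenset(items)
    return node[1]                     # ("int", n), ("str", s), ("blob", b), ("sid", s)

_REL = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def evaluate(node, ctx, ace_type):
    """Evaluate an expression tree to TRUE / FALSE / UNKNOWN for an "allow" or "deny" ACE."""
    kind = node[0]
    if kind == "and":
        return t_and(evaluate(node[1], ctx, ace_type), evaluate(node[2], ctx, ace_type))
    if kind == "or":
        return t_or(evaluate(node[1], ctx, ace_type), evaluate(node[2], ctx, ace_type))
    if kind == "not":
        return t_not(evaluate(node[1], ctx, ace_type))
    if kind == "exists":
        return TRUE if node[1] in ctx.attributes else FALSE
    if kind == "attr":                 # bare attribute: nonzero test, UNKNOWN if absent
        val = ctx.attributes.get(node[1])
        return UNKNOWN if val is None else (TRUE if val else FALSE)
    if kind == "member_of":            # allow ACEs need SE_GROUP_ENABLED; deny ACEs also take deny-only
        wanted = SE_GROUP_ENABLED if ace_type == "allow" else SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY
        return TRUE if all(ctx.groups.get(s, 0) & wanted for s in value_of(node[1], ctx)) else FALSE
    lhs, rhs = value_of(node[1], ctx), value_of(node[2], ctx)
    if lhs is None or rhs is None:     # relational operator on a missing attribute
        return UNKNOWN
    if kind == "contains":             # attribute value is a superset of the value
        return TRUE if as_set(lhs) >= as_set(rhs) else FALSE
    if kind == "any_of":               # the value is a superset of the attribute value
        return TRUE if as_set(rhs) >= as_set(lhs) else FALSE
    if type(lhs) is not type(rhs):     # this example's own assumption: a type mismatch is UNKNOWN
        return UNKNOWN
    return TRUE if _REL[kind](lhs, rhs) else FALSE

def check_ace(ace_type, expr, ctx):
    """Map the final result to the effect in the page's Conditional ACE Evaluation table."""
    result = evaluate(expr, ctx, ace_type)
    if ace_type == "allow":
        return "Allow" if result == TRUE else "Ignore ACE"
    return "Ignore ACE" if result == FALSE else "Deny"

# The page's first example: Title == "PM" && (Division == "Finance" || Division == "Sales").
PM_IN_FINANCE_OR_SALES = (
    "and", ("==", ("attr", "@User.Title"), ("str", "PM")),
    ("or", ("==", ("attr", "@User.Division"), ("str", "Finance")),
           ("==", ("attr", "@User.Division"), ("str", "Sales"))))
# The page's third example: Member_of {SID(Smartcard_SID), SID(BO)} && @Device.Bitlocker.
SMARTCARD_BACKUP_BITLOCKER = (
    "and", ("member_of", ("set", [("sid", "Smartcard_SID"), ("sid", "BO")])),
    ("attr", "@Device.Bitlocker"))

if __name__ == "__main__":
    # Constructed client contexts: a PM in Sales, and a PM whose Division claim never arrived.
    pm_sales = ClientContext({"@User.Title": "PM", "@User.Division": "Sales"}, {})
    pm_no_division = ClientContext({"@User.Title": "PM"}, {})
    print(check_ace("allow", PM_IN_FINANCE_OR_SALES, pm_sales))        # Allow
    print(check_ace("allow", PM_IN_FINANCE_OR_SALES, pm_no_division))  # Ignore ACE
    print(check_ace("deny", PM_IN_FINANCE_OR_SALES, pm_no_division))   # Deny
```

The two runs on pm_no_division show the asymmetry a policy author has to plan for: the same missing Division claim makes the allow ACE silent but turns the deny ACE into an explicit denial. Likewise a group carried with SE_GROUP_USE_FOR_DENY_ONLY never satisfies Member_of in an allow ACE but does satisfy it in a deny ACE.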

Related topics

[MS-DTYP]: Security Descriptor Description Language

 

 

© 2014 Microsoft