
2.4.4.17 Conditional ACEs

Conditional ACEs are a form of CALLBACK ACEs with a special format of the application data. A Conditional ACE allows a conditional expression to be evaluated when an access check (as specified in section 2.5.3.2) is performed.<42>

The following ACE types may be formatted as a Conditional ACE:

ACCESS_ALLOWED_CALLBACK_ACE

ACCESS_ALLOWED_CALLBACK_OBJECT_ACE

ACCESS_DENIED_CALLBACK_ACE

ACCESS_DENIED_CALLBACK_OBJECT_ACE

SYSTEM_AUDIT_CALLBACK_ACE

SYSTEM_AUDIT_CALLBACK_OBJECT_ACE

A Conditional ACE is a CALLBACK ACE in which the first four bytes of the ApplicationData field in the CALLBACK ACE structure are set to the following byte value sequence: 0x61 0x72 0x74 0x78. The remaining contents of the ApplicationData field specify a conditional expression. The conditional expression language constructs and binary representation are defined in this section.

The security descriptor definition language (SDDL) (section 2.5.1) provides a string syntax for defining conditional ACEs, as specified in section 2.5.1.1.
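The signature test described above can be applied to a raw ACE when auditing a binary security descriptor. The following Python sketch is an added example, not part of the specification: it locates ApplicationData in each of the six CALLBACK ACE types and checks for the 0x61 0x72 0x74 0x78 prefix. The AceType codes and field layouts are taken from the ACE structure definitions elsewhere in the same specification, and the function names and sample ACE (Mask 0x1, SID S-1-1-0) are constructed for illustration.

```python
import struct

# Signature from this section: first four bytes of ApplicationData.
CONDITIONAL_SIGNATURE = bytes([0x61, 0x72, 0x74, 0x78])

# AceType -> (name, has object fields); codes come from the ACE_HEADER
# definition in the same specification, not from this section.
CALLBACK_TYPES = {
    0x09: ("ACCESS_ALLOWED_CALLBACK_ACE", False),
    0x0A: ("ACCESS_DENIED_CALLBACK_ACE", False),
    0x0B: ("ACCESS_ALLOWED_CALLBACK_OBJECT_ACE", True),
    0x0C: ("ACCESS_DENIED_CALLBACK_OBJECT_ACE", True),
    0x0D: ("SYSTEM_AUDIT_CALLBACK_ACE", False),
    0x0F: ("SYSTEM_AUDIT_CALLBACK_OBJECT_ACE", True),
}

def classify_ace(ace: bytes):
    """Return (type_name, is_conditional, expression_bytes) for one binary ACE."""
    if len(ace) < 8:
        raise ValueError("buffer shorter than ACE header plus Mask")
    ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", ace, 0)
    if not 8 <= ace_size <= len(ace):
        raise ValueError("AceSize does not fit the buffer")
    if ace_type not in CALLBACK_TYPES:
        return (None, False, b"")          # not a CALLBACK ACE at all
    name, is_object = CALLBACK_TYPES[ace_type]
    off = 8                                 # ACE_HEADER (4) + Mask (4)
    if is_object:                           # Flags, then 0-2 optional GUIDs
        if off + 4 > ace_size:
            raise ValueError("truncated object Flags")
        (obj_flags,) = struct.unpack_from("<I", ace, off)
        off += 4 + 16 * bin(obj_flags & 0x3).count("1")
    if off + 8 > ace_size:
        raise ValueError("truncated SID")
    off += 8 + 4 * ace[off + 1]             # SID: 8 fixed bytes + SubAuthority[]
    if off > ace_size:
        raise ValueError("SID overruns AceSize")
    app_data = ace[off:ace_size]
    if app_data[:4] == CONDITIONAL_SIGNATURE:
        return (name, True, app_data[4:])   # remainder is the expression
    return (name, False, b"")

def build_sample(ace_type, app_data, object_part=b""):
    """Constructed test ACE: Mask 0x1, SID S-1-1-0, caller-supplied ApplicationData."""
    sid = bytes.fromhex("010100000000000100000000")
    body = struct.pack("<I", 1) + object_part + sid + app_data
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body
```

The expression bytes returned for a conditional ACE are left opaque here; decoding them requires the binary representation defined in the rest of this section.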

 
© 2014 Microsoft