Discretionary Access Control Lists XML Elements
Exchange Server 2003
In a discretionary access control list (DACL), the dacl XML element can contain the child elements revision, effective_aces, subitem_inheritable_aces, and subcontainer_inheritable_aces. The following table lists the content model for each of these elements and for the access control entry (ACE) elements they contain.
| Element name | Child elements or contents |
|---|---|
| dacl (attributes: defaulted=boolean, protected=boolean, autoinherited=boolean) | revision? effective_aces? subitem_inheritable_aces? subcontainer_inheritable_aces? |
| revision | String; the revision number of the DACL; for example, 2. |
| effective_aces | access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace* |
| subcontainer_inheritable_aces | access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace* |
| subitem_inheritable_aces | access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace* |
| access_allowed_ace (attributes: inherited=boolean, no_propagate_inherit=boolean^1) | access_mask sid |
| access_denied_ace (attributes: inherited=boolean, no_propagate_inherit=boolean^1) | access_mask sid |
| access_allowed_object_ace (attributes: inherited=boolean, no_propagate_inherit=boolean^1, inherited_object_type=GUID^1) | access_mask sid object_type? |
| access_denied_object_ace (attributes: inherited=boolean, no_propagate_inherit=boolean^1, inherited_object_type=GUID^1) | access_mask sid (object_type \| property_name)? |
| access_mask | A hexadecimal number in string format; for example, "1fc9ff". This number is the 32-bit access mask for the access control entry (ACE). The mask identifies the access rights that the ACE grants or denies to the trustee named by the sid element. |
| sid | See Security Identifiers in XML. |
| object_type | A globally unique identifier (GUID) in standard string format. The GUID identifies the property to which this ACE applies. |
| property_name | The name of the property; for example, urn:schemas:mailheader:from. |

^1 Denotes attributes that appear only in inheritable ACEs, that is, in the ACEs contained in the subcontainer_inheritable_aces and subitem_inheritable_aces elements of the dacl element.
The following example presents an access control list (ACL) within a security descriptor's DACL, in XML format:

```xml
<S:dacl S:defaulted="0" S:protected="0" S:autoinherited="1">
  <S:revision>2</S:revision>
  <S:effective_aces>
    <S:access_allowed_ace S:inherited="1">
      <S:access_mask>1f0fbf</S:access_mask>
      <S:sid>
        <S:string_sid>S-1-5-21-507921405-507921405-507921405-500</S:string_sid>
        <S:type>user</S:type>
        <S:nt4_compatible_name>DOMAIN\Administrator</S:nt4_compatible_name>
        <S:ad_object_guid>{446ca8b5-58b5-48b5-88b5-ae41ef9038b5}</S:ad_object_guid>
        <S:display_name>Administrator</S:display_name>
      </S:sid>
    </S:access_allowed_ace>
    <S:access_denied_ace S:inherited="1">
      <S:access_mask>1f0fbf</S:access_mask>
      <S:sid>
        <S:string_sid>S-1-5-7</S:string_sid>
        <S:type>well_known_group</S:type>
        <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
      </S:sid>
    </S:access_denied_ace>
    <S:access_allowed_ace S:inherited="1">
      <S:access_mask>120ea9</S:access_mask>
      <S:sid>
        <S:string_sid>S-1-1-0</S:string_sid>
        <S:type>well_known_group</S:type>
        <S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
      </S:sid>
    </S:access_allowed_ace>
  </S:effective_aces>
</S:dacl>
```
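The following Python script is an added example, not code from the Exchange documentation or from the Exchange product, showing how a reviewer could parse a dacl fragment of the shape described in the table above and work out what a given trustee is actually allowed to do. It reads the effective_aces in document order, decodes each access_mask from its hexadecimal string into a 32-bit integer, and then applies the standard Windows maximum-allowed evaluation (a deny ACE removes rights that no earlier allow ACE has already granted, and an allow ACE grants rights that no earlier deny ACE has already removed), so it also demonstrates why ACE ordering matters. The namespace URI bound to the S: prefix is an assumption, since the page shows only the prefix; the embedded sample is a constructed copy of the page's example with that namespace declared so a standard XML parser accepts it, and only the Windows standard-rights bits are named, since the page does not define the Exchange-specific low-order bits.

```python
"""Parse an Exchange-style DACL XML fragment and evaluate a trustee's
maximum allowed access from its effective_aces, honouring ACE order.
Added example; not part of the Exchange documentation or product."""
import xml.etree.ElementTree as ET

# ASSUMPTION: the namespace URI for the S: prefix. Bind it to whatever the
# enclosing security descriptor actually declares.
S_NS = "http://schemas.microsoft.com/exchange/security/"
NS = {"S": S_NS}

# Windows standard-rights bits of a 32-bit access mask. The low 16 bits are
# object-specific rights, which this example reports only as a hex value.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Constructed sample: the page's example DACL, trimmed to the elements this
# script reads and with the (assumed) namespace declared on the root.
SAMPLE_DACL = f"""<S:dacl xmlns:S="{S_NS}" S:defaulted="0" S:protected="0" S:autoinherited="1">
  <S:revision>2</S:revision>
  <S:effective_aces>
    <S:access_allowed_ace S:inherited="1">
      <S:access_mask>1f0fbf</S:access_mask>
      <S:sid><S:string_sid>S-1-5-21-507921405-507921405-507921405-500</S:string_sid>
        <S:type>user</S:type></S:sid>
    </S:access_allowed_ace>
    <S:access_denied_ace S:inherited="1">
      <S:access_mask>1f0fbf</S:access_mask>
      <S:sid><S:string_sid>S-1-5-7</S:string_sid><S:type>well_known_group</S:type></S:sid>
    </S:access_denied_ace>
    <S:access_allowed_ace S:inherited="1">
      <S:access_mask>120ea9</S:access_mask>
      <S:sid><S:string_sid>S-1-1-0</S:string_sid><S:type>well_known_group</S:type></S:sid>
    </S:access_allowed_ace>
  </S:effective_aces>
</S:dacl>"""


def parse_dacl(xml_text):
    """Return the effective ACEs as a list of dicts, preserving document order.

    Each dict carries the ACE type (allow/deny), whether it is an object ACE,
    the decoded 32-bit mask, the trustee's string SID and the inherited flag."""
    root = ET.fromstring(xml_text)
    effective = root.find("S:effective_aces", NS)
    if effective is None:          # effective_aces is optional in the content model
        return []
    aces = []
    for ace in effective:
        local = ace.tag.rsplit("}", 1)[-1]      # e.g. access_denied_object_ace
        mask_text = ace.findtext("S:access_mask", namespaces=NS)
        aces.append({
            "type": "deny" if local.startswith("access_denied") else "allow",
            "object_ace": local.endswith("_object_ace"),
            "mask": int(mask_text, 16) & 0xFFFFFFFF,
            "sid": ace.findtext("S:sid/S:string_sid", namespaces=NS),
            "inherited": ace.get(f"{{{S_NS}}}inherited") == "1",
        })
    return aces


def maximum_allowed(aces, trustee_sids):
    """Compute the rights a trustee holding the given SIDs would be granted.

    Standard Windows evaluation: ACEs are visited in order; a deny ACE removes
    rights not already granted by an earlier allow, and an allow ACE grants
    rights not already removed by an earlier deny. Hence a deny ACE placed
    after a broad allow ACE is ineffective for the overlapping bits."""
    allowed = denied = 0
    for ace in aces:
        if ace["sid"] not in trustee_sids:
            continue
        if ace["type"] == "allow":
            allowed |= ace["mask"] & ~denied
        else:
            denied |= ace["mask"] & ~allowed
    return allowed & 0xFFFFFFFF


def describe_mask(mask):
    """Name the standard-rights bits set in a mask; report the rest as hex."""
    names = [name for bit, name in sorted(STANDARD_RIGHTS.items()) if mask & bit]
    specific = mask & 0xFFFF
    if specific:
        names.append(f"specific:0x{specific:04x}")
    return names


if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_DACL)
    trustees = {   # constructed token SID sets; every logon also holds Everyone
        "Administrator": {"S-1-5-21-507921405-507921405-507921405-500", "S-1-1-0"},
        "ANONYMOUS LOGON": {"S-1-5-7", "S-1-1-0"},
        "ordinary user": {"S-1-5-21-507921405-507921405-507921405-1001", "S-1-1-0"},
    }
    for label, sids in trustees.items():
        rights = maximum_allowed(aces, sids)
        print(f"{label:16s} 0x{rights:08x} {describe_mask(rights)}")
```

With the page's example, the anonymous-logon SID ends up with no rights at all even though it also matches the Everyone allow ACE, because the deny ACE precedes that allow ACE; moving the deny ACE after the Everyone ACE would hand anonymous callers the 0x120ea9 mask, which is the kind of ordering defect worth checking for when reviewing descriptors retrieved from a server.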