
Discretionary Access Control Lists XML Elements

Exchange Server 2003

The dacl XML element, which represents a discretionary access control list (DACL), can contain the elements revision, effective_aces, subitem_inheritable_aces, and subcontainer_inheritable_aces. The following table lists the content models for these elements.

| Element name | Child elements or contents |
| --- | --- |
| dacl | Attributes: defaulted=boolean protected=boolean autoinherited=boolean. Child elements: revision? effective_aces? subitem_inheritable_aces? subcontainer_inheritable_aces? |
| revision | String; revision for the DACL; for example, 2. |
| effective_aces | access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace* |
| subcontainer_inheritable_aces | access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace* |
| subitem_inheritable_aces | access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace* |
| access_allowed_ace | Attributes: inherited=boolean (no_propagate_inherit=boolean)^1. Child elements: access_mask sid |
| access_denied_ace | Attributes: inherited=boolean (no_propagate_inherit=boolean)^1. Child elements: access_mask sid |
| access_allowed_object_ace | Attributes: inherited=boolean (no_propagate_inherit=boolean)^1 (inherited_object_type=GUID)^1. Child elements: access_mask sid object_type? |
| access_denied_object_ace | Attributes: inherited=boolean (no_propagate_inherit=boolean)^1 (inherited_object_type=GUID)^1. Child elements: access_mask sid (object_type \| property_name)? |
| access_mask | A hexadecimal number in string format; for example, "1fc9ff". This number is the 32-bit access mask for the access control entry (ACE). This mask identifies the access rights that the ACE grants or denies a trustee. |
| sid | See Security Identifiers in XML. |
| object_type | A globally unique identifier (GUID) in standard string format. The GUID identifies the property to which this ACE applies. |
| property_name | The name of the property. For example, urn:schemas:mailheader:from. |

^1 Denotes attributes present in inheritable ACEs. These entries are present in the subcontainer_inheritable_aces and subitem_inheritable_aces elements of the dacl element.

The following example presents an access control list (ACL) within a descriptor's DACL, in XML format:


<S:dacl S:defaulted="0" S:protected="0" S:autoinherited="1">
  <S:revision>2</S:revision>
  <S:effective_aces>
   <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-507921405-507921405-507921405-500</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\Administrator</S:nt4_compatible_name>
     <S:ad_object_guid>{446ca8b5-58b5-48b5-88b5-ae41ef9038b5}</S:ad_object_guid>
     <S:display_name>Administrator</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-7</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="1">
    <S:access_mask>120ea9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-1-0</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
    </S:sid>
   </S:access_allowed_ace>
  </S:effective_aces>
</S:dacl>
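
The following is an added example, not code from the original page or from Microsoft. It shows one way to audit a DACL in this XML format with Python: it parses the effective ACEs, decodes each access_mask into the standard Windows access rights, and marks allow ACEs that give a broad well-known SID the right to rewrite the DACL or take ownership. The sample reuses the SIDs and masks from the example above; the namespace URI is a placeholder, and the names audit_dacl, BROAD_SIDS and the review rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Standard access rights (bits 16-20 of a Windows access mask).
STANDARD_RIGHTS = {0x010000: "DELETE", 0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
                   0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
# Well-known SIDs that cover very broad sets of principals (illustrative list).
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
              "S-1-5-11": "Authenticated Users"}
TAKEOVER = 0x040000 | 0x080000  # WRITE_DAC | WRITE_OWNER

# Constructed sample; the namespace URI is a placeholder, not taken from the page.
SAMPLE = """<S:dacl xmlns:S="urn:example:placeholder" S:defaulted="0" S:protected="0" S:autoinherited="1">
 <S:revision>2</S:revision>
 <S:effective_aces>
  <S:access_allowed_ace S:inherited="1"><S:access_mask>1f0fbf</S:access_mask>
   <S:sid><S:string_sid>S-1-5-21-507921405-507921405-507921405-500</S:string_sid></S:sid></S:access_allowed_ace>
  <S:access_denied_ace S:inherited="1"><S:access_mask>1f0fbf</S:access_mask>
   <S:sid><S:string_sid>S-1-5-7</S:string_sid></S:sid></S:access_denied_ace>
  <S:access_allowed_ace S:inherited="1"><S:access_mask>120ea9</S:access_mask>
   <S:sid><S:string_sid>S-1-1-0</S:string_sid></S:sid></S:access_allowed_ace>
 </S:effective_aces>
</S:dacl>"""

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def audit_dacl(xml_text):
    """Return one record per effective ACE; 'review' marks an allow ACE that lets
    a broad group rewrite the DACL or take ownership of the object."""
    root = ET.fromstring(xml_text)
    records = []
    aces = [a for s in root if local(s.tag) == "effective_aces" for a in s]
    for ace in aces:
        # Collect the text of every descendant element, keyed by local name.
        fields = {local(e.tag): (e.text or "").strip() for e in ace.iter()}
        mask = int(fields["access_mask"], 16)  # hex string without a 0x prefix
        allow = local(ace.tag).startswith("access_allowed")
        records.append({
            "type": local(ace.tag),
            "sid": fields["string_sid"],
            "inherited": any(local(k) == "inherited" and v == "1"
                             for k, v in ace.attrib.items()),
            "standard": [n for bit, n in STANDARD_RIGHTS.items() if mask & bit],
            "specific": mask & 0xFFFF,  # object-specific bits; meaning depends on the object
            "review": allow and fields["string_sid"] in BROAD_SIDS and bool(mask & TAKEOVER),
        })
    return records
```

For the masks in the example, 1f0fbf carries all five standard rights, while 120ea9 carries only READ_CONTROL and SYNCHRONIZE, so the Everyone entry is not marked for review.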

© 2014 Microsoft. All rights reserved.