
Discretionary Access Control Lists XML Elements

Exchange Server 2003


This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

In a discretionary access control list (DACL), the DACL XML element can contain the elements revision, effective_aces, subitem_inheritable_aces, and subcontainer_inheritable_aces. The following table lists the content models for these elements.

Element name: child elements or contents (in the content models, ? marks an optional element and * zero or more occurrences)

dacl
    Attributes: defaulted=boolean, protected=boolean, autoinherited=boolean.
    Contents: revision? effective_aces? subitem_inheritable_aces? subcontainer_inheritable_aces?

revision
    String; revision for the DACL; for example, 2.

effective_aces
    access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace*

subcontainer_inheritable_aces
    access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace*

subitem_inheritable_aces
    access_allowed_ace* access_denied_ace* access_allowed_object_ace* access_denied_object_ace*

access_allowed_ace
    Attributes: inherited=boolean, (no_propagate_inherit=boolean)[1].
    Contents: access_mask sid

access_denied_ace
    Attributes: inherited=boolean, (no_propagate_inherit=boolean)[1].
    Contents: access_mask sid

access_allowed_object_ace
    Attributes: inherited=boolean, (no_propagate_inherit=boolean)[1], (inherited_object_type=GUID)[1].
    Contents: access_mask sid object_type?

access_denied_object_ace
    Attributes: inherited=boolean, (no_propagate_inherit=boolean)[1], (inherited_object_type=GUID)[1].
    Contents: access_mask sid (object_type | property_name)?

access_mask
    A hexadecimal number in string format; for example, "1fc9ff". This number is the 32-bit access mask for the access control entry (ACE). The mask identifies the access rights that the ACE grants or denies a trustee.

sid
    See Security Identifiers in XML.

object_type
    A globally unique identifier (GUID) in standard string format. The GUID identifies the property to which this ACE applies.

property_name
    The name of the property; for example, urn:schemas:mailheader:from.

[1] Denotes attributes present only in inheritable ACEs, that is, in the ACEs inside the subcontainer_inheritable_aces and subitem_inheritable_aces elements of the dacl element.

The following example presents an access control list (ACL) within a descriptor's DACL, in XML format:

<S:dacl S:defaulted="0" S:protected="0" S:autoinherited="1">
  <S:revision>2</S:revision>
  <S:effective_aces>
    <S:access_allowed_ace S:inherited="1">
      <S:access_mask>1f0fbf</S:access_mask>
      <S:sid>
        <S:string_sid>S-1-5-21-507921405-507921405-507921405-500</S:string_sid>
        <S:type>user</S:type>
        <S:nt4_compatible_name>DOMAIN\Administrator</S:nt4_compatible_name>
        <S:ad_object_guid>{446ca8b5-58b5-48b5-88b5-ae41ef9038b5}</S:ad_object_guid>
        <S:display_name>Administrator</S:display_name>
      </S:sid>
    </S:access_allowed_ace>
    <S:access_denied_ace S:inherited="1">
      <S:access_mask>1f0fbf</S:access_mask>
      <S:sid>
        <S:string_sid>S-1-5-7</S:string_sid>
        <S:type>well_known_group</S:type>
        <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
      </S:sid>
    </S:access_denied_ace>
    <S:access_allowed_ace S:inherited="1">
      <S:access_mask>120ea9</S:access_mask>
      <S:sid>
        <S:string_sid>S-1-1-0</S:string_sid>
        <S:type>well_known_group</S:type>
        <S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
      </S:sid>
    </S:access_allowed_ace>
  </S:effective_aces>
</S:dacl>
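To see how the ACEs in a DACL like the one above combine, the following added Python example (not code from the page or from Exchange) parses a constructed copy of that effective_aces list, splits each access_mask into its standard-rights bits and its Exchange-specific low 16 bits, and runs the ordered ACE walk by which a deny entry that precedes an allow entry wins for the bits it covers. The XML namespace bound to the S: prefix is an assumption, since the page's fragment does not declare one.

```python
import xml.etree.ElementTree as ET

# The namespace bound to the S: prefix is an assumption; the page's fragment does not declare it.
NS = {"S": "http://schemas.microsoft.com/exchange/security/"}

# Constructed sample: the page's effective_aces trimmed to the string_sid of each trustee.
SAMPLE_DACL = """<S:dacl xmlns:S="http://schemas.microsoft.com/exchange/security/"
  S:defaulted="0" S:protected="0" S:autoinherited="1">
  <S:revision>2</S:revision>
  <S:effective_aces>
    <S:access_allowed_ace S:inherited="1"><S:access_mask>1f0fbf</S:access_mask>
      <S:sid><S:string_sid>S-1-5-21-507921405-507921405-507921405-500</S:string_sid></S:sid>
    </S:access_allowed_ace>
    <S:access_denied_ace S:inherited="1"><S:access_mask>1f0fbf</S:access_mask>
      <S:sid><S:string_sid>S-1-5-7</S:string_sid></S:sid>
    </S:access_denied_ace>
    <S:access_allowed_ace S:inherited="1"><S:access_mask>120ea9</S:access_mask>
      <S:sid><S:string_sid>S-1-1-0</S:string_sid></S:sid>
    </S:access_allowed_ace>
  </S:effective_aces>
</S:dacl>"""

# Standard-rights bits of a Windows 32-bit access mask; Exchange-specific rights occupy the low 16 bits.
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                   0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}

def describe_mask(hex_mask):
    """Split an access_mask string such as '1f0fbf' into named standard rights and the low-16-bit remainder."""
    mask = int(hex_mask, 16)
    return [name for bit, name in STANDARD_RIGHTS.items() if mask & bit], mask & 0xFFFF

def effective_aces(xml_text):
    """Return [(ace_kind, string_sid, mask)] for the dacl's effective_aces, preserving ACL order."""
    root = ET.fromstring(xml_text)
    aces = []
    for ace in root.find("S:effective_aces", NS):
        kind = ace.tag.split("}")[1]                      # e.g. access_denied_ace
        sid = ace.find("S:sid/S:string_sid", NS).text
        aces.append((kind, sid, int(ace.find("S:access_mask", NS).text, 16)))
    return aces

def access_check(aces, token_sids, requested):
    """Ordered ACE walk: a deny ACE for a SID in the token that overlaps still-ungranted
    requested bits fails the check; allow ACEs accumulate bits until all are granted."""
    granted = 0
    for kind, sid, mask in aces:
        if sid not in token_sids:
            continue
        if kind.startswith("access_denied") and mask & requested & ~granted:
            return False
        if kind.startswith("access_allowed"):
            granted |= mask & requested
            if not requested & ~granted:
                return True
    return not requested & ~granted
```

With the sample, a token holding both S-1-5-7 and S-1-1-0 is refused READ_CONTROL because the ANONYMOUS LOGON deny entry precedes the Everyone allow entry, while a token holding only S-1-1-0 is granted it.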
© 2014 Microsoft