2.4.4.17.6 Relational Operator Tokens


Each relational operator examines one or more attribute values and evaluates to TRUE, FALSE or UNKNOWN, according to the defined behavior of the operator in the following table. In addition to the TRUE and FALSE values specified for each operator in the table, each relational operator MUST return "UNKNOWN" if the attribute tested does not exist in the security context.

For all operators other than the relational operators ==, Contains, and Any_of, and the logical operator Exists, when multivalued attributes are on the left- and/or right-hand side of an operator, the operation will fail and produce an UNKNOWN value.

If any processing rule returns an error, then the entire conditional expression evaluates to UNKNOWN, regardless of the rest of the expression.

Unary Relational Operators

The operand type MUST be either a SID literal, or a composite, each of whose elements is a SID literal.

The operand for unary operators is the variable on the top of the evaluation stack as specified in the EvaluateAceCondition algorithm in section 2.5.3.1.5.

| Token Type | Byte-Code | Processing |
| --- | --- | --- |
| Member_of | 0x89 | SDDL Form: Member_of operand. Return TRUE if the SIDs[] array (section 2.5.2) contains all of the SIDs in the operand; FALSE otherwise. |
| Device_Member_of<57> | 0x8a | SDDL Form: Device_Member_of operand. Return TRUE if the DeviceSIDs[] array (section 2.5.2) contains all of the SIDs in the operand; FALSE otherwise. |
| Member_of_Any<58> | 0x8b | SDDL Form: Member_of_Any operand. Return TRUE if the SIDs[] array (section 2.5.2) contains any of the SIDs in the operand; FALSE otherwise. |
| Device_Member_of_Any<59> | 0x8c | SDDL Form: Device_Member_of_Any operand. Return TRUE if the DeviceSIDs[] array (section 2.5.2) contains any of the SIDs in the operand; FALSE otherwise. |
| Not_Member_of<60> | 0x90 | SDDL Form: Not_Member_of operand. Logical inverse of Member_of. |
| Not_Device_Member_of<61> | 0x91 | SDDL Form: Not_Device_Member_of operand. Logical inverse of Device_Member_of. |
| Not_Member_of_Any<62> | 0x92 | SDDL Form: Not_Member_of_Any operand. Logical inverse of Member_of_Any. |
| Not_Device_Member_of_Any<63> | 0x93 | SDDL Form: Not_Device_Member_of_Any operand. Logical inverse of Device_Member_of_Any. |
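The eight unary tokens above, worked as an added example that is not part of MS-DTYP: each byte-code is mapped to the array it consults, whether all or any operand SIDs must be present, and whether the result is inverted, with UNKNOWN returned when the array is absent from the security context. SIDs are modelled as strings and the security context is a constructed dict holding the SIDs[] and DeviceSIDs[] arrays of section 2.5.2.

```python
# Added example, not code from MS-DTYP: the unary membership tokens, evaluated
# over a constructed security context holding the SIDs[] and DeviceSIDs[]
# arrays of section 2.5.2 (SIDs modelled as strings).
UNKNOWN = None  # third truth value beside True and False

def _member_of(context, array_name, operand, require_all):
    """Shared body: all (Member_of) or any (Member_of_Any) operand SIDs present in the array."""
    sids = context.get(array_name)
    if sids is None:                      # array missing from the context -> UNKNOWN
        return UNKNOWN
    present = [sid in sids for sid in operand]
    return all(present) if require_all else any(present)

def _inverse(value):
    """Logical inverse used by the Not_* tokens; UNKNOWN is preserved."""
    return UNKNOWN if value is UNKNOWN else not value

# byte-code -> (array consulted, require all operand SIDs?, negated?)
UNARY_TOKENS = {
    0x89: ("SIDs", True, False),         # Member_of
    0x8a: ("DeviceSIDs", True, False),   # Device_Member_of
    0x8b: ("SIDs", False, False),        # Member_of_Any
    0x8c: ("DeviceSIDs", False, False),  # Device_Member_of_Any
    0x90: ("SIDs", True, True),          # Not_Member_of
    0x91: ("DeviceSIDs", True, True),    # Not_Device_Member_of
    0x92: ("SIDs", False, True),         # Not_Member_of_Any
    0x93: ("DeviceSIDs", False, True),   # Not_Device_Member_of_Any
}

def evaluate_unary(context, bytecode, operand):
    """Evaluate one unary token; operand is a single SID literal or a composite of SID literals."""
    array_name, require_all, negated = UNARY_TOKENS[bytecode]
    sids = [operand] if isinstance(operand, str) else list(operand)
    result = _member_of(context, array_name, sids, require_all)
    return _inverse(result) if negated else result

# Constructed sample: a user with two group SIDs on a device carrying one device-claim SID.
SAMPLE_CONTEXT = {
    "SIDs": ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1105"],
    "DeviceSIDs": ["S-1-5-21-1-2-3-1200"],
}
```

A context without a DeviceSIDs[] array (for example a token with no device claims) makes every Device_* token, negated or not, evaluate to UNKNOWN rather than FALSE.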

Binary Relational Operators

Binary relational operators compare left-hand-side (LHS) and right-hand-side (RHS) operands. The LHS MUST contain an attribute name in simple or @Prefixed form.<64> The RHS MUST contain an attribute in @Prefixed form or literals representing values of the same value type as the attribute variable on the LHS. If the LHS and RHS operands are of different types, then the entire conditional expression evaluates to UNKNOWN. Note, however, that BOOLEAN values TRUE and FALSE can be compared to the literal integers "1" and "0", but only when using the == or != operators.

Relational operators that compare string and octet string values compare each string operand byte by byte, terminating when the compared bytes differ in value. If a string is a prefix of a string it is compared to, the longer string is considered greater. The comparison is case-insensitive, unless the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE flag value is set in the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structure (section 2.4.10.1).<65>

If the type of an operand is "Result Value" then the operation returns an error.

If the type of an operand is "Local Attribute", "Resource Attribute", "Device Attribute" or "User Attribute" and the value is null then the logical value of the operand is UNKNOWN.

If the value of either operand is UNKNOWN then the operation returns UNKNOWN.

In the following processing rules, the LHS is the second variable on the stack and the RHS is the top of the stack as specified in the EvaluateAceCondition algorithm in section 2.5.3.1.5.

| Token Type | Byte-Code | Processing |
| --- | --- | --- |
| == | 0x80 | SDDL form: (LHS == RHS). MUST evaluate to TRUE if the argument on the RHS evaluates to the exact value (single or set value) of the argument on the LHS; otherwise, FALSE. |
| != | 0x81 | SDDL form: (LHS != RHS). MUST evaluate to FALSE if the argument on the RHS evaluates to the exact value of the argument on the LHS; otherwise, TRUE. |
| < | 0x82 | SDDL form: (LHS < RHS). MUST evaluate to TRUE if the argument on the LHS is less than the argument on the RHS; otherwise, FALSE. |
| <= | 0x83 | SDDL form: (LHS <= RHS). MUST evaluate to TRUE if the argument on the LHS is less than, or equal to, the argument on the RHS; otherwise, FALSE. |
| > | 0x84 | SDDL form: (LHS > RHS). MUST evaluate to TRUE if the argument on the LHS is greater than the argument on the RHS; otherwise, FALSE. |
| >= | 0x85 | SDDL form: (LHS >= RHS). MUST evaluate to TRUE if the argument on the LHS is greater than, or equal to, the argument on the RHS; otherwise, FALSE. |
| Contains | 0x86 | SDDL Form: LHS Contains RHS. LHS MUST be an attribute name in simple or @Prefixed form. RHS MUST be a set of one or more literals, or an attribute name in @Prefixed form. MUST evaluate to TRUE if the value(s) for the specified LHS include value(s) identical to each of the value(s) specified by the RHS; otherwise, FALSE.<66> |
| Any_of | 0x88 | SDDL Form: LHS Any_of RHS. LHS MUST be an attribute name in simple or @Prefixed form. RHS MUST be a set of one or more literals, or an attribute name in @Prefixed form. MUST evaluate to TRUE if the RHS value set includes one or more of the value(s) of the specified LHS; otherwise, FALSE. RHS can be either a set or a single value.<67> |
| Not_Contains<68> | 0x8e | SDDL Form: LHS Not_Contains RHS. Logical inverse of Contains. |
| Not_Any_of<69> | 0x8f | SDDL Form: LHS Not_Any_of RHS. Logical inverse of Any_of. |
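The binary operators above, together with the UNKNOWN, same-type, null-value, multivalued and string-comparison rules stated earlier in this section, as an added example that is not part of MS-DTYP. The value model is an assumption of this example: an attribute value is an int, a bool, a str or bytes octet string, or a frozenset of those for a multivalued attribute, and None stands for a null attribute value; the Not_Contains and Not_Any_of tokens are taken to accept multivalued operands because they are defined as inverses of Contains and Any_of.

```python
# Added example, not code from MS-DTYP: a three-valued evaluator for the binary
# relational operators. Value model (assumed here): int, bool, str/bytes, or a
# frozenset of those for a multivalued attribute; None models a null value.
UNKNOWN = None  # the third truth value beside True and False

# Operators that accept multivalued operands; every other operator yields UNKNOWN
# on a multivalued LHS or RHS (the Not_* forms are treated as inverses of their base).
SET_OPS = {"==", "Contains", "Any_of", "Not_Contains", "Not_Any_of"}

def _kind(v):
    """Value-type class for the same-type rule; a set takes its (single) element type."""
    if isinstance(v, frozenset):
        kinds = {_kind(e) for e in v}
        return kinds.pop() if len(kinds) == 1 else None
    if isinstance(v, bool):
        return "bool"
    return "int" if isinstance(v, int) else "str" if isinstance(v, (str, bytes)) else None

def _key(v, case_sensitive):
    """Byte-wise ordering key: a proper prefix sorts lower, matching the page's rule.
    Case folding is ASCII lower() here; Windows folds Unicode, so this is an approximation."""
    if isinstance(v, str):
        v = v.encode("utf-8")
    if isinstance(v, bytes):
        return v if case_sensitive else v.lower()
    return v

def evaluate_binary(op, lhs, rhs, case_sensitive=False):
    """Return True, False or UNKNOWN for 'lhs op rhs' under the section's rules."""
    if lhs is None or rhs is None:                     # null attribute value -> UNKNOWN
        return UNKNOWN
    l = lhs if isinstance(lhs, frozenset) else frozenset([lhs])
    r = rhs if isinstance(rhs, frozenset) else frozenset([rhs])
    lk, rk = _kind(l), _kind(r)
    bool_int = op in ("==", "!=") and {lk, rk} == {"bool", "int"}  # TRUE/FALSE vs 1/0
    if lk is None or (lk != rk and not bool_int):      # differing types -> UNKNOWN
        return UNKNOWN
    if op not in SET_OPS and (len(l) != 1 or len(r) != 1):
        return UNKNOWN                                  # multivalued operand not allowed here
    L = frozenset(_key(e, case_sensitive) for e in l)
    R = frozenset(_key(e, case_sensitive) for e in r)
    if op == "==":
        return L == R                                   # exact single or set value
    if op == "!=":
        return L != R
    if op in ("Contains", "Not_Contains"):
        return (R <= L) == (op == "Contains")           # every RHS value present in LHS
    if op in ("Any_of", "Not_Any_of"):
        return (not R.isdisjoint(L)) == (op == "Any_of")  # some LHS value present in RHS
    (a,), (b,) = L, R
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]
```

Because UNKNOWN is distinct from False, a caller that folds it to "deny" must do so explicitly; an evaluator that silently coerced UNKNOWN to FALSE would turn Not_Contains on a null attribute into a grant.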