2.4.4.17.9 Examples: Conditional Expression Binary Representation

Example 1: Attributes in Simple Form

For the following conditional expression:

 (Title=="VP")

The ApplicationData member of the CALLBACK ACEs structure will have the following physical packing (numbers are in hexadecimal):

Figure 3: Components of the Application Data member for the conditional expression (Title=="VP")

The following hexadecimal byte dump shows the contents of the ApplicationData in contiguous memory for the preceding conditional expression (with three added bytes for padding).

  61 72 74 78 f8 0a 00 00    artx....
  00 54 00 69 00 74 00 6c    .T.i.t.l
  00 65 00 10 04 00 00 00    .e......
  56 00 50 00 80 00 00 00    V.P.....
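The following Python encoder and decoder is a worked example added here; it is not part of MS-DTYP. It builds the Example 1 ApplicationData from its three postfix tokens and parses the dump above back into those tokens, checking the length fields against the buffer and accepting only trailing zero padding. The three token values it needs (0xf8 local attribute, 0x10 Unicode string literal, 0x80 for ==) are read directly from the dump; the other attribute and operator token values in its tables are assumptions drawn from the token definitions elsewhere in MS-DTYP 2.4.4.17 and should be checked against that section before use.

```python
import struct

# Token values: 0xf8, 0x10 and 0x80 appear in the Example 1 dump on this page; the
# remaining entries are assumed from the token tables in MS-DTYP 2.4.4.17 (check them
# there before relying on them).
SIGNATURE = b"artx"
TOK_UNICODE = 0x10
TOK_LOCAL_ATTR = 0xF8
TOK_USER_ATTR = 0xF9
TOK_RESOURCE_ATTR = 0xFA
TOK_DEVICE_ATTR = 0xFB
ATTR_PREFIX = {TOK_LOCAL_ATTR: "", TOK_USER_ATTR: "@User.",
               TOK_RESOURCE_ATTR: "@Resource.", TOK_DEVICE_ATTR: "@Device."}
OPERATORS = {0x80: "==", 0x81: "!=", 0x82: "<", 0x83: "<=", 0x84: ">", 0x85: ">=",
             0x86: "Contains", 0x87: "Exists", 0x88: "Any_of", 0x89: "Member_of",
             0xA0: "&&", 0xA1: "||", 0xA2: "!"}
OPCODE = {symbol: code for code, symbol in OPERATORS.items()}

# The 32 bytes of the Example 1 dump above, transcribed from the page (3 pad bytes).
PAGE_EXAMPLE_1 = bytes.fromhex(
    "61727478f80a0000005400690074006c00650010040000005600500080000000")


def _length_prefixed(token: int, payload: bytes) -> bytes:
    """1-byte token, 4-byte little-endian byte length, then the payload."""
    return bytes([token]) + struct.pack("<I", len(payload)) + payload


def attribute(name: str, token: int = TOK_LOCAL_ATTR) -> bytes:
    """Attribute-name token; the name is UTF-16LE with no terminator (10 bytes for Title)."""
    return _length_prefixed(token, name.encode("utf-16-le"))


def unicode_literal(value: str) -> bytes:
    """Unicode string literal token, same length-prefixed UTF-16LE layout."""
    return _length_prefixed(TOK_UNICODE, value.encode("utf-16-le"))


def operator(symbol: str) -> bytes:
    """Operators are a single token byte with no length or payload."""
    return bytes([OPCODE[symbol]])


def application_data(postfix: list) -> bytes:
    """Signature, postfix-ordered tokens, then zero padding to a 4-byte boundary."""
    body = SIGNATURE + b"".join(postfix)
    return body + b"\x00" * (-len(body) % 4)


def decode(blob: bytes) -> list:
    """Walk the token stream back into its postfix symbols, rejecting malformed input."""
    if blob[:4] != SIGNATURE:
        raise ValueError("ApplicationData does not start with the artx signature")
    pos, tokens = 4, []
    while pos < len(blob):
        tok = blob[pos]
        pos += 1
        if tok == 0x00:
            # Only trailing zero padding (at most 3 bytes) may follow the last token.
            if any(blob[pos - 1:]) or len(blob) - (pos - 1) > 3:
                raise ValueError(f"unexpected zero byte at offset {pos - 1}")
            break
        if tok in ATTR_PREFIX or tok == TOK_UNICODE:
            if pos + 4 > len(blob):
                raise ValueError(f"length field at offset {pos} is truncated")
            (n,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            if pos + n > len(blob):
                raise ValueError(f"length {n} at offset {pos - 4} runs past the buffer")
            text = blob[pos:pos + n].decode("utf-16-le")
            pos += n
            tokens.append(ATTR_PREFIX[tok] + text if tok in ATTR_PREFIX else f'"{text}"')
        elif tok in OPERATORS:
            tokens.append(OPERATORS[tok])
        else:
            raise ValueError(f"token 0x{tok:02x} at offset {pos - 1} is not handled here")
    return tokens


def is_well_formed(blob: bytes) -> bool:
    """True when decode() accepts the buffer, False on any structural error."""
    try:
        decode(blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def example_1() -> bytes:
    """(Title=="VP") in postfix order: Title, "VP", ==."""
    return application_data([attribute("Title"), unicode_literal("VP"), operator("==")])


if __name__ == "__main__":
    assert example_1() == PAGE_EXAMPLE_1
    print(example_1().hex())
    print(decode(PAGE_EXAMPLE_1))
```

The decoder's two length checks are the ones that matter when this structure arrives in an ACE from an untrusted source: a length field larger than the remaining buffer, or a token cut off before its length field, is rejected rather than read past the end, and the truncated form of the page's own dump is used in the test below to show that.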

Example 2: @Prefixed Attribute Names and Multiple Terms

The following conditional expression illustrates @Prefixed attribute names and the use of multiple terms, as expressed in SDDL:

 (@User.smartcard==1 || @Device.managed==1) && (@Resource.dept Any_of{"Sales","HR"})

SDDL strings encoded into an ApplicationData field MUST be ordered to maintain SDDL precedence rules as specified in section 2.5.1.3. The preceding conditional expression can be reordered in postfix notation as follows:

 @User.smartcard 1 == @Device.managed 1 == || @Resource.dept {Sales,HR} Any_of &&

The following figure shows the mapping from the above postfix expression to the layout in memory:

Figure 4: Postfix to memory mapping for "(@User.smartcard == 1 || @Device.managed == 1) && (@Resource.dept Any_of {"Sales","HR"})"

Example 3: RHS Attribute Variables and SID-based Operators

The following conditional expression illustrates @Prefixed attribute names with an attribute variable on the RHS of the operator and the use of a SID-based operator (Member_Of) as expressed in SDDL:

 (@User.clearanceLevel>=@Resource.requiredClearance) || (Member_of{SID(BA)})

SDDL strings encoded into an ApplicationData field MUST be ordered to maintain SDDL precedence rules as specified in section 2.5.1.3. The preceding conditional expression can be reordered in postfix notation as follows:

 @User.clearanceLevel @Resource.requiredClearance >= {SID(BA)} Member_of ||

The following figure shows the mapping from the preceding postfix expression to the layout in memory.

Figure 5: Postfix to memory mapping for (@User.clearanceLevel >= @Resource.requiredClearance) || (Member_of {SID(BA)})
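The following Python check is an added example, not part of MS-DTYP. It walks the postfix token sequences of Examples 2 and 3 with a stack: each operator consumes its operands (one for a SID-based operator such as Member_of, two for a relational or logical operator) and a valid sequence must reduce to exactly one value. It rebuilds the fully parenthesized infix form so the grouping that the postfix order fixes can be read off directly. The token lists are transcribed from the two examples above; the arity table is an assumption drawn from the conditional SDDL operator set and should be checked against the operator token definitions in MS-DTYP 2.4.4.17.

```python
# Operator arities (assumed from the conditional SDDL operator set): the SID-based
# operators and Exists/! take one operand already on the stack, relational and
# logical operators take two.
UNARY = {"Member_of", "Not_Member_of", "Device_Member_of", "Not_Device_Member_of",
         "Member_of_Any", "Not_Member_of_Any", "Device_Member_of_Any",
         "Not_Device_Member_of_Any", "Exists", "Not_Exists", "!"}
BINARY = {"==", "!=", "<", "<=", ">", ">=", "Contains", "Not_Contains",
          "Any_of", "Not_Any_of", "&&", "||"}

# Postfix token sequences exactly as listed for Examples 2 and 3 on this page.
EXAMPLE_2 = ["@User.smartcard", "1", "==", "@Device.managed", "1", "==", "||",
             "@Resource.dept", "{Sales,HR}", "Any_of", "&&"]
EXAMPLE_3 = ["@User.clearanceLevel", "@Resource.requiredClearance", ">=",
             "{SID(BA)}", "Member_of", "||"]


def postfix_to_infix(tokens: list) -> str:
    """Reduce a postfix token list with a stack and rebuild a fully parenthesized
    infix string; raise ValueError when an operator lacks operands or values remain."""
    stack = []
    for i, tok in enumerate(tokens):
        if tok in UNARY:
            if not stack:
                raise ValueError(f"{tok} at index {i} has no operand")
            stack.append(f"({tok} {stack.pop()})")
        elif tok in BINARY:
            if len(stack) < 2:
                raise ValueError(f"{tok} at index {i} needs two operands")
            rhs, lhs = stack.pop(), stack.pop()   # top of stack is the right operand
            stack.append(f"({lhs} {tok} {rhs})")
        else:
            stack.append(tok)                     # attribute, literal or composite
    if len(stack) != 1:
        raise ValueError(f"{len(stack)} values left on the stack; expected exactly one")
    return stack[0]


def is_well_formed(tokens: list) -> bool:
    """True when the postfix sequence reduces to a single value."""
    try:
        postfix_to_infix(tokens)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(postfix_to_infix(EXAMPLE_2))
    print(postfix_to_infix(EXAMPLE_3))
```

The same stack discipline is what a consumer of ApplicationData applies at evaluation time, so a sequence that leaves operands unconsumed or starves an operator is a malformed ACE rather than a condition that evaluates to false; the test covers both failure shapes alongside the two examples.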