2.4.4.17.2 Security Attributes
Conditional expression terms contain references to security attributes (also known as claims) of an authenticated principal or a resource. Security attributes that are associated with authenticated user principal and device principal entities are referred to as "user claims" and "device claims", respectively, and are defined as an instance of a CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structure associated with a token/authorization context. User claims are associated with the UserClaims[] array, and device claims are associated with the DeviceClaims[] array as described in section 2.5.2. An attribute associated with a resource is referred to as a "resource attribute" and is defined as a CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (section 2.4.10.1) structure within a SYSTEM_RESOURCE_ATTRIBUTE_ACE contained in the Security Descriptor SACL associated with a resource.