The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a security descriptor string.

As shown in the Security Descriptor String Format examples, each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).

```
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
```
Fields

- ace_type

  A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string can be one of the following strings defined in Sddl.h.
| ACE type string | Constant in Sddl.h | AceType value |
|---|---|---|
| "A" | SDDL_ACCESS_ALLOWED | ACCESS_ALLOWED_ACE_TYPE |
| "D" | SDDL_ACCESS_DENIED | ACCESS_DENIED_ACE_TYPE |
| "OA" | SDDL_OBJECT_ACCESS_ALLOWED | ACCESS_ALLOWED_OBJECT_ACE_TYPE |
| "OD" | SDDL_OBJECT_ACCESS_DENIED | ACCESS_DENIED_OBJECT_ACE_TYPE |
| "AU" | SDDL_AUDIT | SYSTEM_AUDIT_ACE_TYPE |
| "AL" | SDDL_ALARM | SYSTEM_ALARM_ACE_TYPE |
| "OU" | SDDL_OBJECT_AUDIT | SYSTEM_AUDIT_OBJECT_ACE_TYPE |
| "OL" | SDDL_OBJECT_ALARM | SYSTEM_ALARM_OBJECT_ACE_TYPE |
  Note: If ace_type is ACCESS_ALLOWED_OBJECT_ACE_TYPE and neither object_guid nor inherit_object_guid has a GUID specified, then ConvertStringSecurityDescriptorToSecurityDescriptor converts ace_type to ACCESS_ALLOWED_ACE_TYPE.
- ace_flags

  A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string can be a concatenation of the following strings defined in Sddl.h.
| ACE flags string | Constant in Sddl.h | AceFlags value |
|---|---|---|
| "CI" | SDDL_CONTAINER_INHERIT | CONTAINER_INHERIT_ACE |
| "OI" | SDDL_OBJECT_INHERIT | OBJECT_INHERIT_ACE |
| "NP" | SDDL_NO_PROPAGATE | NO_PROPAGATE_INHERIT_ACE |
| "IO" | SDDL_INHERIT_ONLY | INHERIT_ONLY_ACE |
| "ID" | SDDL_INHERITED | INHERITED_ACE |
| "SA" | SDDL_AUDIT_SUCCESS | SUCCESSFUL_ACCESS_ACE_FLAG |
| "FA" | SDDL_AUDIT_FAILURE | FAILED_ACCESS_ACE_FLAG |
- rights

  A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.
| Access rights string | Constant in Sddl.h | Access right value |
|---|---|---|
| Generic access rights | | |
| "GA" | SDDL_GENERIC_ALL | GENERIC_ALL |
| "GR" | SDDL_GENERIC_READ | GENERIC_READ |
| "GW" | SDDL_GENERIC_WRITE | GENERIC_WRITE |
| "GX" | SDDL_GENERIC_EXECUTE | GENERIC_EXECUTE |
| Standard access rights | | |
| "RC" | SDDL_READ_CONTROL | READ_CONTROL |
| "SD" | SDDL_STANDARD_DELETE | DELETE |
| "WD" | SDDL_WRITE_DAC | WRITE_DAC |
| "WO" | SDDL_WRITE_OWNER | WRITE_OWNER |
| Directory service object access rights | | |
| "RP" | SDDL_READ_PROPERTY | ADS_RIGHT_DS_READ_PROP |
| "WP" | SDDL_WRITE_PROPERTY | ADS_RIGHT_DS_WRITE_PROP |
| "CC" | SDDL_CREATE_CHILD | ADS_RIGHT_DS_CREATE_CHILD |
| "DC" | SDDL_DELETE_CHILD | ADS_RIGHT_DS_DELETE_CHILD |
| "LC" | SDDL_LIST_CHILDREN | ADS_RIGHT_ACTRL_DS_LIST |
| "SW" | SDDL_SELF_WRITE | ADS_RIGHT_DS_SELF |
| "LO" | SDDL_LIST_OBJECT | ADS_RIGHT_DS_LIST_OBJECT |
| "DT" | SDDL_DELETE_TREE | ADS_RIGHT_DS_DELETE_TREE |
| "CR" | SDDL_CONTROL_ACCESS | ADS_RIGHT_DS_CONTROL_ACCESS |
| File access rights | | |
| "FA" | SDDL_FILE_ALL | FILE_ALL_ACCESS |
| "FR" | SDDL_FILE_READ | FILE_GENERIC_READ |
| "FW" | SDDL_FILE_WRITE | FILE_GENERIC_WRITE |
| "FX" | SDDL_FILE_EXECUTE | FILE_GENERIC_EXECUTE |
| Registry key access rights | | |
| "KA" | SDDL_KEY_ALL | KEY_ALL_ACCESS |
| "KR" | SDDL_KEY_READ | KEY_READ |
| "KW" | SDDL_KEY_WRITE | KEY_WRITE |
| "KX" | SDDL_KEY_EXECUTE | KEY_EXECUTE |
- object_guid

  A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE. The GUID string uses the format returned by the UuidToString function.

  The following table lists some commonly used object GUIDs.

| Rights and GUID | Permission |
|---|---|
| CR;ab721a53-1e2f-11d0-9819-00aa0040529b | Change password |
| CR;00299570-246d-11d0-a768-00aa006e0529 | Reset password |
- inherit_object_guid

  A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure. The GUID string uses the UuidToString format.

- account_sid

  SID string that identifies the trustee of the ACE.
The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, which indicates that none of the ACE flags are set.

```
(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
```

The ACE string shown above describes the following ACE information.

```
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x00
Access Mask: 0x100e003f
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    GENERIC_ALL
    Other access rights (0x0000003f)
Ace Sid: (S-1-0-0)
```

For more information, see Security Descriptor String Format and SID Strings.
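As an added example (it is not Microsoft's code and not part of this page), the following Python parses an ACE string into the six fields described above, builds the access mask from the rights tokens or from the hexadecimal form, applies the object_guid collapse rule noted under ace_type, and decodes a mask into named rights plus an object-specific remainder the way the worked example above does. The numeric values of the Sddl.h constants are the winnt.h and iads.h header values, which this page does not list, so they are an assumption of the example; the account_sid field is only checked for presence, not validated against the SID string grammar.

```python
"""Parse SDDL ACE strings (example code, not Microsoft's; no Win32 calls).

Numeric constants below are the standard winnt.h / iads.h values, which the
page itself does not list, and are an assumption of this example.
"""
import re
from dataclasses import dataclass

# ace_type token -> AceType constant name
ACE_TYPES = {
    "A": "ACCESS_ALLOWED_ACE_TYPE", "D": "ACCESS_DENIED_ACE_TYPE",
    "AU": "SYSTEM_AUDIT_ACE_TYPE", "AL": "SYSTEM_ALARM_ACE_TYPE",
    "OA": "ACCESS_ALLOWED_OBJECT_ACE_TYPE", "OD": "ACCESS_DENIED_OBJECT_ACE_TYPE",
    "OU": "SYSTEM_AUDIT_OBJECT_ACE_TYPE", "OL": "SYSTEM_ALARM_OBJECT_ACE_TYPE",
}

# ace_flags token -> ACE_HEADER.AceFlags bit. Note that "FA" in this field is
# FAILED_ACCESS_ACE_FLAG; the same two letters in the rights field mean
# FILE_ALL_ACCESS, so each field must be decoded with its own table.
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08,
             "ID": 0x10, "SA": 0x40, "FA": 0x80}

# rights token -> access-mask bits (generic, standard, DS, file, registry)
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "RP": 0x10, "WP": 0x20, "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08,
    "LO": 0x80, "DT": 0x40, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}

# Bits whose meaning does not depend on the object type. The low 16 bits are
# object-specific, so a decoder that does not know the object type reports
# them as "other", exactly as the worked example on the page does.
NAMED_BITS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


@dataclass
class Ace:
    ace_type: str            # AceType name, after the documented OA -> A collapse
    ace_flags: int           # AceFlags bit mask
    access_mask: int
    object_guid: str         # "" when the field is empty
    inherit_object_guid: str
    account_sid: str


def _tokens(field: str, table: dict, what: str) -> int:
    """OR together the two-character tokens of a flags or rights field."""
    if len(field) % 2:
        raise ValueError(f"odd-length {what} field: {field!r}")
    value = 0
    for i in range(0, len(field), 2):
        tok = field[i:i + 2]
        if tok not in table:
            raise ValueError(f"unknown {what} token {tok!r}")
        value |= table[tok]
    return value


def parse_ace(ace_string: str) -> Ace:
    """Parse one "(type;flags;rights;object_guid;inherit_object_guid;sid)" string."""
    s = ace_string.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("ACE string must be enclosed in parentheses")
    parts = s[1:-1].split(";")
    if len(parts) != 6:
        raise ValueError(f"expected 6 ';'-separated fields, got {len(parts)}")
    ace_type, flags, rights, object_guid, inherit_guid, sid = parts
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ace_type {ace_type!r}")
    for g in (object_guid, inherit_guid):
        if g and not GUID_RE.match(g):
            raise ValueError(f"malformed GUID {g!r}")
    if not sid:
        raise ValueError("account_sid must not be empty")
    # rights is either a hex literal such as 0x7800003F or a run of tokens
    mask = int(rights, 16) if rights.lower().startswith("0x") else _tokens(rights, RIGHTS, "rights")
    type_name = ACE_TYPES[ace_type]
    # Documented behaviour: an "OA" ACE with neither GUID present is
    # converted to a plain ACCESS_ALLOWED_ACE_TYPE.
    if ace_type == "OA" and not object_guid and not inherit_guid:
        type_name = ACE_TYPES["A"]
    return Ace(type_name, _tokens(flags, ACE_FLAGS, "ace_flags"), mask,
               object_guid, inherit_guid, sid)


def describe_mask(mask: int):
    """Split a mask into named standard/generic rights and the object-specific remainder."""
    names = [name for bit, name in sorted(NAMED_BITS.items()) if mask & bit]
    known = 0
    for bit in NAMED_BITS:
        known |= bit
    return names, mask & ~known & 0xFFFFFFFF
```

Running `describe_mask(parse_ace("(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)").access_mask)` yields `(["READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL"], 0x3f)`, matching the breakdown above; the 0x3f remainder is the six directory-service rights RP, WP, CC, DC, LC and SW, which only have that meaning once the object type is known.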
Build date: 7/31/2008