Windows Access Control List (ACL) 7
The ACE Strings

The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a security descriptor string, as shown in the following security descriptor string example:

"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

Each ACE in a security descriptor string is enclosed in parentheses.  The fields of the ACE appear in the following order and are separated by semicolons (;).

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)

The format is:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

The ACE String Description

ace_type - A string that indicates the value of the AceType member of the ACE_HEADER structure.  The ACE type string can be one of the following strings defined in sddl.h.

ACE type string   Constant in Sddl.h            AceType value
"A"               SDDL_ACCESS_ALLOWED           ACCESS_ALLOWED_ACE_TYPE
"D"               SDDL_ACCESS_DENIED            ACCESS_DENIED_ACE_TYPE
"OA"              SDDL_OBJECT_ACCESS_ALLOWED    ACCESS_ALLOWED_OBJECT_ACE_TYPE
"OD"              SDDL_OBJECT_ACCESS_DENIED     ACCESS_DENIED_OBJECT_ACE_TYPE
"AU"              SDDL_AUDIT                    SYSTEM_AUDIT_ACE_TYPE
"AL"              SDDL_ALARM                    SYSTEM_ALARM_ACE_TYPE
"OU"              SDDL_OBJECT_AUDIT             SYSTEM_AUDIT_OBJECT_ACE_TYPE
"OL"              SDDL_OBJECT_ALARM             SYSTEM_ALARM_OBJECT_ACE_TYPE

Table 1

If ace_type is ACCESS_ALLOWED_OBJECT_ACE_TYPE and neither object_guid nor inherit_object_guid has a GUID specified, then ConvertStringSecurityDescriptorToSecurityDescriptor() converts ace_type to ACCESS_ALLOWED_ACE_TYPE.

ace_flags - A string that indicates the value of the AceFlags member of the ACE_HEADER structure.  The ACE flags string can be a concatenation of the following strings that are defined in sddl.h.

ACE flags string   Constant in Sddl.h        AceFlag value
"CI"               SDDL_CONTAINER_INHERIT    CONTAINER_INHERIT_ACE
"OI"               SDDL_OBJECT_INHERIT       OBJECT_INHERIT_ACE
"NP"               SDDL_NO_PROPAGATE         NO_PROPAGATE_INHERIT_ACE
"IO"               SDDL_INHERIT_ONLY         INHERIT_ONLY_ACE
"ID"               SDDL_INHERITED            INHERITED_ACE
"SA"               SDDL_AUDIT_SUCCESS        SUCCESSFUL_ACCESS_ACE_FLAG
"FA"               SDDL_AUDIT_FAILURE        FAILED_ACCESS_ACE_FLAG

Table 2

 

rights - A string that indicates the access rights controlled by the ACE.  This string can be a hexadecimal string representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.

Access rights string   Constant in Sddl.h       Access right value

Generic access rights
"GA"                   SDDL_GENERIC_ALL         GENERIC_ALL
"GR"                   SDDL_GENERIC_READ        GENERIC_READ
"GW"                   SDDL_GENERIC_WRITE       GENERIC_WRITE
"GX"                   SDDL_GENERIC_EXECUTE     GENERIC_EXECUTE

Standard access rights
"RC"                   SDDL_READ_CONTROL        READ_CONTROL
"SD"                   SDDL_STANDARD_DELETE     DELETE
"WD"                   SDDL_WRITE_DAC           WRITE_DAC
"WO"                   SDDL_WRITE_OWNER         WRITE_OWNER

Directory service object access rights
"RP"                   SDDL_READ_PROPERTY       ADS_RIGHT_DS_READ_PROP
"WP"                   SDDL_WRITE_PROPERTY      ADS_RIGHT_DS_WRITE_PROP
"CC"                   SDDL_CREATE_CHILD        ADS_RIGHT_DS_CREATE_CHILD
"DC"                   SDDL_DELETE_CHILD        ADS_RIGHT_DS_DELETE_CHILD
"LC"                   SDDL_LIST_CHILDREN       ADS_RIGHT_DS_LIST
"SW"                   SDDL_SELF_WRITE          ADS_RIGHT_DS_SELF
"LO"                   SDDL_LIST_OBJECT         ADS_RIGHT_DS_LIST_OBJECT
"DT"                   SDDL_DELETE_TREE         ADS_RIGHT_DS_DELETE_TREE
"CR"                   SDDL_CONTROL_ACCESS      ADS_RIGHT_DS_CONTROL_ACCESS

File access rights
"FA"                   SDDL_FILE_ALL            FILE_ALL_ACCESS
"FR"                   SDDL_FILE_READ           FILE_GENERIC_READ
"FW"                   SDDL_FILE_WRITE          FILE_GENERIC_WRITE
"FX"                   SDDL_FILE_EXECUTE        FILE_GENERIC_EXECUTE

Registry key access rights
"KA"                   SDDL_KEY_ALL             KEY_ALL_ACCESS
"KR"                   SDDL_KEY_READ            KEY_READ
"KW"                   SDDL_KEY_WRITE           KEY_WRITE
"KX"                   SDDL_KEY_EXECUTE         KEY_EXECUTE

Table 3

 

object_guid - A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE.  The GUID string uses the format returned by the UuidToString() function.  The following table lists some commonly used object GUIDs.

Rights and GUID                             Permission
CR;ab721a53-1e2f-11d0-9819-00aa0040529b     Change password.
CR;00299570-246d-11d0-a768-00aa006e0529     Reset password.

Table 4

 

inherit_object_guid - A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure.  The GUID string uses the UuidToString() format.

account_sid - SID string that identifies the trustee of the ACE.

The following example shows an ACE string for an access-allowed ACE.  It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guid fields.  The ace_flags field is also empty, which indicates that none of the ACE flags are set.

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)

The ACE string shown above describes the following ACE information:

AceType:       0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags:      0x00
Access Mask:   0x100e003f
                   READ_CONTROL
                   WRITE_DAC
                   WRITE_OWNER
                   GENERIC_ALL
                   Other access rights (0x0000003f)
Ace Sid:       (S-1-0-0)
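To make the six-field layout and the Table 3 rights tokens concrete, here is an added example in C (not code from the original page or from Microsoft's sddl.h) that splits an ACE string into its fields and folds the rights field into an access mask without calling ConvertStringSecurityDescriptorToSecurityDescriptor().  The numeric mask values are taken from winnt.h / iads.h, which the page does not list; applied to the example ACE above it yields 0x100e003f, the Access Mask shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Table 3 tokens with their access-mask bits (values from winnt.h / iads.h; the page lists names only). */
static const struct { const char *tok; uint32_t mask; } RIGHTS[] = {
    {"GA", 0x10000000}, {"GR", 0x80000000}, {"GW", 0x40000000}, {"GX", 0x20000000},
    {"RC", 0x00020000}, {"SD", 0x00010000}, {"WD", 0x00040000}, {"WO", 0x00080000},
    {"RP", 0x10}, {"WP", 0x20}, {"CC", 0x01}, {"DC", 0x02}, {"LC", 0x04},
    {"SW", 0x08}, {"LO", 0x80}, {"DT", 0x40}, {"CR", 0x100},
    {"FA", 0x001F01FF}, {"FR", 0x00120089}, {"FW", 0x00120116}, {"FX", 0x001200A0},
    {"KA", 0x000F003F}, {"KR", 0x00020019}, {"KW", 0x00020006}, {"KX", 0x00020019},
};
#define NRIGHTS (sizeof RIGHTS / sizeof RIGHTS[0])

/* Decode the rights field: hex form ("0x7800003F") or a run of two-letter tokens.
   An unknown token or a dangling single letter sets *ok = 0 and returns 0. */
uint32_t sddl_rights_to_mask(const char *rights, int *ok)
{
    uint32_t mask = 0;
    *ok = 1;
    if (rights[0] == '0' && (rights[1] == 'x' || rights[1] == 'X'))
        return (uint32_t)strtoul(rights, NULL, 16);
    for (size_t i = 0; rights[i]; i += 2) {
        size_t j = 0;
        while (rights[i + 1] && j < NRIGHTS && strncmp(rights + i, RIGHTS[j].tok, 2) != 0) j++;
        if (!rights[i + 1] || j == NRIGHTS) { *ok = 0; return 0; }
        mask |= RIGHTS[j].mask;
    }
    return mask;
}

/* Split "(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)" into
   its six fields, keeping empty ones.  Returns 1 on success, 0 on bad framing or field count. */
int sddl_parse_ace(const char *ace, char fields[6][64])
{
    char buf[256], *p = buf;
    size_t len = strlen(ace);
    if (len < 2 || len - 2 >= sizeof buf || ace[0] != '(' || ace[len - 1] != ')') return 0;
    memcpy(buf, ace + 1, len - 2); buf[len - 2] = '\0';
    for (int k = 0; k < 6; k++) {
        char *q = strchr(p, ';');                /* strtok would swallow the empty fields */
        if ((q == NULL) != (k == 5)) return 0;   /* too few or too many ';' */
        if (q) *q = '\0';
        snprintf(fields[k], 64, "%s", p);
        if (q) p = q + 1;
    }
    return 1;
}
```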
