The ACE Strings
The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a security descriptor string as shown in the following Security Descriptor String Format examples:
O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
Each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons (;).
(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
The format is:
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
The ACE String Description
ace_type - A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string can be one of the following strings defined in sddl.h.
ACE type string |
Constant in Sddl.h |
AceType value |
A |
SDDL_ACCESS_ALLOWED |
ACCESS_ALLOWED_ACE_TYPE |
D |
SDDL_ACCESS_DENIED |
ACCESS_DENIED_ACE_TYPE |
OA |
SDDL_OBJECT_ACCESS_ALLOWED |
ACCESS_ALLOWED_OBJECT_ACE_TYPE |
OD |
SDDL_OBJECT_ACCESS_DENIED |
ACCESS_DENIED_OBJECT_ACE_TYPE |
AU |
SDDL_AUDIT |
SYSTEM_AUDIT_ACE_TYPE |
AL |
SDDL_ALARM |
SYSTEM_ALARM_ACE_TYPE |
OU |
SDDL_OBJECT_AUDIT |
SYSTEM_AUDIT_OBJECT_ACE_TYPE |
OL |
SDDL_OBJECT_ALARM |
SYSTEM_ALARM_OBJECT_ACE_TYPE |
Table 1 |
If ace_type is ACCESS_ALLOWED_OBJECT_ACE_TYPE and neither object_guid nor inherit_object_guid has a GUID specified, then ConvertStringSecurityDescriptorToSecurityDescriptor() converts ace_type to ACCESS_ALLOWED_ACE_TYPE.
ace_flags - A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string can be a concatenation of the following strings that defined in sddl.h.
ACE flags string |
Constant in Sddl.h |
AceFlag value |
CI |
SDDL_CONTAINER_INHERIT |
CONTAINER_INHERIT_ACE |
OI |
SDDL_OBJECT_INHERIT |
OBJECT_INHERIT_ACE |
NP |
SDDL_NO_PROPAGATE |
NO_PROPAGATE_INHERIT_ACE |
IO |
SDDL_INHERIT_ONLY |
INHERIT_ONLY_ACE |
ID |
SDDL_INHERITED |
INHERITED_ACE |
SA |
SDDL_AUDIT_SUCCESS |
SUCCESSFUL_ACCESS_ACE_FLAG |
FA |
SDDL_AUDIT_FAILURE |
FAILED_ACCESS_ACE_FLAG |
Table 2 |
rights - A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights, such as 0x7800003F, or it can be a concatenation of the following strings.
Access rights string |
Constant in Sddl.h |
Access right value |
Generic access rights |
||
GA |
SDDL_GENERIC_ALL |
GENERIC_ALL |
GR |
SDDL_GENERIC_READ |
GENERIC_READ |
GW |
SDDL_GENERIC_WRITE |
GENERIC_WRITE |
GX |
SDDL_GENERIC_EXECUTE |
GENERIC_EXECUTE |
Standard access rights |
||
RC |
SDDL_READ_CONTROL |
READ_CONTROL |
SD |
SDDL_STANDARD_DELETE |
DELETE |
WD |
SDDL_WRITE_DAC |
WRITE_DAC |
WO |
SDDL_WRITE_OWNER |
WRITE_OWNER |
Directory service object access rights |
||
RP |
SDDL_READ_PROPERTY |
ADS_RIGHT_DS_READ_PROP |
WP |
SDDL_WRITE_PROPERTY |
ADS_RIGHT_DS_WRITE_PROP |
CC |
SDDL_CREATE_CHILD |
ADS_RIGHT_DS_CREATE_CHILD |
DC |
SDDL_DELETE_CHILD |
ADS_RIGHT_DS_DELETE_CHILD |
LC |
SDDL_LIST_CHILDREN |
ADS_RIGHT_DS_LIST |
SW |
SDDL_SELF_WRITE |
ADS_RIGHT_DS_SELF |
LO |
SDDL_LIST_OBJECT |
ADS_RIGHT_DS_LIST_OBJECT |
DT |
SDDL_DELETE_TREE |
ADS_RIGHT_DS_DELETE_TREE |
CR |
SDDL_CONTROL_ACCESS |
ADS_RIGHT_DS_CONTROL_ACCESS |
File access rights |
||
FA |
SDDL_FILE_ALL |
FILE_ALL_ACCESS |
FR |
SDDL_FILE_READ |
FILE_GENERIC_READ |
FW |
SDDL_FILE_WRITE |
FILE_GENERIC_WRITE |
FX |
SDDL_FILE_EXECUTE |
FILE_GENERIC_EXECUTE |
Registry key access rights |
||
KA |
SDDL_KEY_ALL |
KEY_ALL_ACCESS |
KR |
SDDL_KEY_READ |
KEY_READ |
KW |
SDDL_KEY_WRITE |
KEY_WRITE |
KX |
SDDL_KEY_EXECUTE |
KEY_EXECUTE |
Table 3 |
object_guid - A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE. The GUID string uses the format returned by the UuidToString() function. The following table lists some commonly used object GUIDs.
Rights and GUID |
Permission |
CR;ab721a53-1e2f-11d0-9819-00aa0040529b |
Change password. |
CR;00299570-246d-11d0-a768-00aa006e0529 |
Reset password. |
Table 4 |
inherit_object_guid - A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure. The GUID string uses the UuidToString() format.
account_sid - SID string that identifies the trustee of the ACE.
The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, which indicates that none of the ACE flags are set.
(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
The ACE string shown above describes the following ACE information:
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Other access rights(0x0000003f)
Ace Sid: (S-1-0-0)