2.5.1.1 Syntax
An SDDL string is a single sequence of characters. The format can be ANSI or Unicode; the actual protocol MUST specify the character set that is used. Regardless of the character set used, the characters that can be used are alphanumeric and punctuation.
The format for an SDDL string is described by the following ABNF (as specified in [RFC5234]) grammar, where the elements are as shown here.<80>
sddl = [owner-string] [group-string] [dacl-string] [sacl-string]
owner-string = "O:" sid-string
group-string = "G:" sid-string
dacl-string = "D:" [acl-flag-string] [aces]
sacl-string = "S:" [acl-flag-string] [aces]
sid-string = sid-token / sid-value
sid-value = SID ; defined in section 2.4.2.1
sid-token = "DA" / "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" / "LA" / "LG" / "AO" /
            "BO" / "PO" / "SO" / "AU" / "PS" / "CO" / "CG" / "SY" / "PU" / "WD" / "RE" / "IU" /
            "NU" / "SU" / "RC" / "WR" / "AN" / "SA" / "CA" / "RS" / "EA" / "PA" / "RU" / "LS" /
            "NS" / "RD" / "NO" / "MU" / "LU" / "IS" / "CY" / "OW" / "ER" / "RO" / "CD" / "AC" /
            "RA" / "ES" / "MS" / "UD" / "HA" / "CN" / "AA" / "RM" / "LW" / "ME" / "MP" / "HI" /
            "SI"
acl-flag-string = *acl-flag
acl-flag = "P" / "AR" / "AI"
aces = *(ace / conditional-ace / resource-attribute-ace)
ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid ")"
capid-value-sid = "S-1-17-" 1*SubAuthority ; SubAuthority defined in section 2.4.2.1
resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / "S-1-1-0" ) ";(" attribute-data "))"
attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
TI-attr = "TI" "," attr-flags *("," int-64)
TU-attr = "TU" "," attr-flags *("," uint-64)
TS-attr = "TS" "," attr-flags *("," char-string)
TD-attr = "TD" "," attr-flags *("," sid-string)
TX-attr = "TX" "," attr-flags *("," octet-string)
TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )
attr-flags = "0x" ([*4HEXDIG "00"] sys-attr-flags / *"0" sys-attr-flags / *"0" HEXDIG)
sys-attr-flags = ( "0" / "1" / "2" / "3" ) HEXDIG
ace-flag-string = ace-flag ace-flag-string / ""
ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT) ; numeric values must fit within 64 bits
text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
generic-rights-string = generic-right / generic-rights-string / ""
generic-right = "GA" / "GW" / "GR" / "GX"
standard-rights-string = standard-right / standard-rights-string / ""
standard-right = "WO" / "WD" / "RC" / "SD"
object-specific-rights-string = object-specific-right / object-specific-rights-string / ""
object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG
; The second option is the GUID of the object in the form
; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" where each "X" is a hex digit
object-guid = guid
inherit-object-guid = guid
wspace = 1*(%x09-0D / %x20)
term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
; multiple rules for cond-expr to represent different precedence of || and &&
; super-term and factor are intermediate rules and used only in this part of the grammar
cond-expr = expr
expr = super-term [wspace] *( "||" [wspace] super-term )
super-term = factor [wspace] *( "&&" [wspace] factor )
factor = term
factor /= "(" [wspace] expr [wspace] ")"
factor /= "!" [wspace] factor
;
memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
exists-op = ( "Exists" / "Not_exists" ) wspace attr-name
rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] ( attr-name2 / value-array ) ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)
anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
attr-name1 = attr-char1 *(attr-char1 / "@") ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 ; new prefixed name form
attr-char2 = attr-char1 / lit-char
attr-name = attr-name1 / attr-name2 ; either name form
sid-array = "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace] ) "}"
literal-SID = "SID(" sid-string ")"
value-array = value [wspace] / "{" [wspace] value [wspace] *( "," [wspace] value [wspace] ) "}"
value = int-64 / char-string / octet-string
int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits in two's complement form
uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits
char-string = DQUOTE *(CHAR) DQUOTE
octet-string = "#" *(2HEXDIG)
lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / ( "%" 4HEXDIG ) ; 4HEXDIG can have any value except 0000 (NULL)
sid-token: An abbreviated form of a well-known SID, per the following table.
SDDL alias   Well-Known SID name
"DA"         DOMAIN_ADMINS
"DG"         DOMAIN_GUESTS
"DU"         DOMAIN_USERS
"ED"         ENTERPRISE_DOMAIN_CONTROLLERS
"DD"         DOMAIN_DOMAIN_CONTROLLERS
"DC"         DOMAIN_COMPUTERS
"BA"         BUILTIN_ADMINISTRATORS
"BG"         BUILTIN_GUESTS
"BU"         BUILTIN_USERS
"LA"         ADMINISTRATOR<81>
"LG"         GUEST
"AO"         ACCOUNT_OPERATORS
"BO"         BACKUP_OPERATORS
"PO"         PRINTER_OPERATORS
"SO"         SERVER_OPERATORS
"AU"         AUTHENTICATED_USERS
"PS"         PRINCIPAL_SELF
"CO"         CREATOR_OWNER
"CG"         CREATOR_GROUP
"SY"         LOCAL_SYSTEM
"PU"         POWER_USERS
"WD"         EVERYONE
"RE"         REPLICATOR
"IU"         INTERACTIVE
"NU"         NETWORK
"SU"         SERVICE
"RC"         RESTRICTED_CODE
"WR"         WRITE_RESTRICTED_CODE
"AN"         ANONYMOUS
"SA"         SCHEMA_ADMINISTRATORS
"CA"         CERT_PUBLISHERS
"RS"         RAS_SERVERS
"EA"         ENTERPRISE_ADMINS
"PA"         GROUP_POLICY_CREATOR_OWNER
"RU"         ALIAS_PREW2KCOMPACC
"LS"         LOCAL_SERVICE
"NS"         NETWORK_SERVICE
"RD"         REMOTE_DESKTOP
"NO"         NETWORK_CONFIGURATION_OPS
"MU"         PERFMON_USERS
"LU"         PERFLOG_USERS
"IS"         IIS_USERS
"CY"         CRYPTO_OPERATORS
"OW"         OWNER_RIGHTS
"ER"         EVENT_LOG_READERS
"RO"         ENTERPRISE_RO_DCS
"CD"         CERTSVC_DCOM_ACCESS
"AC"         ALL_APP_PACKAGES
"RA"         RDS_REMOTE_ACCESS_SERVERS
"ES"         RDS_ENDPOINT_SERVERS
"MS"         RDS_MANAGEMENT_SERVERS
"UD"         USER_MODE_DRIVERS
"HA"         HYPER_V_ADMINS
"CN"         CLONEABLE_CONTROLLERS
"AA"         ACCESS_CONTROL_ASSISTANCE_OPS
"RM"         REMOTE_MANAGEMENT_USERS
"LW"         ML_LOW
"ME"         ML_MEDIUM
"MP"         ML_MEDIUM_PLUS
"HI"         ML_HIGH
"SI"         ML_SYSTEM
acl-flag: Flags for the SECURITY_DESCRIPTOR structure, context dependent on whether a SACL or DACL is being processed. These flags are derived from the SECURITY_DESCRIPTOR Control flags specified in section 2.4.6. "P" indicates Protected PS or PD flags from that section, "AR" corresponds to SC or DC, and "AI" indicates SI or DI.
ace-type: String that indicates the type of ACE that is being presented.
String   ACE type
"A"      Access Allowed
"D"      Access Denied
"AU"     Audit
"OA"     Object Access Allowed
"OD"     Object Access Denied
"OU"     Object Audit
"ML"     Mandatory Label
"SP"     Central Policy ID
conditional-ace-type: String that indicates the type of SDDL-supported conditional ACE that is being presented.<82>
String   ACE type                          Numeric value
"XA"     Access Allowed Callback           0x9
"XD"     Access Denied Callback            0xA
"XU"     Audit Callback                    0xB
"ZA"     Object Access Allowed Callback    0xD
central-policy-ace: An ACE type that identifies a central policy to be applied to the resource. Also called a SYSTEM_SCOPED_POLICY_ID ACE (see section 2.4.4.16).<83>
capid-value-sid: A SID with an Authority value of 17 that refers to a CentralAccessPolicy within a CentralAccessPolicysList ([MS-GPCAP] section 3.2.1.1).<84>
resource-attribute-ace: An ACE type that defines a resource attribute (sometimes referred to as a resource property or resource claim.) See section 2.4.4.15.<85>
attribute-data: A string specifying the name of a resource attribute and data defining the type and value of the attribute. A resource attribute type can be identified with one of the following strings:<86>
String   Resource Attribute Type
"TI"     64-bit integer
"TU"     Unsigned 64-bit integer
"TS"     String of Unicode characters
"TD"     A SID in string form
"TX"     A string of single-byte (octet) values
"TB"     A string containing a Boolean value represented by a "1" (True) or a "0" (False)
attr-flags: A 32-bit number containing flag values within a resource attribute. The bits 16-31 can contain custom values. Bits 0 through 15 are specified by sys-attr-flags.
sys-attr-flags: A two-byte integer that MAY be zero or any combination of the hexadecimal flag values of the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structure (section 2.4.10.1).
ace-flag-string: A set of ACE flags that define the behavior of the ACE. The strings correlate exactly to the flags as specified in section 2.4.4.1.
generic-rights-string: A set of generic user rights used to perform generic mappings to object-specific rights.
String   Access right       Hex value
"GR"     Generic Read       0x80000000
"GW"     Generic Write      0x40000000
"GX"     Generic Execute    0x20000000
"GA"     Generic All        0x10000000
standard-rights-string: A set of SDDL-supported standard user rights.
String   Access right    Hex value
"WO"     Write Owner     0x00080000
"WD"     Write DAC       0x00040000
"RC"     Read Control    0x00020000
"SD"     Delete          0x00010000
object-specific-rights-string: A set of object-specific rights; some common ones are shown, but it is recommended that the reader consult a specific protocol for applicable values, if any, in that protocol.
String   Object type         Access right       Hex value
"FA"     File                File All Access    0x001F01FF
"FX"     File                File Execute       0x001200A0
"FW"     File                File Write         0x00120116
"FR"     File                File Read          0x00120089
"KA"     Registry Key        Key All Access     0x000F003F
"KR"     Registry Key        Key Read           0x00020019
"KX"     Registry Key        Key Execute        0x00020019
"KW"     Registry Key        Key Write          0x00020006
"CR"     Directory Object    Control Access     0x00000100
"LO"     Directory Object    List Object        0x00000080
"DT"     Directory Object    Delete Tree        0x00000040
"WP"     Directory Object    Write Property     0x00000020
"RP"     Directory Object    Read Property      0x00000010
"SW"     Directory Object    Self Write         0x00000008
"LC"     Directory Object    List Children      0x00000004
"DC"     Directory Object    Delete Child       0x00000002
"CC"     Directory Object    Create Child       0x00000001
term: A string specifying a stand-alone logical expression, which is the simplest form of conditional expression, or a part of a more complex conditional expression.
cond-expr: A conditional expression in textual form. Conditional expressions are specified in section 2.4.4.17.
memberof-op: A string identifying a Member_of type of operator as described in section 2.4.4.17.6. <87>
exists-op: A string identifying an exists type operator as described in section 2.4.4.17.7.
rel-op: A string specifying a binary relational operation containing an attribute name or reference, one of the following relational operators, "==" , "!=" , "<" , "<=" , ">" , ">=" (without quotes) identifying a relational operator as described in section 2.4.4.17.6, and an attribute name or literal value.
rel-op2: A string specifying a binary operator for certain operators that support set comparisons. The string contains an attribute name, a string specifying the operator, "==" or "!=", and a string specifying an array of values (value-array).<88>
contains-op: A string specifying a relational operator term using a Contains or Not_Contains operator.<89>
anyof-op: A string specifying a relational operator term using an Any_of or Not_Any_of operator.<90>
sid-array: A string representation of an array of string SIDs.
literal-SID: A string specifying a literal SID. A literal-SID MUST be prefixed by the string "SID" followed by a sid-value enclosed in parentheses.
attr-name1: A string representing a valid attribute name in simple form.<91> An attribute name in simple form MUST not begin with the "@" character and MUST be comprised only of characters defined by attr-char1. An example of an attribute in simple form is "Title" (without quotes.) See section 2.5.1.2.1.
attr-name2: A string representing a valid attribute name in @Prefixed form. An attribute name is in @Prefixed form when it is prefixed with the string "@User.", "@Device.", or "@Resource." and is comprised only of characters defined by attr-char2. An example of an attribute in @Prefixed form is "@User.Title" (without quotes.) See section 2.5.1.2.2.<92>
attr-char1: A character valid for use in an attribute name in simple form. Valid characters include any ALPHA or DIGIT (as specified in [RFC5234]) or any of the following: ":", ".", "/", "_".
attr-char2: A character valid for use in an attribute name in @Prefixed form. Valid characters include all ASCII and UNICODE characters of the range 0x0-0xFFFF. Characters MAY be encoded either as literals or be encoded with a five-character sequence %XXXX, where XXXX are hexadecimal digits that represent the corresponding 16-bit Unicode value of the character with the following exceptions:
The following characters: "!", "&", "(", ")", ">", "<", "=", "|", "%", SP (space) and DQUOTE (as specified in [RFC5234]) MUST be encoded in the preceding five-character sequence.
The following characters MUST be encoded as literals: "#", "$", "'", "*", "+", "-", ".", "/", ":", ";", "?", "@", "[", "\", "]", "^", "_", "`", "{", "}", "~" and any characters in the ASCII ranges 0x41-0x5A (A-Z), 0x61-0x7A (a-z) and 0x30-0x39 (0-9.)
value-array: A string specifying an array of values. A value-array can be a single value or a set of one or more comma-delineated values where the entire set of values is enclosed between the "{" and "}" symbols.
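As an added example (not part of MS-DTYP or of any Microsoft implementation), a small Python parser that follows the grammar above: it locates the O:/G:/D:/S: parts, splits balanced ACE groups so that conditional ACEs with nested parentheses survive, and resolves sid-token and rights strings against subsets of the alias and rights tables above. The alias and rights tables in the code are abbreviated subsets, numeric rights are handled in hex form only, and a cond-expr is kept as text rather than evaluated.

```python
import functools, re

SID_ALIASES = {"BA": "BUILTIN_ADMINISTRATORS", "BU": "BUILTIN_USERS", "SY": "LOCAL_SYSTEM",
               "WD": "EVERYONE", "AN": "ANONYMOUS", "AU": "AUTHENTICATED_USERS"}  # subset of sid-token table
# Subset of the generic, standard and file rights tables. "WD" here is Write DAC, but EVERYONE
# in the SID field: every token is resolved against the table that belongs to its own field.
RIGHTS = {"GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000,
          "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
          "FA": 0x001F01FF, "FX": 0x001200A0, "FW": 0x00120116, "FR": 0x00120089}
SECTIONS = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}

def parse_sid(tok):  # sid-string = sid-token / sid-value; an unknown alias raises KeyError
    return tok if re.match(r"S-1-\d+(-\d+)+$", tok) else SID_ALIASES[tok]

def parse_rights(tok):  # ace-rights: "0x" hex number, or concatenated two-letter rights
    if tok.startswith("0x"):
        return int(tok, 16)
    pairs = [tok[i:i + 2] for i in range(0, len(tok), 2)]  # odd length leaves a 1-char tail
    return functools.reduce(lambda m, r: m | RIGHTS[r], pairs, 0)  # KeyError if unknown

def split_aces(text):  # bodies of balanced "(...)" groups; conditional ACEs nest parentheses
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        start = i if ch == "(" and depth == 0 else start
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            aces.append(text[start + 1:i])
        elif depth < 0:
            raise ValueError("unbalanced ')' in ACE list")
    if depth:
        raise ValueError("unbalanced '(' in ACE list")
    return aces

def parse_ace(body):  # ace / conditional-ace: type;flags;rights;guid;inherit-guid;sid[;(cond)]
    f = body.split(";", 6)
    if len(f) < 6:
        raise ValueError("ACE needs six ';'-separated fields: %r" % body)
    return {"type": f[0], "flags": re.findall("..", f[1]), "rights": parse_rights(f[2]),
            "object_guid": f[3], "inherit_guid": f[4], "sid": parse_sid(f[5]),
            "cond": f[6] if len(f) == 7 else None}  # cond-expr kept as text, not evaluated

def parse_sddl(sddl):  # O:/G:/D:/S: markers at parenthesis depth 0 delimit the four parts
    marks, depth, out = [], 0, {}
    for i, ch in enumerate(sddl):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch in SECTIONS and sddl[i + 1:i + 2] == ":":
            marks.append(i)
    for a, b in zip(marks, marks[1:] + [len(sddl)]):
        key, body = SECTIONS[sddl[a]], sddl[a + 2:b]
        if key in ("owner", "group"):
            out[key] = parse_sid(body)
        else:  # dacl-string / sacl-string = [acl-flag-string] [aces]
            flags, aces = re.match(r"((?:P|AR|AI)*)(.*)", body, re.S).groups()
            out[key] = {"flags": re.findall("P|AR|AI", flags),
                        "aces": [parse_ace(x) for x in split_aces(aces)]}
    return out
```

Calling parse_sddl on a constructed string such as 'O:BAG:SYD:PAI(A;OICI;FA;;;BA)(D;;WD;;;AN)S:(XA;;FR;;;AU;(@User.Title == "PM"))' yields the owner and group names, the DACL flags ["P", "AI"], and one dictionary per ACE with its rights mask resolved.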