Partager via


2.5.1.1 Syntax

An SDDL string is a single sequence of characters. The format can be ANSI or Unicode; the actual protocol MUST specify the character set that is used. Regardless of the character set used, the characters that can be used are alphanumeric and punctuation.

The format for an SDDL string is described by the following ABNF (as specified in [RFC5234]) grammar, where the elements are as shown here.<80>

 sddl = [owner-string]  [group-string]  [dacl-string]  [sacl-string]
 owner-string = "O:"  sid-string
 group-string = "G:"  sid-string
 dacl-string = "D:"  [acl-flag-string]  [aces]
 sacl-string = "S:"  [acl-flag-string]  [aces]
 sid-string = sid-token / sid-value
 sid-value = SID
    ;defined in section 2.4.2.1   
 sid-token = "DA"/ "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" / "LA" / "LG" / "AO" / "BO" / "PO" / "SO" / "AU" / "PS" / "CO" / "CG" / "SY" / "PU" / "WD" / "RE" / "IU" / "NU" / "SU" / "RC" / "WR" / "AN" / "SA" / "CA" / "RS" / "EA" / "PA" / "RU" / "LS" / "NS" / "RD" / "NO" / "MU" / "LU" / "IS" / "CY" / "OW" / "ER" / "RO" / "CD" / "AC" / "RA" / "ES" / "MS" / "UD" / "HA" / "CN" / "AA" / "RM" / "LW" / "ME" /"MP" /  "HI" / "SI"
 acl-flag-string = *acl-flag
 acl-flag = "P" / "AR" / "AI"
 aces = *(ace / conditional-ace / resource-attribute-ace)
 ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
 ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
 conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
 conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
 central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid ")"
 capid-value-sid = "S-1-17-" 1*SubAuthority 
   ; SubAuthority defined in section 2.4.2.1   
 resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / "S-1-1-0" ) ";(" attribute-data "))"
 attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
 TI-attr = "TI" "," attr-flags *("," int-64)
 TU-attr = "TU" "," attr-flags *("," uint-64)
 TS-attr = "TS" "," attr-flags *("," char-string)
 TD-attr = "TD" "," attr-flags *("," sid-string)
 TX-attr = "TX" "," attr-flags *("," octet-string)
 TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )
 attr-flags = "0x" ([*4HEXDIG  "00"] sys-attr-flags / *"0" sys-attr-flags / *"0" HEXDIG)
 sys-attr-flags = ( "0"/ "1" / "2" / "3" ) HEXDIG
 ace-flag-string = ace-flag  ace-flag-string / ""
 ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
 ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT )
   ; numeric values must fit within 64 bits
 text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
 generic-rights-string = generic-right / generic-rights-string / ""
 generic-right = "GA" / "GW" / "GR" / "GX"
 standard-rights-string = standard-right / standard-rights-string / ""
 standard-right = "WO" / "WD" / "RC" / "SD"
 object-specific-rights-string = object-specific-right / object-specific-rights-string / ""
 object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
 guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG
 ; The second option is the GUID of the object in the form 
 ; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Where each "X" is a Hex digit
 object-guid = guid
 inherit-object-guid = guid
 wspace = 1*(%x09-0D / %x20)
 term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
 ; multiple rules for cond-expr to represent different precedence of || and &&
 ; super-term and factor are intermediate rules and used only in this part of the grammar
 cond-expr = expr
 expr = super-term [wspace] *( "||" [wspace] super-term )
 super-term = factor [wspace] *( "&&" [wspace] factor )
 factor = term
 factor /= "(" [wspace] expr [wspace] ")"
 factor /= "!" [wspace] factor
 ;
 memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
 exists-op = ( "Exists" / "Not_exists") wspace attr-name
 rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) 
   ; only scalars
 rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] ( attr-name2 / value-array )
   ; scalar or list
 contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)
 anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
 attr-name1 = attr-char1 *(attr-char1 / "@")  
   ; old simple name
 attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
 attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 
   ; new prefixed name form
 attr-char2 = attr-char1 / lit-char
 attr-name = attr-name1 / attr-name2   
   ; either name form
 sid-array = "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace]) "}"
 literal-SID = "SID(" sid-string ")"
 value-array = value [wspace] / "{" [wspace] value [wspace] *("," [wspace] value [wspace]) "}"
 value = int-64 / char-string / octet-string
 int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT
   ; values must fit within 64 bits in two's complement form
 uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT  
   ; values must fit within 64 bits
 char-string = DQUOTE *(CHAR) DQUOTE
 octet-string = "#" *(2HEXDIG)
 lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / ( "%" 4HEXDIG)
   ; 4HEXDIG can have any value except 0000 (NULL)

sid-token: An abbreviated form of a well-known SID, per the following table.

SDDL alias

Well-Known SID name

"DA"

DOMAIN_ADMINS

"DG"

DOMAIN_GUESTS

"DU"

DOMAIN_USERS

"ED"

ENTERPRISE_DOMAIN_CONTROLLERS

"DD"

DOMAIN_DOMAIN_CONTROLLERS

"DC"

DOMAIN_COMPUTERS

"BA"

BUILTIN_ADMINISTRATORS

"BG"

BUILTIN_GUESTS

"BU"

BUILTIN_USERS

"LA"

ADMINISTRATOR<81>

"LG"

GUEST

"AO"

ACCOUNT_OPERATORS

"BO"

BACKUP_OPERATORS

"PO"

PRINTER_OPERATORS

"SO"

SERVER_OPERATORS

"AU"

AUTHENTICATED_USERS

"PS"

PRINCIPAL_SELF

"CO"

CREATOR_OWNER

"CG"

CREATOR_GROUP

"SY"

LOCAL_SYSTEM

"PU"

POWER_USERS

"WD"

EVERYONE

"RE"

REPLICATOR

"IU"

INTERACTIVE

"NU"

NETWORK

"SU"

SERVICE

"RC"

RESTRICTED_CODE

"WR"

WRITE_RESTRICTED_CODE

"AN"

ANONYMOUS

"SA"

SCHEMA_ADMINISTRATORS

"CA"

CERT_PUBLISHERS

"RS"

RAS_SERVERS

"EA"

ENTERPRISE_ADMINS

"PA"

GROUP_POLICY_CREATOR_OWNER

"RU"

ALIAS_PREW2KCOMPACC

"LS"

LOCAL_SERVICE

"NS"

NETWORK_SERVICE

"RD"

REMOTE_DESKTOP

"NO"

NETWORK_CONFIGURATION_OPS

"MU"

PERFMON_USERS

"LU"

PERFLOG_USERS

"IS"

IIS_USERS

"CY"

CRYPTO_OPERATORS

"OW"

OWNER_RIGHTS

"ER"

EVENT_LOG_READERS

"RO"

ENTERPRISE_RO_DCS

"CD"

CERTSVC_DCOM_ACCESS

"AC"

ALL_APP_PACKAGES

"RA"

RDS_REMOTE_ACCESS_SERVERS

"ES"

RDS_ENDPOINT_SERVERS

"MS"

RDS_MANAGEMENT_SERVERS

"UD"

USER_MODE_DRIVERS

"HA"

HYPER_V_ADMINS

"CN"

CLONEABLE_CONTROLLERS

"AA"

ACCESS_CONTROL_ASSISTANCE_OPS

"RM"

REMOTE_MANAGEMENT_USERS

"LW"

ML_LOW

"ME"

ML_MEDIUM

"MP"

ML MEDIUM PLUS

"HI"

ML_HIGH

"SI"

ML_SYSTEM

acl-flag: Flags for the SECURITY_DESCRIPTOR structure, context dependent on whether a SACL or DACL is being processed. These flags are derived from the SECURITY_DESCRIPTOR Control flags specified in section 2.4.6. "P" indicates Protected PS or PD flags from that section, "AR" corresponds to SC or DC, and "AI" indicates SI or DI.

ace-type: String that indicates the type of ACE that is being presented.

String

ACE type

"A"

Access Allowed

"D"

Access Denied

"AU"

Audit

"OA"

Object Access Allowed

"OD"

Object Access Denied

"OU"

Object Audit

"ML"

Mandatory Label

"SP"

Central Policy ID

conditional-ace-type: String that indicates the type of SDDL-supported conditional ACE that is being presented.<82>

String

ACE type

 Numeric value

"XA"

Access Allowed Callback

0x9

"XD"

Access Denied Callback

0xA

"XU"

Audit Callback

0xB

"ZA"

Object Access Allowed Callback

0xD

central-policy-ace: An ACE type that identifies a central policy to be applied to the resource. Also called a SYSTEM_SCOPED_POLICY_ID ACE (see section 2.4.4.16).<83>

capid-value-sid: A SID with an Authority value of 17 that refers to a CentralAccessPolicy within a CentralAccessPolicysList ([MS-GPCAP] section 3.2.1.1).<84>

resource-attribute-ace: An ACE type that defines a resource attribute (sometimes referred to as a resource property or resource claim.) See section 2.4.4.15.<85>

attribute-data: A string specifying the name of a resource attribute and data defining the type and value of the attribute. A resource attribute type can be identified with one of the following strings:<86>

String

Resource Attribute Type

"TI"

64-bit Integer

"TU"

Unsigned 64-bit integer

"TS"

String of Unicode characters

"TD"

A SID in string form

"TX"

A string of single byte (octet) values

"TB"

A string containing a Boolean value represented by a "1" (True) or a "0" (False.)

attr-flags: A 32-bit number containing flag values within a resource attribute. The bits 16-31 can contain custom values. Bits 0 through 15 are specified by sys-attr-flags.

sys-attr-flags: A two-byte integer that MAY be zero or any combination of the hexadecimal flag values of the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structure (section 2.4.10.1)

ace-flag-string: A set of ACE flags that define the behavior of the ACE. The strings correlate exactly to the flags as specified in section 2.4.4.1.

generic-rights-string: A set of generic user rights used to perform generic mappings to object-specific rights.

String

Access right

Hex value

"GR"

Generic Read

0x80000000

"GW"

Generic Write

0x40000000

"GX"

Generic Execute

0x20000000

"GA"

Generic All

0x10000000

standard-rights-string: A set of SDDL-supported standard user rights.

String

Access right

Hex value

"WO"

Write Owner

0x00080000

"WD"

Write DAC

0x00040000

"RC"

Read Control

0x00020000

"SD"

Delete

0x00010000

object-specific-rights-string: A set of object-specific rights; some common ones are shown, but the it is recommended that the reader consult a specific protocol for applicable values, if any, in that protocol.

String

Object type

Access right

Hex value

"FA"

File

File All Access

0x001F01FF

"FX"

File

File Execute

0x001200A0

"FW"

File

File Write

0x00120116

"FR"

File

File Read

0x00120089

"KA"

Registry Key

Key All Access

0x000F003F

"KR"

Registry Key

Key Read

0x00020019

"KX"

Registry Key

Key Execute

0x00020019

"KW"

Registry Key

Key Write

0x00020006

"CR"

Directory Object

Control Access

0x00000100

"LO"

Directory Object

List Object

0x00000080

"DT"

Directory Object

Delete Tree

0x00000040

"WP"

Directory Object

Write Property

0x00000020

"RP"

Directory Object

Read Property

0x00000010

"SW"

Directory Object

Self Write

0x00000008

"LC"

Directory Object

List Children

0x00000004

"DC"

Directory Object

Delete Child

0x00000002

"CC"

Directory Object

Create Child

0x00000001

term: A string specifying a stand-alone logical expression, which is the simplest form of conditional expression, or a part of a more complex conditional expression.

cond-expr: A conditional expression in textual form. Conditional expressions are specified in section 2.4.4.17.

memberof-op: A string identifying a Member_of type of operator as described in section 2.4.4.17.6. <87>

exists-op: A string identifying an exists type operator as described in section 2.4.4.17.7.

rel-op: A string specifying a binary relational operation containing an attribute name or reference, one of the following relational operators, "==" , "!=" , "<" , "<=" , ">" , ">=" (without quotes) identifying a relational operator as described in section 2.4.4.17.6, and an attribute name or literal value.

rel-op2: A string specifying a binary operator for certain operators that support set comparisons. The string contains an attribute name, a string specifying the operator, "==" or "!=", and a string specifying an array of values (value-array).<88>

contains-op: A string specifying a relational operator term using a Contains or Not_Contains operator.<89>

anyof-op: A string specifying a relational operator term using an Any_of or Not_Any_of operator.<90>

sid-array: A string representation of an array of string SIDs.

literal-SID: A string specifying a literal SID. A literal-SID MUST be prefixed by the string "SID" followed by a sid-value enclosed in parentheses.

attr-name1: A string representing a valid attribute name in simple form.<91> An attribute name in simple form MUST not begin with the "@" character and MUST be comprised only of characters defined by attr-char1. An example of an attribute in simple form is "Title" (without quotes.) See section 2.5.1.2.1.

attr-name2: A string representing a valid attribute name in @Prefixed form. An attribute name is in @Prefixed form when it is prefixed with the string "@User.", "@Device.", or "@Resource." and is comprised only of characters defined by attr-char2. An example of an attribute in @Prefixed form is "@User.Title" (without quotes.) See section 2.5.1.2.2.<92>

attr-char1: A character valid for use in an attribute name in simple form. Valid characters include any ALPHA or DIGIT (as specified in [RFC5234]) or any of the following: ":", ".", "/", "_".

attr-char2: A character valid for use in an attribute name in @Prefixed form. Valid characters include all ASCII and UNICODE characters of the range 0x0-0xFFFF. Characters MAY be encoded either as literals or be encoded with a five-character sequence %XXXX, where XXXX are hexadecimal digits that represent the corresponding 16-bit Unicode value of the character with the following exceptions:

  1. The following characters: "!", "&", "(", ")", ">", "<", "=", "|", "%", SP (space) and DQUOTE (as specified in [RFC5234]) MUST be encoded in the preceding five-character sequence.

  2. The following characters MUST be encoded as literals: "#", "$", "'", "*", "+", "-", ".", "/", ":", ";", "?", "@", "[", "\", "]", "^", "_", "`", "{", "}", "~" and any characters in the ASCII ranges 0x41-0x5A (A-Z), 0x61-0x7A (a-z) and 0x30-0x39 (0-9.)

value-array: A string specifying an array of values. A value-array can be a single value or a set of one or more comma-delineated values where the entire set of values is enclosed between the "{" and "}" symbols.