Platform SDK: Access Control

ACE Strings

The security descriptor definition language (SDDL) uses ACE strings in the DACL and SACL components of a security descriptor string.

As shown in the Security Descriptor String Format examples, each ACE in a security descriptor string is enclosed in parentheses. The fields of the ACE are in the following order and are separated by semicolons ( ; ).

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Fields

ace_type
A string that indicates the value of the AceType member of the ACE_HEADER structure. The ACE type string can be one of the following strings defined in sddl.h.
ACE type string

Constant in sddl.h

AceType value
"A" SDDL_ACCESS_ALLOWED ACCESS_ALLOWED_ACE_TYPE
"D" SDDL_ACCESS_DENIED ACCESS_DENIED_ACE_TYPE
"OA" SDDL_OBJECT_ACCESS_ALLOWED ACCESS_ALLOWED_OBJECT_ACE_TYPE
"OD" SDDL_OBJECT_ACCESS_DENIED ACCESS_DENIED_OBJECT_ACE_TYPE
"AU" SDDL_AUDIT SYSTEM_AUDIT_ACE_TYPE
"AL" SDDL_ALARM SYSTEM_ALARM_ACE_TYPE
"OU" SDDL_OBJECT_AUDIT SYSTEM_AUDIT_OBJECT_ACE_TYPE
"OL" SDDL_OBJECT_ALARM SYSTEM_ALARM_OBJECT_ACE_TYPE

ace_flags
A string that indicates the value of the AceFlags member of the ACE_HEADER structure. The ACE flags string can be a concatenation of the following strings defined in sddl.h.
ACE flags string

Constant in sddl.h

AceFlag value
"CI" SDDL_CONTAINER_INHERIT CONTAINER_INHERIT_ACE
"OI" SDDL_OBJECT_INHERIT OBJECT_INHERIT_ACE
"NP" SDDL_OBJECT_ACCESS_ALLOWED NO_PROPAGATE_INHERIT_ACE
"IO" SDDL_INHERIT_ONLY INHERIT_ONLY_ACE
"ID" SDDL_INHERITED INHERITED_ACE
"SA" SDDL_AUDIT_SUCCESS SUCCESSFUL_ACCESS_ACE_FLAG
"FA" SDDL_AUDIT_FAILURE FAILED_ACCESS_ACE_FLAG

rights
A string that indicates the access rights controlled by the ACE. This string can be a hexadecimal string representation of the access rights, such as "0x7800003F", or it can be a concatenation of the following strings.
Access rights string

Constant in sddl.h

Access right value
Generic access rights
"GA" SDDL_GENERIC_ALL GENERIC_ALL
"GR" SDDL_GENERIC_READ GENERIC_READ
"GW" SDDL_GENERIC_WRITE GENERIC_WRITE
"GX" SDDL_GENERIC_EXECUTE GENERIC_EXECUTE
Standard access rights
"RC" SDDL_READ_CONTROL READ_CONTROL
"SD" SDDL_STANDARD_DELETE DELETE
"WD" SDDL_WRITE_DAC WRITE_DAC
"WO" SDDL_WRITE_OWNER WRITE_OWNER
Directory service object access rights
"RP" SDDL_READ_PROPERTY ADS_RIGHT_DS_READ_PROP
"WP" SDDL_WRITE_PROPERTY ADS_RIGHT_DS_WRITE_PROP
"CC" SDDL_CREATE_CHILD ADS_RIGHT_DS_CREATE_CHILD
"DC" SDDL_DELETE_CHILD ADS_RIGHT_DS_DELETE_CHILD
"LC" SDDL_LIST_CHILDREN ADS_RIGHT_DS_LIST
"SW" SDDL_SELF_WRITE ADS_RIGHT_DS_SELF
"LO" SDDL_LIST_OBJECT ADS_RIGHT_DS_LIST_OBJECT
"DT" SDDL_DELETE_TREE ADS_RIGHT_DS_DELETE_TREE
"CR" SDDL_CONTROL_ACCESS ADS_RIGHT_DS_CONTROL_ACCESS
File access rights
"FA" SDDL_FILE_ALL FILE_ALL_ACCESS
"FR" SDDL_FILE_READ FILE_GENERIC_READ
"FW" SDDL_FILE_WRITE FILE_GENERIC_WRITE
"FX" SDDL_FILE_EXECUTE FILE_GENERIC_EXECUTE
Registry key access rights
"KA" SDDL_KEYL_ALL KEY_ALL_ACCESS
"KR" SDDL_KEY_READ KEY_READ
"KW" SDDL_KEY_WRITE KEY_WRITE
"KX" SDDL_KEY_EXECUTE KEY_EXECUTE

object_guid
A string representation of a GUID that indicates the value of the ObjectType member of an object-specific ACE structure, such as ACCESS_ALLOWED_OBJECT_ACE. The GUID string uses the format returned by the UuidToString function.
inherit_object_guid
A string representation of a GUID that indicates the value of the InheritedObjectType member of an object-specific ACE structure. The GUID string uses the UuidToString format.
account_sid
A SID string that identifies the trustee of the ACE.

Example

The following example shows an ACE string for an access-allowed ACE. It is not an object-specific ACE, so it has no information in the object_guid and inherit_object_guid fields. The ace_flags field is also empty, indicating that none of the ACE flags are set. 

(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)

This string describes the following ACE information.

AceType:       0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags:      0x00
Access Mask:   0x100e003f
                    READ_CONTROL
                    WRITE_DAC
                    WRITE_OWNER
                    GENERIC_ALL
                    Other access rights(0x0000003f)
Ace Sid      : (S-1-0-0)

See Also

Security Descriptor String Format, SID Strings

Built on Tuesday, February 08, 2000