Security Descriptor Description Language

Overview#

A Security Descriptor Description Language (SDDL) string is a single sequence of characters.

The format can be ANSI or Unicode; the actual protocol MUST specify the character set that is used. Regardless of the character set used, the characters that can be used are alphanumeric and punctuation.

The format for an SDDL string is described by the following ABNF (as specified in RFC 5234) grammar, where the elements are:

sddl = [owner-string] [group-string] [dacl-string] [sacl-string]
owner-string = "O:" sid-string
group-string = "G:" sid-string
dacl-string = "D:" [acl-flag-string] [aces]
sacl-string = "S:" [acl-flag-string] [aces]
sid-string = sid-token / sid-value
sid-value = SID ; defined in section 2.4.2.1
sid-token = "DA" / "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" /
  "LA" / "LG" / "AO" / "BO" / "PO" / "SO" / "AU" / "PS" / "CO" / "CG" / "SY" /
  "PU" / "WD" / "RE" / "IU" / "NU" / "SU" / "RC" / "WR" / "AN" / "SA" / "CA" /
  "RS" / "EA" / "PA" / "RU" / "LS" / "NS" / "RD" / "NO" / "MU" / "LU" / "IS" /
  "CY" / "OW" / "ER" / "RO" / "CD" / "AC" / "RA" / "ES" / "MS" / "UD" / "HA" /
  "CN" / "AA" / "RM" / "LW" / "ME" / "MP" / "HI" / "SI"
acl-flag-string = *acl-flag
acl-flag = "P" / "AR" / "AI"
aces = *(ace / conditional-ace / resource-attribute-ace)
ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights
";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid ")"
capid-value-sid = "S-1-17-" 1*SubAuthority ; SubAuthority defined in section 2.4.2.1
resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / "S-1-1-0" ) ";(" attribute-data "))"
attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
TI-attr = "TI" "," attr-flags *("," int-64)
TU-attr = "TU" "," attr-flags *("," uint-64)
TS-attr = "TS" "," attr-flags *("," char-string)
TD-attr = "TD" "," attr-flags *("," sid-string)
TX-attr = "TX" "," attr-flags *("," octet-string)
TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )
attr-flags = "0x" ([*4HEXDIG "00"] sys-attr-flags / *"0" sys-attr-flags / *"0" HEXDIG)
sys-attr-flags = ( "0" / "1" / <further alternatives not preserved in this copy> )
ace-flag-string = ace-flag ace-flag-string / ""
ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT )
      ; numeric values must fit within 64 bits
text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
generic-rights-string = generic-right / generic-rights-string / ""
    generic-right = "GA" / "GW" / "GR" / "GX"
standard-rights-string = standard-right / standard-rights-string / ""
standard-right = "WO" / "WD" / "RC" / "SD"
object-specific-rights-string = object-specific-right / object-specific-rights-string / ""
object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG
; The second option is the GUID of the object in the form
; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Where each "X" is a Hex digit
    object-guid = guid
    inherit-object-guid = guid
    wspace = 1*(%x09-0D / %x20)
term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
cond-expr = term / term [wspace] ("||" / "&&" ) [wspace] cond-expr / (["!"] [wspace] "(" cond-expr ")")
memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
exists-op = ( "Exists" / "Not_exists") wspace attr-name
rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] ( attr-name2 / value-array ) ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)
anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
attr-name1 = attr-char1 *(attr-char1 / "@") ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 ; new prefixed name form
attr-char2 = attr-char1 / lit-char
attr-name = attr-name1 / attr-name2
  ; either name form
sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace]) "}"
literal-SID = "SID(" sid-string ")"
value-array = value [wspace] / "{" [wspace] value [wspace] *("," [wspace] value [wspace]) "}"
value = int-64 / char-string / octet-string
int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits in two's complement form
uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits
char-string = DQUOTE *(CHAR) DQUOTE
octet-string = "#" *(2HEXDIG)
lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF /
( "%" 4HEXDIG)
; 4HEXDIG can have any value except 0000 (NULL)

More Information#

There might be more information for this subject on one of the following: