Overview#
The Security Descriptor Description Language (SDDL; the Win32 documentation calls it the Security Descriptor Definition Language) defines the string format used to describe a security descriptor as a single sequence of characters. The string can be ANSI or Unicode; the protocol that carries it MUST specify which character set is used. Regardless of the character set, the characters used are alphanumeric and punctuation.
The format of an SDDL string is described by the following ABNF grammar (as specified in RFC 5234), taken from MS-DTYP section 2.5.1; the section references inside the grammar point into MS-DTYP. The elements are:
sddl = [owner-string] [group-string] [dacl-string] [sacl-string]
owner-string = "O:" sid-string
group-string = "G:" sid-string
dacl-string = "D:" [acl-flag-string] [aces]
sacl-string = "S:" [acl-flag-string] [aces]
sid-string = sid-token / sid-value
sid-value = SID ; defined in section 2.4.2.1
sid-token = "DA" / "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" / "LA" / "LG" / "AO" / "BO" / "PO" / "SO" / "AU" / "PS" / "PU" / "WD" / "RE" / "IU" / "NU" / "SU" / "RC" / "WR" / "RS" / "EA" / "PA" / "RU" / "LS" / "NS" / "RD" / "NO" / "CY" / "OW" / "ER" / "RO" / "CD" / "AC" / "RA" / "ES" / "CN" / "AA" / "RM" / "LW" / "ME" / "MP" / "HI" / "SI" / "CO" / "AN" / "MU" / "MS" / "CG" / "SY" / "SA" / "CA" / "LU" / "IS" / "UD" / "HA"
acl-flag-string = *acl-flag
acl-flag = "P" / "AR" / "AI"
aces = *(ace / conditional-ace / resource-attribute-ace)
ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid ")"
capid-value-sid = "S-1-17-" 1*SubAuthority ; SubAuthority defined in section 2.4.2.1
resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / "S-1-1-0" ) ";(" attribute-data "))"
attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
TI-attr = "TI" "," attr-flags *("," int-64)
TU-attr = "TU" "," attr-flags *("," uint-64)
TS-attr = "TS" "," attr-flags *("," char-string)
TD-attr = "TD" "," attr-flags *("," sid-string)
TX-attr = "TX" "," attr-flags *("," octet-string)
TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ))
attr-flags = "0x" ([*4HEXDIG "00"] sys-attr-flags / *"0" sys-attr-flags / *"0" HEXDIG)
sys-attr-flags = ( "0" / "1" / ; the remainder of this rule is cut off on this page
ace-flag-string = ace-flag ace-flag-string / ""
ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT) ; numeric values must fit within 64 bits
text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
generic-rights-string = generic-right generic-rights-string / ""
generic-right = "GA" / "GW" / "GR" / "GX"
standard-rights-string = standard-right standard-rights-string / ""
standard-right = "WO" / "WD" / "RC" / "SD"
object-specific-rights-string = object-specific-right object-specific-rights-string / ""
object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG ; the second option is the GUID of the object in the form "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", where each "X" is a hex digit
object-guid = guid
inherit-object-guid = guid
wspace = 1*(%x09-0D / %x20)
term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
cond-expr = term / term [wspace] ("||" / "&&") [wspace] cond-expr / (["!"] [wspace] "(" cond-expr ")")
memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
exists-op = ( "Exists" / "Not_exists" ) wspace attr-name
rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] (attr-name2 / value-array) ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)
anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
attr-name1 = attr-char1 *(attr-char1 / "@") ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 ; new prefixed name form
attr-char2 = attr-char1 / lit-char
attr-name = attr-name1 / attr-name2 ; either name form
sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *("," [wspace] literal-SID [wspace]) "}"
literal-SID = "SID(" sid-string ")"
value-array = value [wspace] / "{" [wspace] value [wspace] *("," [wspace] value [wspace]) "}"
value = int-64 / char-string / octet-string
int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits in two's complement form
uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits
char-string = DQUOTE *(CHAR) DQUOTE
octet-string = "#" *(2HEXDIG)
lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / ( "%" 4HEXDIG ) ; 4HEXDIG can have any value except 0000 (NULL)
More Information#
There might be more information for this subject on one of the following:
- [#1] Security Descriptor Definition Language (based on information obtained 2018-10-05)
- [#2] Security_Descriptor_Definition_Language (based on information obtained 2018-10-05)