Overview#
Security Descriptor Description Language (SDDL) string is a single sequence of characters.The format can be ANSI or Unicode; the actual protocol MUST specify the character set that is used. Regardless of the character set used, the characters that can be used are alphanumeric and punctuation.
The format for an SDDL string is described by the following ABNF (as specified in RFC 5234) grammar, where the elements are:
sddl = [owner-string] [group-string] [dacl-string] [sacl-string] owner-string = "O:" sid-string
group-string = "G:" sid-string
dacl-string = "D:" [acl-flag-string] [aces]
sacl-string = "S:" [acl-flag-string] [aces]
sid-string = sid-token / sid-value
sid-value = SID;defined in section 2.4.2.1
sid-token = "DA"/ "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" /
"LA" / "LG" / "AO" / "BO" / "PO" / "SO" / "AU" / "PS" "PU" / "WD" / "RE" / "IU" / "NU" / "SU" / "RC" / "WR" "RS" / "EA" / "PA" / "RU" / "LS" / "NS" / "RD" / "NO" "CY" / "OW" / "ER" / "RO" / "CD" / "AC" / "RA" / "ES" "CN"/"AA"/"RM"/"LW"/"ME"/"MP"/ "HI"/"SI"
acl-flag-string = *acl-flag
acl-flag = "P" / "AR" / "AI"
/ "CO" /
/ "AN" /
/ "MU" /
/ "MS" /
"CG" / "SY" /
"SA" / "CA" /
"LU" / "IS" /
"UD" / "HA" /
aces = *(ace / conditional-ace / resource-attribute-ace)
ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights
";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid")"
capid-value-sid = "S-1-17-" 1*SubAuthority ; SubAuthority defined in section 2.4.2.1
resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" /
"S-1-1-0" ) ";(" attribute-data "))"
attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
*("," int-64)
*("," uint-64)
*("," char-string)
*("," sid-string)
*("," octet-string)
*("," ( "0" / "1" ) )
"00"] sys-attr-flags / *"0" sys-attr-flags /
TI-attr = "TI" "," attr-flags
TU-attr = "TU" "," attr-flags
TS-attr = "TS" "," attr-flags
TD-attr = "TD" "," attr-flags
TX-attr = "TX" "," attr-flags
TB-attr = "TB" "," attr-flags
attr-flags = "0x" ([*4HEXDIG
*"0" HEXDIG)
sys-attr-flags = ( "0"/ "1" /
ace-flag-string = ace-flag ace-flag-string / "" ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT )
; numeric values must fit within 64 bits
text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
generic-rights-string = generic-right / generic-rights-string / ""
generic-right = "GA" / "GW" / "GR" / "GX"
standard-rights-string = standard-right / standard-rights-string / ""
standard-right = "WO" / "WD" / "RC" / "SD"
object-specific-rights-string = object-specific-right / object-specific- rights-string / ""
object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG
; The second option is the GUID of the object in the form
; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Where each "X" is a Hex digit
object-guid = guid
inherit-object-guid = guid
wspace = 1*(%x09-0D / %x20)
term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
cond-expr = term / term [wspace] ("||" / "&&" ) [wspace] cond-expr / (["!"] [wspace] "(" cond-expr ")")
memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
exists-op = ( "Exists" / "Not_exists") wspace attr-name
rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] ( attr-name2 / value-array ) ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value- array)
anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
attr-name1 = attr-char1 *(attr-char1 / "@") ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 ; new prefixed name form
attr-char2 = attr-char1 / lit-char
attr-name = attr-name1 / attr-name2
; either name form
sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal- SID [wspace]) "}"
literal-SID = "SID(" sid-string ")"
value-array = value [wspace] / "{" [wspace]
value = int-64 / char-string / octet-string
int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" ; values must fit within 64 bits in two's
uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) ; values must fit within 64 bits
char-string = DQUOTE *(CHAR) DQUOTE octet-string = "#" *(2HEXDIG)
value [wspace] *("," [wspace] value [wspace]) "}"
1*%x30-37) / 1*DIGIT
complement form
/ 1*DIGIT
lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF /
( "%" 4HEXDIG)
; 4HEXDIG can have any value except 0000 (NULL)
