!!! Overview
[{$pagename}] ([SDDL]) defines the [string] format that is used to describe a [Security Descriptor] as a single sequence of characters. The format can be [ANSI] or [Unicode]; the actual [protocol] [MUST] specify the character set that is used. Regardless of the character set used, the characters that can appear are alphanumeric and punctuation. The format of an SDDL [string] is described by the following [ABNF] (as specified in [RFC 5234]) grammar, where the elements are:

%%prettify 
{{{
sddl = [owner-string] [group-string] [dacl-string] [sacl-string]
owner-string = "O:" sid-string
group-string = "G:" sid-string
dacl-string = "D:" [acl-flag-string] [aces]
sacl-string = "S:" [acl-flag-string] [aces]
sid-string = sid-token / sid-value
sid-value = SID ; defined in section 2.4.2.1 of the source specification
sid-token = "DA" / "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" /
"LA" / "LG" / "AO" / "BO" / "PO" / "SO" / "AU" / "PS" / "PU" / "WD" / "RE" / "IU" / "NU" / "SU" / "RC" / "WR" / "RS" / "EA" / "PA" / "RU" / "LS" / "NS" / "RD" / "NO" / "CY" / "OW" / "ER" / "RO" / "CD" / "AC" / "RA" / "ES" / "CN" / "AA" / "RM" / "LW" / "ME" / "MP" / "HI" / "SI" /
"CO" / "AN" / "MU" / "MS" / "CG" / "SY" / "SA" / "CA" / "LU" / "IS" / "UD" / "HA"
; the last twelve tokens were printed in a second column of the source document and had been displaced into the acl-flag rule below
acl-flag-string = *acl-flag
acl-flag = "P" / "AR" / "AI"
aces = *(ace / conditional-ace / resource-attribute-ace)
ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights
";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid ")"
capid-value-sid = "S-1-17-" 1*SubAuthority ; SubAuthority defined in section 2.4.2.1
resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / "S-1-1-0" ) ";(" attribute-data "))"
attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
    TI-attr = "TI" "," attr-flags *("," int-64)
    TU-attr = "TU" "," attr-flags *("," uint-64)
    TS-attr = "TS" "," attr-flags *("," char-string)
    TD-attr = "TD" "," attr-flags *("," sid-string)
    TX-attr = "TX" "," attr-flags *("," octet-string)
    TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )
    attr-flags = "0x" ([*4HEXDIG "00"] sys-attr-flags / *"0" sys-attr-flags / *"0" HEXDIG)
sys-attr-flags = ( "0"/ "1" / ; the remaining alternatives of this rule are missing from this copy of the grammar
ace-flag-string = ace-flag ace-flag-string / ""
ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT )
      ; numeric values must fit within 64 bits
text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
generic-rights-string = generic-right / generic-rights-string / ""
    generic-right = "GA" / "GW" / "GR" / "GX"
standard-rights-string = standard-right / standard-rights-string / ""
standard-right = "WO" / "WD" / "RC" / "SD"
object-specific-rights-string = object-specific-right / object-specific-rights-string / ""
object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG
; The second option is the GUID of the object in the form
; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" Where each "X" is a Hex digit
    object-guid = guid
    inherit-object-guid = guid
    wspace = 1*(%x09-0D / %x20)
term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
cond-expr = term / term [wspace] ("||" / "&&" ) [wspace] cond-expr / (["!"] [wspace] "(" cond-expr ")")
memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
exists-op = ( "Exists" / "Not_exists") wspace attr-name
rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] ( attr-name2 / value-array ) ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)
anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
attr-name1 = attr-char1 *(attr-char1 / "@") ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 ; new prefixed name form
attr-char2 = attr-char1 / lit-char
attr-name = attr-name1 / attr-name2 ; either name form
sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace]) "}"
literal-SID = "SID(" sid-string ")"
value-array = value [wspace] / "{" [wspace] value [wspace] *("," [wspace] value [wspace]) "}"
value = int-64 / char-string / octet-string
int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits in two's complement form
uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits
char-string = DQUOTE *(CHAR) DQUOTE
octet-string = "#" *(2HEXDIG)
lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF /
( "%" 4HEXDIG)
; 4HEXDIG can have any value except 0000 (NULL)
}}} 
/%

!! More Information
There may be more information on this subject on one of the following pages:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Security Descriptor Definition Language|https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/security-descriptor-definition-language|target='_blank'] - based on information obtained 2018-10-05
* [#2] - [Security_Descriptor_Definition_Language|Wikipedia:Security_Descriptor_Definition_Language|target='_blank'] - based on information obtained 2018-10-05