2.4.4.17 Conditional ACEs

Conditional ACEs are a form of CALLBACK ACEs with a special format of the application data. A Conditional ACE allows a conditional expression to be evaluated when an access check (as specified in section 2.5.3.2) is performed.<56>

The following ACE types can be formatted as a Conditional ACE:

• ACCESS_ALLOWED_CALLBACK_ACE

• ACCESS_ALLOWED_CALLBACK_OBJECT_ACE

• ACCESS_DENIED_CALLBACK_ACE

• ACCESS_DENIED_CALLBACK_OBJECT_ACE

• SYSTEM_AUDIT_CALLBACK_ACE

• SYSTEM_AUDIT_CALLBACK_OBJECT_ACE

A Conditional ACE is a CALLBACK ACE in which the first four bytes of the ApplicationData field in the CALLBACK ACE structure are set to the following byte value sequence: 0x61  0x72  0x74  0x78. The remaining contents of the ApplicationData field specify a conditional expression. The conditional expression language constructs and binary representation are defined in this section.

The security descriptor definition language (SDDL) (section 2.5.1) provides syntax for defining conditional ACEs in a string format in section 2.5.1.1.