Appendix A: SDDL for Mandatory Labels

The SDDL is a convenient way to represent access permissions in a string format. SDDL defines ACE strings and SID strings to represent fields of access control entries. You can use the ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor functions to convert the mandatory label ACE from a binary to a string format and back.

The definitions for SDDL strings are in the header file, sddl.h.

The SDDL string for a mandatory label ACE is defined as follows:

#define SDDL_MANDATORY_LABEL        TEXT("ML") // Integrity label
The SDDL strings for the mandatory label policy flags, which are in the access mask, are the following:
#define SDDL_NO_WRITE_UP          TEXT("NW")
#define SDDL_NO_READ_UP           TEXT("NR")
#define SDDL_NO_EXECUTE_UP         TEXT("NX")
The SDDL SID strings for the integrity levels are the following:
#define SDDL_ML_LOW          TEXT("LW")
#define SDDL_ML_MEDIUM          TEXT("ME")
#define SDDL_ML_HIGH          TEXT("HI")
#define SDDL_ML_SYSTEM          TEXT("SI")

An example of the SDDL for a mandatory label ACE in a SACL that specifies NO_WRITE_UP policy for low integrity level is the following: S:(ML;;NW;;;LW).

You can use SDDL strings with the ConvertStringSecurityDescriptorToSecurityDescriptor function to initialize a security descriptor with an explicit mandatory label that can be used as the security attributes parameter when creating a new object, such as a file, using CreateFile.


When using ConvertSecurityDescriptorToStringSecurityDescriptor, specify the new security information flag, LABEL_SECURITY_INFORMATION, in order to convert an explicit mandatory label into the SDDL string equivalent. Without the LABEL_SECURITY_INFORMATION flag, a mandatory label, if it exists, will not show up in the SACL portion of the string.