Sun Identity Manager 8.1 Resources Reference

Managing ACL Lists

The nTSecurityDescriptor and the msExchMailboxSecurityDescriptor attribute values contain ACL lists that you must specify in a special way.

For example, the following shows a user form a company might use to assign a default set of permissions to each user they provision:

<Field name='attributes[AD].nTSecurityDescriptor' hidden='true'>
   <Expansion>
      <list>
         <s>Domain Admins|983551|0|0|NULL|NULL</s>
         <s>NT AUTHORITY\SYSTEM|983551|0|0|NULL|NULL</s>
         <s>Account Operators|983551|0|0|NULL|NULL</s>
         <s>NT AUTHORITY\Authenticated Users|131220|0|0|NULL|NULL</s>
         <s>NT AUTHORITY\Authenticated Users|256|5|0|{AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>
         <s>NT AUTHORITY\SELF|131220|0|0|NULL|NULL</s>
      </list>
   </Expansion>
</Field>

The entries in the nTSecurityDescriptor list are in the following format:

Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType
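The following Python sketch is an added example, not part of the original reference or of Identity Manager. It parses entries in this format and reports the allow entries that grant WRITE_DAC or WRITE_OWNER, so a default ACL can be reviewed before a form is deployed. It assumes that Mask and aceType carry the standard Windows ADS_RIGHTS_ENUM and ADS_ACETYPE_ENUM values; the function names and the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <list> from the form above, line-wrapped entry included.
FORM_LIST = r"""<list>
  <s>Domain Admins|983551|0|0|NULL|NULL</s>
  <s>NT AUTHORITY\SYSTEM|983551|0|0|NULL|NULL</s>
  <s>Account Operators|983551|0|0|NULL|NULL</s>
  <s>NT AUTHORITY\Authenticated Users|131220|0|0|NULL|NULL</s>
  <s>NT AUTHORITY\Authenticated Users|256|5|0|
{AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>
  <s>NT AUTHORITY\SELF|131220|0|0|NULL|NULL</s>
</list>"""

# Assumption: Mask and aceType use Windows ADS_RIGHTS_ENUM / ADS_ACETYPE_ENUM values.
RIGHTS = {
    0x1: "DS_CREATE_CHILD", 0x2: "DS_DELETE_CHILD", 0x4: "ACTRL_DS_LIST",
    0x8: "DS_SELF", 0x10: "DS_READ_PROP", 0x20: "DS_WRITE_PROP",
    0x40: "DS_DELETE_TREE", 0x80: "DS_LIST_OBJECT", 0x100: "DS_CONTROL_ACCESS",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT"}
SENSITIVE = 0x40000 | 0x80000  # WRITE_DAC | WRITE_OWNER: can re-permission the object

def parse_entry(text):
    """Split one Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType entry."""
    fields = [f.strip() for f in text.split("|")]  # strip() absorbs line wraps
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {text!r}")
    trustee, mask, ace_type, ace_flags, obj, inherited = fields
    mask, ace_type = int(mask), int(ace_type)
    return {
        "trustee": trustee, "mask": mask, "ace_flags": int(ace_flags),
        "rights": [name for bit, name in RIGHTS.items() if mask & bit],
        "unknown_bits": mask & ~sum(RIGHTS),  # bits not named in RIGHTS
        "ace_type": ACE_TYPES.get(ace_type, f"UNKNOWN({ace_type})"),
        "object_type": None if obj == "NULL" else obj,
        "inherited_object_type": None if inherited == "NULL" else inherited,
    }

def audit(xml_text):
    """Return the allow entries that grant WRITE_DAC or WRITE_OWNER."""
    entries = [parse_entry(s.text) for s in ET.fromstring(xml_text).iter("s")]
    return [e for e in entries
            if e["ace_type"].startswith("ACCESS_ALLOWED") and e["mask"] & SENSITIVE]

if __name__ == "__main__":
    print("\n".join(f'{e["trustee"]}: 0x{e["mask"]:X}' for e in audit(FORM_LIST)))
```

On the sample list, the three trustees with mask 983551 (0xF01FF) are reported, because that value includes both sensitive bits; the 131220 and 256 entries are not.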

Where:

The best way to find the correct string to pass down is to do the following: