Version: 1.3.0

ACL Decode

Parse Security

Synopsis

Extracts and decodes Access Control List (ACL) information from fields.

Schema

- acl_decode:
field: <ident>
target_field: <string>
format: <string>
resolve_identities: <boolean>
expand_rights: <boolean>
simplify_output: <boolean>
description: <text>
if: <script>
ignore_failure: <boolean>
ignore_missing: <boolean>
on_failure: <processor[]>
on_success: <processor[]>
tag: <string>

Configuration

The following fields are used to define the processor:

| Field | Required | Default | Description |
|---|---|---|---|
| field | Y | - | Source field containing ACL data to decode |
| target_field | N | {field}_decoded | Target field to store decoded ACL information |
| format | N | sddl | ACL format to decode (currently supports "sddl") |
| resolve_identities | N | false | Resolve SIDs to account names when possible |
| expand_rights | N | false | Expand generic rights to specific permissions |
| simplify_output | N | false | Generate simplified human-readable output |
| description | N | - | Explanatory note |
| if | N | - | Condition to run |
| ignore_failure | N | false | Continue processing if decoding fails |
| ignore_missing | N | false | Skip processing if referenced field doesn't exist |
| on_failure | N | - | See Handling Failures |
| on_success | N | - | See Handling Success |
| tag | N | - | Identifier |

Details

Decodes Access Control List (ACL) information from Security Descriptor Definition Language (SDDL) format strings. The processor extracts owner, group, DACL (Discretionary Access Control List), and SACL (System Access Control List) information from Windows security descriptors.

The processor supports various configuration options to control the level of detail in the output. By default, it provides a complete breakdown of ACL components with raw SID values and permission flags.

note

The processor currently supports SDDL format, which is the standard format used by Windows for representing security descriptors. Support for additional formats may be added in future versions.

When resolve_identities is enabled, the processor attempts to resolve well-known SID aliases (like "BA" for Administrators) to their readable names. The expand_rights option breaks down generic permissions into their constituent specific rights.
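As an added illustration (not the processor's own implementation), a small Python decoder that follows the output shape of this page's examples: it splits the O:/G:/D:/S: components, parses each ACE, resolves the well-known aliases this page uses, and rejects malformed input the way the processor does when ignore_failure is false. The alias, rights and flag tables are constructed subsets of the SDDL tables, and the function names are this example's own.

```python
import re

# Constructed subsets of the SDDL alias tables, covering the aliases this page uses.
WELL_KNOWN_SIDS = {"BA": "Administrators", "SY": "Local System", "BU": "Users", "AN": "Anonymous Logon"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
RIGHTS = {"FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE"}
ACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}

def _components(sddl):
    """Split 'O:..G:..D:..S:..' on its markers; in SDDL a colon only ever follows a marker letter."""
    marks = [(m.start(), m.group(1)) for m in re.finditer(r"([OGDS]):", sddl)]
    if not marks or marks[0][0] != 0:
        raise ValueError("not a valid SDDL string: %r" % sddl)
    ends = [pos for pos, _ in marks[1:]] + [len(sddl)]
    return {key: sddl[pos + 2:end] for (pos, key), end in zip(marks, ends)}

def _parse_acl(body, kind):
    """'PAI(A;;FA;;;SY)(A;;FR;;;BU)' -> ACL flags plus one dict per plain ACE
    (conditional and resource-attribute ACEs are out of scope here)."""
    flag_str = body.split("(", 1)[0]
    aces = []
    for index, ace in enumerate(re.findall(r"\(([^()]*)\)", body)):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % ace)
        ace_type, _, rights, _, _, sid = fields
        # Rights are concatenated two-letter abbreviations, or a raw hex access mask.
        decoded = ([rights] if rights.startswith("0x") else
                   [RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)])
        aces.append({"index": index, "type": ACE_TYPES.get(ace_type, ace_type),
                     "rights": decoded, "principal_sid": sid})
    flags = [ACL_FLAGS.get(f, f) for f in re.findall(r"AR|AI|P", flag_str)]
    return {"type": kind, "flags": flags, "aces": aces}

def decode_sddl(sddl):
    """Decode one SDDL string into the shape of the page's basic example."""
    comp = _components(sddl)
    decoded = {"sddl": sddl, "owner_sid": comp.get("O"), "group_sid": comp.get("G")}
    for key, kind in (("D", "dacl"), ("S", "sacl")):
        if key in comp:
            decoded[kind] = _parse_acl(comp[key], kind.upper())
    return decoded

def simplify(decoded):
    """Build the 'simplified' summary shown on the page, resolving well-known aliases."""
    name = lambda sid: WELL_KNOWN_SIDS.get(sid, sid)
    verb = {"ACCESS_ALLOWED": "Allow", "ACCESS_DENIED": "Deny"}
    perms = ["%s %s: %s" % (verb.get(a["type"], a["type"]), name(a["principal_sid"]), ", ".join(a["rights"]))
             for a in decoded.get("dacl", {}).get("aces", [])]
    return {"owner": name(decoded["owner_sid"]), "group": name(decoded["group_sid"]), "permissions": perms}
```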

warning

If the source field contains invalid or malformed ACL data, the processor will fail unless ignore_failure is set to true. Always ensure the input data is in valid SDDL format.

Examples

Basic SDDL Decoding

Decoding a Windows SDDL security descriptor...

{
"security_descriptor": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)"
}

- acl_decode:
field: security_descriptor
target_field: acl_info

creates structured ACL information:

{
"security_descriptor": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)",
"acl_info": {
"sddl": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)",
"owner_sid": "BA",
"group_sid": "SY",
"dacl": {
"type": "DACL",
"flags": [],
"aces": [
{
"index": 0,
"type": "ACCESS_ALLOWED",
"rights": ["FILE_ALL_ACCESS"],
"principal_sid": "SY"
},
{
"index": 1,
"type": "ACCESS_ALLOWED",
"rights": ["FILE_ALL_ACCESS"],
"principal_sid": "BA"
}
]
}
}
}

With Identity Resolution

Resolving SID aliases to readable names...

{
"acl": "O:BAG:SYD:(A;;FA;;;BA)(D;;FA;;;AN)"
}

- acl_decode:
field: acl
resolve_identities: true

includes resolved identity names:

{
"acl": "O:BAG:SYD:(A;;FA;;;BA)(D;;FA;;;AN)",
"acl_decoded": {
"owner": {
"sid": "BA",
"name": "Administrators",
"type": "well_known"
},
"group": {
"sid": "SY",
"name": "Local System",
"type": "well_known"
},
"dacl": {
"aces": [
{
"type": "ACCESS_ALLOWED",
"principal": {
"name": "Administrators"
}
}
]
}
}
}

Simplified Output

Generating human-readable simplified output...

{
"file_acl": "O:SYG:SYD:(A;;FA;;;SY)(A;;FR;;;BU)"
}

- acl_decode:
field: file_acl
resolve_identities: true
simplify_output: true

creates simplified permission summary:

{
"file_acl": "O:SYG:SYD:(A;;FA;;;SY)(A;;FR;;;BU)",
"file_acl_decoded": {
"simplified": {
"owner": "Local System",
"group": "Local System",
"permissions": [
"Allow Local System: FILE_ALL_ACCESS",
"Allow Users: FILE_GENERIC_READ"
]
}
}
}

Array Processing

Processing multiple ACL strings from an array...

{
"acl_list": [
"O:BAG:SYD:(A;;FA;;;BA)",
"O:SYG:SYD:(A;;FR;;;BU)"
]
}

- acl_decode:
field: acl_list
target_field: decoded_acls
resolve_identities: true

processes each ACL in the array:

{
"acl_list": [
"O:BAG:SYD:(A;;FA;;;BA)",
"O:SYG:SYD:(A;;FR;;;BU)"
],
"decoded_acls": [
{
"owner": {"name": "Administrators"},
"dacl": {"aces": [...]}
},
{
"owner": {"name": "Local System"},
"dacl": {"aces": [...]}
}
]
}