SID Format
A Security Identifier (SID) is a variable-length binary value that uniquely identifies a principal -- a user, group, service, machine, or well-known entity. SIDs are the fundamental identity primitive in KACS. They appear in tokens (as identity), in Security Descriptors (as access rules), and as references throughout the system.
§2.1.1 Binary format
A SID is encoded as a contiguous binary structure (MS-DTYP §2.4.2):
| Offset | Size | Field | Description |
|---|---|---|---|
| 0 | 1 | Revision | MUST be 1. |
| 1 | 1 | SubAuthorityCount | Number of sub-authorities. MUST be between 0 and 15 inclusive. |
| 2 | 6 | IdentifierAuthority | A 6-byte big-endian value identifying the authority that issued the SID. |
| 8 | 4 × SubAuthorityCount | SubAuthority[] | Array of 32-bit unsigned integers in little-endian byte order. |
The total size of a SID in bytes is 8 + (4 × SubAuthorityCount). The minimum size is 8 bytes (zero sub-authorities). The maximum size is 68 bytes (15 sub-authorities).
The last sub-authority in a SID is the Relative Identifier (RID) -- the portion that distinguishes individual principals within a domain.
§2.1.2 String format
SIDs are represented in string form as:
S-1-{authority}-{sub1}-{sub2}-...-{subN}
Where:
Sis a literal prefix.1is the revision number.{authority}is the IdentifierAuthority. If the upper 2 bytes are zero, this is the decimal representation of the lower 4 bytes. Otherwise, it is the lowercase hexadecimal representation of all 6 bytes, zero-padded to 12 hex digits and prefixed with0x.- Each
{subN}is the decimal representation of the corresponding 32-bit sub-authority.
S-1-5-18 (Local System), S-1-5-32-544 (BUILTIN\Administrators), S-1-5-21-3623811015-3361044348-30300820-1013 (a domain user).§2.1.3 Comparison
Two SIDs are equal if and only if their binary representations are byte-for-byte identical. Comparison MUST be performed on the binary encoding, not the string form. There is no case sensitivity, normalization, or equivalence relation -- equality is exact binary match.
§2.1.4 SID_AND_ATTRIBUTES
Groups, restricted SIDs, device groups, and confinement capabilities are stored as SID_AND_ATTRIBUTES structures -- a SID paired with a 32-bit attributes field.
| Field | Type | Description |
|---|---|---|
| Sid | SID | The security identifier. |
| Attributes | u32 | Bitfield controlling how the SID participates in access evaluation. |
The following attribute flags are defined:
| Flag | Value | Description |
|---|---|---|
| SE_GROUP_MANDATORY | 0x00000001 | The group cannot be disabled via AdjustGroups. |
| SE_GROUP_ENABLED_BY_DEFAULT | 0x00000002 | The group is enabled when the token is created. |
| SE_GROUP_ENABLED | 0x00000004 | The group is currently enabled for access checking. Allow ACEs match only enabled groups. |
| SE_GROUP_OWNER | 0x00000008 | The group can be set as the default owner for new objects. |
| SE_GROUP_USE_FOR_DENY_ONLY | 0x00000010 | The group matches deny ACEs but not allow ACEs. Set permanently by FilterToken; cannot be reverted. |
| SE_GROUP_INTEGRITY | 0x00000020 | Used to identify an integrity level SID. |
| SE_GROUP_INTEGRITY_ENABLED | 0x00000040 | Used with SE_GROUP_INTEGRITY. |
| SE_GROUP_LOGON_ID | 0xC0000000 | Identifies the logon SID -- the per-LogonSession SID generated at authentication time. Cannot be disabled. |
| SE_GROUP_RESOURCE | 0x20000000 | The group is a domain-local group from the resource domain. |
A group participates in allow-ACE matching only if SE_GROUP_ENABLED is set and SE_GROUP_USE_FOR_DENY_ONLY is not set. A group participates in deny-ACE matching if SE_GROUP_ENABLED is set OR SE_GROUP_USE_FOR_DENY_ONLY is set.
SE_GROUP_INTEGRITY and SE_GROUP_INTEGRITY_ENABLED are defined for SID_AND_ATTRIBUTES ABI/catalog parity. KACS MIC does not derive token integrity from normal group entries carrying those flags. Token integrity is the token's integrity_level field, and TokenIntegrityLevel queries return the corresponding binary S-1-16-* integrity SID directly.
SE_GROUP_RESOURCE is metadata on a supplied group SID identifying it as a domain-local group from the resource domain. KACS v0.22 does not synthesize, expand, or resolve resource-domain groups. AccessCheck treats a resource group as an ordinary group SID; allow and deny participation is still controlled by SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY.