2.4.4.17 Conditional ACEs
Conditional ACEs are a form of CALLBACK ACEs with a special format of the application data. A Conditional ACE allows a conditional expression to be evaluated when an access check (as specified in section 2.5.3.2) is performed.<56>
The following ACE types can be formatted as a Conditional ACE:
A Conditional ACE is a CALLBACK ACE in which the first four bytes of the ApplicationData field in the CALLBACK ACE structure are set to the following byte value sequence: 0x61 0x72 0x74 0x78. The remaining contents of the ApplicationData field specify a conditional expression. The conditional expression language constructs and binary representation are defined in this section.
The security descriptor definition language (SDDL) (section 2.5.1) provides a string-format syntax for defining conditional ACEs; see section 2.5.1.1.
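The signature test described above can be applied to a raw ACE when auditing a DACL or SACL. The following is an added example, not part of the specification: it assumes the non-object CALLBACK ACE layout (4-byte header, 4-byte Mask, variable-length Sid, then ApplicationData) and the ACE type values 0x09, 0x0A and 0x0D as defined in the ACE structure sections of the specification rather than in this section, and all function names are hypothetical.

```python
import struct

# Signature from this section: first four bytes of ApplicationData ("artx").
CONDITIONAL_SIGNATURE = bytes([0x61, 0x72, 0x74, 0x78])

# Assumption: non-object CALLBACK ACE types laid out as
# Header(4) | Mask(4) | Sid(variable) | ApplicationData.
CALLBACK_ACE_TYPES = {
    0x09: "ACCESS_ALLOWED_CALLBACK_ACE",
    0x0A: "ACCESS_DENIED_CALLBACK_ACE",
    0x0D: "SYSTEM_AUDIT_CALLBACK_ACE",
}
MIN_ACE_SIZE = 16  # header + mask + SID with zero sub-authorities


def application_data(ace: bytes) -> bytes:
    """Return the ApplicationData bytes of a non-object CALLBACK ACE."""
    if len(ace) < 4:
        raise ValueError("truncated ACE header")
    ace_type, _flags, ace_size = struct.unpack_from("<BBH", ace, 0)
    if ace_type not in CALLBACK_ACE_TYPES:
        raise ValueError(f"ACE type 0x{ace_type:02x} is not handled here")
    if not MIN_ACE_SIZE <= ace_size <= len(ace):
        raise ValueError("AceSize inconsistent with buffer length")
    # SID begins at offset 8; byte 9 is SubAuthorityCount.
    sid_end = 8 + 8 + 4 * ace[9]
    if sid_end > ace_size:
        raise ValueError("SID runs past AceSize")
    return ace[sid_end:ace_size]


def is_conditional_ace(ace: bytes) -> bool:
    """True when ApplicationData starts with the Conditional ACE signature."""
    return application_data(ace)[:4] == CONDITIONAL_SIGNATURE


def build_sample_ace(ace_type: int, app_data: bytes) -> bytes:
    """Constructed test input: ACE for SID S-1-1-0 with an arbitrary mask."""
    sid = bytes([1, 1]) + (1).to_bytes(6, "big") + struct.pack("<I", 0)
    body = struct.pack("<I", 0x00000001) + sid + app_data
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


if __name__ == "__main__":
    # The bytes after the signature are filler, not a valid expression.
    sample = build_sample_ace(0x09, CONDITIONAL_SIGNATURE + b"\x00" * 4)
    print(is_conditional_ace(sample))
```

A match on the signature only identifies the ACE as conditional; the expression that follows still has to be parsed and validated according to the binary representation defined in this section.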