2.4.4.17.3 Conditional ACE Applicability

If the result of evaluation of the conditional expression is FALSE, then the corresponding conditional ACE does not apply in the access check evaluation.

If the result of evaluation of the conditional expression is TRUE, then the conditional ACE applies in the access check evaluation. If the conditional ACE is an ACCESS_ALLOWED_CALLBACK_ACE type or an ACCESS_ALLOWED_CALLBACK_OBJECT_ACE type and the ACE applies, then the permissions in the Mask member of the ACE_HEADER structure are granted. If the conditional ACE is an ACCESS_DENIED_CALLBACK_ACE or an ACCESS_DENIED_CALLBACK_OBJECT_ACE and the ACE applies, then the permissions are denied in the access check evaluation.

If the result of the evaluation of the conditional expression is UNKNOWN and the conditional ACE is an ACCESS_ALLOWED_CALLBACK_ACE type, then the permissions in the Mask member variable are not granted by this ACE in the access check evaluation.

If the result of the evaluation of the conditional expression is UNKNOWN and the conditional ACE is an ACCESS_DENIED_CALLBACK_ACE type, then the permissions in the Mask member variable are denied in the access check evaluation.

If the result of the evaluation of the conditional expression is UNKNOWN and the conditional ACE is an ACCESS_ALLOWED_CALLBACK_OBJECT_ACE type, then the permissions in the Mask member variable SHOULD NOT be granted by this ACE in the access check evaluation.

If the result of the evaluation of the conditional expression is UNKNOWN and the conditional ACE is an ACCESS_DENIED_CALLBACK_OBJECT_ACE, then the permissions in the Mask member variable SHOULD be denied in the access check evaluation.
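The following added example (not part of the specification text) models these rules in a simplified ordered DACL walk, showing that UNKNOWN never grants and always denies. It assumes condition results are already evaluated, omits SID and object-type matching, and treats the SHOULD / SHOULD NOT behavior for object ACEs as followed; `Tri`, `ace_effect`, `access_check` and the sample DACL are constructed for illustration.

```python
from enum import Enum

class Tri(Enum):          # three-valued result of a conditional expression
    FALSE = 0
    TRUE = 1
    UNKNOWN = 2

# AceType values carried in ACE_HEADER for the four conditional ACE types
ACCESS_ALLOWED_CALLBACK_ACE_TYPE = 0x09
ACCESS_DENIED_CALLBACK_ACE_TYPE = 0x0A
ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE = 0x0B
ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE = 0x0C

ALLOW_TYPES = {ACCESS_ALLOWED_CALLBACK_ACE_TYPE, ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE}
DENY_TYPES = {ACCESS_DENIED_CALLBACK_ACE_TYPE, ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE}

def ace_effect(ace_type, result):
    """Return 'grant', 'deny' or 'skip' for one conditional ACE."""
    if ace_type in ALLOW_TYPES:
        # Only TRUE grants; FALSE does not apply, UNKNOWN is not granted.
        return "grant" if result is Tri.TRUE else "skip"
    if ace_type in DENY_TYPES:
        # Only FALSE is skipped; TRUE and UNKNOWN both deny.
        return "skip" if result is Tri.FALSE else "deny"
    raise ValueError(f"not a conditional ACE type: {ace_type:#x}")

def access_check(dacl, desired):
    """Simplified model: dacl is an ordered list of (ace_type, mask, result)."""
    remaining = desired
    for ace_type, mask, result in dacl:
        effect = ace_effect(ace_type, result)
        if effect == "deny" and mask & remaining:
            return False              # a still-needed right is denied
        if effect == "grant":
            remaining &= ~mask        # these rights are now satisfied
        if remaining == 0:
            return True
    return remaining == 0             # rights never granted stay denied

# Constructed sample: masks use FILE_READ_DATA (0x1) and FILE_WRITE_DATA (0x2).
READ, WRITE = 0x1, 0x2
SAMPLE_DACL = [
    (ACCESS_DENIED_CALLBACK_ACE_TYPE, WRITE, Tri.UNKNOWN),            # denies WRITE
    (ACCESS_ALLOWED_CALLBACK_ACE_TYPE, READ, Tri.UNKNOWN),            # grants nothing
    (ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE, READ | WRITE, Tri.TRUE),
]

if __name__ == "__main__":
    print("READ :", access_check(SAMPLE_DACL, READ))    # True
    print("WRITE:", access_check(SAMPLE_DACL, WRITE))   # False
```
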