2.4.4.17.6 Relational Operator Tokens
Each relational operator examines one or more attribute values and evaluates to TRUE, FALSE or UNKNOWN, according to the defined behavior of the operator in the following tables. In addition to the TRUE and FALSE values specified for each operator in the tables, each relational operator MUST return "UNKNOWN" if the attribute tested does not exist in the security context.
For all operators other than the relational operators ==, Contains, and Any_of, and the logical operator Exists, when multivalued attributes are on the left- and/or right-hand side of an operator, the operation will fail and produce an UNKNOWN value.
If any processing rule returns an error, then the entire conditional expression evaluates to UNKNOWN, regardless of the rest of the expression.
Unary Relational Operators
The operand type MUST be either a SID literal, or a composite, each of whose elements is a SID literal.
The operand for unary operators is the variable on the top of the evaluation stack as specified in the EvaluateAceCondition algorithm in section 2.5.3.1.5.
Token Type | Byte-Code | Processing
---|---|---
Member_of | 0x89 | SDDL Form: Member_of operand. Return TRUE if the SIDs[] array (section 2.5.2) contains all of the SIDs in the operand; FALSE otherwise.
Device_Member_of<57> | 0x8a | SDDL Form: Device_Member_of operand. Return TRUE if the DeviceSIDs[] array (section 2.5.2) contains all of the SIDs in the operand; FALSE otherwise.
Member_of_Any<58> | 0x8b | SDDL Form: Member_of_Any operand. Return TRUE if the SIDs[] array (section 2.5.2) contains any of the SIDs in the operand; FALSE otherwise.
Device_Member_of_Any<59> | 0x8c | SDDL Form: Device_Member_of_Any operand. Return TRUE if the DeviceSIDs[] array (section 2.5.2) contains any of the SIDs in the operand; FALSE otherwise.
Not_Member_of<60> | 0x90 | SDDL Form: Not_Member_of operand. Logical inverse of Member_of.
Not_Device_Member_of<61> | 0x91 | SDDL Form: Not_Device_Member_of operand. Logical inverse of Device_Member_of.
Not_Member_of_Any<62> | 0x92 | SDDL Form: Not_Member_of_Any operand. Logical inverse of Member_of_Any.
Not_Device_Member_of_Any<63> | 0x93 | SDDL Form: Not_Device_Member_of_Any operand. Logical inverse of Device_Member_of_Any.
Binary Relational Operators
Binary relational operators compare left-hand-side (LHS) and right-hand-side (RHS) operands. The LHS MUST contain an attribute name in simple or @Prefixed form.<64> The RHS MUST contain an attribute in @Prefixed form or literals representing values of the same value type as the attribute variable on the LHS. If the LHS and RHS operands are of different types, then the entire conditional expression evaluates to UNKNOWN. Note, however, that BOOLEAN values TRUE and FALSE can be compared to the literal integers "1" and "0", but only when using the == or != operators.
Relational operators that compare string and octet string values compare each string operand byte by byte, terminating when the compared bytes differ in value. If a string is a prefix of a string it is compared to, the longer string is considered greater. The comparison is case-insensitive, unless the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE flag value is set in the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structure (section 2.4.10.1).<65>
If the type of an operand is "Result Value" then the operation returns an error.
If the type of an operand is "Local Attribute", "Resource Attribute", "Device Attribute" or "User Attribute" and the value is null then the logical value of the operand is UNKNOWN.
If the value of either operand is UNKNOWN then the operation returns UNKNOWN.
In the following processing rules, the LHS is the second variable on the stack and the RHS is the top of the stack as specified in the EvaluateAceCondition algorithm in section 2.5.3.1.5.
Token Type | Byte-Code | Processing
---|---|---
== | 0x80 | SDDL Form: (LHS == RHS). MUST evaluate to TRUE if the argument on the RHS evaluates to the exact value (single or set value) of the argument on the LHS; otherwise, FALSE.
!= | 0x81 | SDDL Form: (LHS != RHS). MUST evaluate to FALSE if the argument on the RHS evaluates to the exact value of the argument on the LHS; otherwise, TRUE.
< | 0x82 | SDDL Form: (LHS < RHS). MUST evaluate to TRUE if the argument on the LHS is less than the argument on the RHS; otherwise, FALSE.
<= | 0x83 | SDDL Form: (LHS <= RHS). MUST evaluate to TRUE if the argument on the LHS is less than, or equal to, the argument on the RHS; otherwise, FALSE.
> | 0x84 | SDDL Form: (LHS > RHS). MUST evaluate to TRUE if the argument on the LHS is greater than the argument on the RHS; otherwise, FALSE.
>= | 0x85 | SDDL Form: (LHS >= RHS). MUST evaluate to TRUE if the argument on the LHS is greater than, or equal to, the argument on the RHS; otherwise, FALSE.
Contains | 0x86 | SDDL Form: LHS Contains RHS. LHS MUST be an attribute name in simple or @Prefixed form. RHS MUST be a set of one or more literals, or an attribute name in @Prefixed form. MUST evaluate to TRUE if the value(s) for the specified LHS include value(s) identical to each of the value(s) specified by the RHS; otherwise, FALSE.<66>
Any_of | 0x88 | SDDL Form: LHS Any_of RHS. LHS MUST be an attribute name in simple or @Prefixed form. RHS MUST be a set of one or more literals, or an attribute name in @Prefixed form. MUST evaluate to TRUE if the RHS value set includes one or more of the value(s) of the specified LHS; otherwise, FALSE. RHS can be either a set or a single value.<67>
Not_Contains<68> | 0x8e | SDDL Form: LHS Not_Contains RHS. Logical inverse of Contains.
Not_Any_of<69> | 0x8f | SDDL Form: LHS Not_Any_of RHS. Logical inverse of Any_of.
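As an added example (not text from this specification and not Windows code), the evaluator below implements the unary tokens of the first table and the binary tokens of the second together with the rules stated above them: tri-state results, UNKNOWN for a missing or null attribute, the multivalued restriction to ==, Contains and Any_of, the BOOLEAN versus 0/1 exception for == and != only, and the byte-by-byte, prefix-ranks-lower, case-folded-unless-flagged comparison of strings, all driven from a postfix stack in the manner of EvaluateAceCondition (section 2.5.3.1.5). The Attr and Context classes, the stripping of the @Prefix, the ASCII-only case folding, and every attribute name, value and SID in the sample context are assumptions made for illustration.

```python
# Added example, not MS-DTYP text or Windows code: a tri-state evaluator for the relational
# operator tokens in this section. Attribute names, values and SIDs below are constructed.
import operator
from enum import Enum

class Tri(Enum):
    TRUE = "TRUE"
    FALSE = "FALSE"
    UNKNOWN = "UNKNOWN"

def tri(b): return Tri.TRUE if b else Tri.FALSE
def invert(v): return v if v is Tri.UNKNOWN else tri(v is Tri.FALSE)  # Not_* tokens; UNKNOWN preserved

class Attr:  # claim attribute: vtype in {'int', 'bool', 'string', 'octet'}; >1 value = multivalued
    def __init__(self, vtype, values, case_sensitive=False):  # flag: CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
        self.vtype, self.values, self.case_sensitive = vtype, list(values), case_sensitive

class Context:  # named attributes plus the SIDs[] and DeviceSIDs[] arrays of section 2.5.2
    def __init__(self, attrs, sids, device_sids=()):
        self.attrs, self.sids, self.device_sids = attrs, set(sids), set(device_sids)

def resolve(operand, ctx):  # Attr literal or attribute name (@Prefix stripped); None = absent or null
    if isinstance(operand, Attr): return operand
    attr = ctx.attrs.get(operand.split(".", 1)[1] if operand.startswith("@") else operand)
    return attr if attr is not None and attr.values else None

def norm(attr, case_sensitive):
    # byte-by-byte compare (a proper prefix ranks lower), case folded unless flagged; ASCII-only fold here
    fold = attr.vtype in ("string", "octet") and not case_sensitive
    return [v.lower() if fold else v for v in attr.values]

ORDER = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def binary(op, lhs, rhs, ctx):
    if op in ("Not_Contains", "Not_Any_of"): return invert(binary(op[4:], lhs, rhs, ctx))
    L, R = resolve(lhs, ctx), resolve(rhs, ctx)
    if L is None or R is None: return Tri.UNKNOWN            # missing or null attribute
    if L.vtype != R.vtype:                                   # BOOLEAN vs 0/1 tolerated for == and != only
        bool_int = {L.vtype, R.vtype} == {"bool", "int"} and all(v in (0, 1) for v in L.values + R.values)
        if not (bool_int and op in ("==", "!=")):
            return Tri.UNKNOWN
    if op not in ("==", "Contains", "Any_of") and max(len(L.values), len(R.values)) > 1:
        return Tri.UNKNOWN                                   # multivalued operands allowed only there
    cs = L.case_sensitive or R.case_sensitive
    l, r = norm(L, cs), norm(R, cs)
    if op in ("==", "!="):                                   # exact single or set value
        return tri((sorted(l) == sorted(r)) == (op == "=="))
    if op == "Contains":
        return tri(all(v in l for v in r))
    if op == "Any_of":
        return tri(any(v in r for v in l))
    return tri(ORDER[op](l[0], r[0]))

def unary(op, sids, ctx):  # sids: a SID literal or a composite of SID literals
    if op.startswith("Not_"): return invert(unary(op[4:], sids, ctx))
    pool = ctx.device_sids if op.startswith("Device_") else ctx.sids
    return tri(bool(set(sids) & pool)) if op.endswith("_Any") else tri(set(sids) <= pool)

UNARY = {p + b for p in ("", "Not_") for b in ("Member_of", "Device_Member_of", "Member_of_Any", "Device_Member_of_Any")}
BINARY = {"==", "!=", "<", "<=", ">", ">=", "Contains", "Any_of", "Not_Contains", "Not_Any_of"}

def evaluate(tokens, ctx):
    # Postfix evaluation as in EvaluateAceCondition (2.5.3.1.5): binary tokens pop RHS (top) then LHS; any error -> UNKNOWN
    stack = []
    try:
        for tok in tokens:
            if isinstance(tok, str) and tok in UNARY:
                stack.append(unary(tok, stack.pop(), ctx))
            elif isinstance(tok, str) and tok in BINARY:
                rhs, lhs = stack.pop(), stack.pop()
                stack.append(binary(tok, lhs, rhs, ctx))
            else:
                stack.append(tok)
        (result,) = stack
        return result if isinstance(result, Tri) else Tri.UNKNOWN
    except (IndexError, ValueError, TypeError, KeyError):
        return Tri.UNKNOWN

SAMPLE = Context(  # constructed security context
    attrs={"Title": Attr("string", ["Analyst"]), "Project": Attr("string", ["Alpha", "Bravo"]),
           "Clearance": Attr("int", [3]), "Smartcard": Attr("bool", [True]),
           "Label": Attr("string", ["Secret"], case_sensitive=True)},
    sids=["S-1-5-21-1-2-3-1001", "S-1-5-32-545"], device_sids=["S-1-5-21-7-8-9-515"])

def demo():  # results keyed by the SDDL form of each constructed condition
    s, i = (lambda *v: Attr("string", v)), (lambda *v: Attr("int", v))
    return {
        "Member_of {S-1-5-32-545}": evaluate([["S-1-5-32-545"], "Member_of"], SAMPLE),
        'Title == "analyst"': evaluate(["Title", s("analyst"), "=="], SAMPLE),            # case folded
        'Title < "Analysts"': evaluate(["Title", s("Analysts"), "<"], SAMPLE),            # prefix ranks lower
        'Label == "secret"': evaluate(["Label", s("secret"), "=="], SAMPLE),              # case-sensitive flag
        'Project Contains {"alpha"}': evaluate(["Project", s("alpha"), "Contains"], SAMPLE),
        'Project < "Zulu"': evaluate(["Project", s("Zulu"), "<"], SAMPLE),                # multivalued -> UNKNOWN
        "Smartcard == 1": evaluate(["Smartcard", i(1), "=="], SAMPLE),                    # BOOLEAN vs 1
        "Smartcard > 0": evaluate(["Smartcard", i(0), ">"], SAMPLE),                      # types differ -> UNKNOWN
        '@User.Department == "x"': evaluate(["@User.Department", s("x"), "=="], SAMPLE),  # absent attribute
    }

if __name__ == "__main__":
    print(*(f"{cond:42} -> {res.value}" for cond, res in demo().items()), sep="\n")
```

Two design choices are worth noting. Not_Contains and Not_Any_of are evaluated as the logical inverse of Contains and Any_of, so they accept multivalued operands the way their base tokens do, whereas != follows the multivalued rule literally and yields UNKNOWN for a set on either side. The stack underflow produced by a malformed token stream is caught and reported as UNKNOWN, matching the rule that any processing error makes the whole conditional expression UNKNOWN.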