KSC Open API
Kaspersky Security Center API description
ACL structure 2

ACL structure

+--- (paramParams)
     +---allowed (paramArray) // list of allowed ACEs
     |   +---0(paramParams)
     |   |   +---account (paramParams) // information about user account, it may be internal user or OS user
     |   |   |   +---dn = (paramString)"<display name>"
     |   |   |   +---id = (paramString)"<WIN-SID>" // format: WIN-SID-<SID_as_uppercase_hex>
     |   |   |   +---userPrincipalName = (paramString)"<principal name>"
     |   |   +---permissions (paramArray)
     |   |   |   +---0 (paramParams)
     |   |   |   |   +---data (paramParams)
     |   |   |   |       +---<functional area>(paramParams) // see Functional areas
     |   |   |   |           +---operation_mask = (paramInt)<access mask> // see Access rights
     |   |   |   |           +---product = (paramString)"<product>" // see Functional areas
     |   |   |   |           +---version = (paramString)"<version>" // see Functional areas
     |   |   +---inerasable = (paramBool)<true|false> // if true, this ACE cannot be deleted from ACL through console
     |   |   +---read_only = (paramBool)<true|false> // if true, this ACE cannot be modified from ACL through console
     |   +---1 (paramParams)
     |       +---account (paramParams)
     |       |   +---dn = (paramString)
     |       |   +---kscInternalUserId = (paramInt)<id of internal user>
     |       +---permissions (paramArray)
     |           +---0 (paramParams)
     |           |   +---data (paramParams)
     |           |       +---<functional area> (paramParams)
     |           |           +---operation_mask = (paramInt)
     |           |           +---product = (paramString)
     |           |           +---version = (paramString)
     +---denied (paramArray) // list of denied ACEs
     |   +---0 (paramParams)
     |   |   +---account (paramParams)
     |   |   |   +---dn = (paramString)
     |   |   |   +---id = (paramString)
     |   |   |   +---objectGUID = (paramString)<guid> // AD objectGUID attribute as paramBinary; this attribute is mandatory for non-built-in AD accounts
     |   |   +---inerasable = (paramBool)<true|false>
     |   |   +---permissions (paramArray)
     |   |   |   +---0 (paramParams)
     |   |   |   |   +---data (paramParams)
     |   |   |   |       +---<functional area> (paramParams)
     |   |   |   |           +---operation_mask = (paramInt)
     |   |   |   |           +---product = (paramString)
     |   |   |   |           +---version = (paramString)
     +---roles (paramArray) // mapping of users to their roles
     |   +---0 (paramParams)
     |   |   +---account (paramParams)
     |   |   |   +---dn = (paramString)
     |   |   |   +---id = (paramString)
     |   |   |   +---userPrincipalName = (paramString)
     |   |   +---roles (paramArray)
     |   |   |   +---0 = (paramString)"<GUID of the role>"
     +---delete (paramArray) // users to delete from the ACL; used only with the HstAccessControl.ModifyScObjectAcl method
     |   +---0 (paramParams)
     |   |   +---account (paramParams)
     |   |   |   +---dn = (paramString)
     |   |   |   +---id = (paramString)
     |   |   |   +---userPrincipalName = (paramString)
     +---inherited = (paramBool)<true|false> // true means that the object has no ACL of its own and inherits the ACL of its parent
     

Structure of 'account' object:
For internal user:

     +---account (paramParams)
     |   +---dn = (paramString)"<display name>"
     |   +---kscInternalUserId = (paramInt)<id of internal user>
     

For OS user:

     +---account (paramParams)
     |   +---dn = (paramString)"<display name>"
     |   +---id = (paramString)"<WIN-SID>" // format: WIN-SID-<SID_as_uppercase_hex>
     |   +---kscInternalUserId = (paramInt)-1
     |   +---userPrincipalName = (paramString)"<principal name>"
     

For non-built-in AD accounts:

     +---account (paramParams)
     |   +---dn = (paramString)"<display name>"
     |   +---id = (paramString)"<WIN-SID>" // format: WIN-SID-<SID_as_uppercase_hex>
     |   +---objectGUID = (paramString)<guid> // AD objectGUID attribute as paramBinary; this attribute is mandatory for non-built-in AD accounts
     

If an ACE has 'inerasable' == true in any part of the ACL ('allowed', 'denied', or 'roles'), that user cannot be deleted from the ACL through the console.
If an ACE has 'read_only' == true in any part of the ACL ('allowed', 'denied', or 'roles'), that user's rights cannot be modified through the console.
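The following is an added example, not code from the KSC Open API or its SDK, that works with the ACL tree above, the three 'account' shapes, and the 'inerasable'/'read_only' rules. It mirrors the paramParams tree as plain Python data (paramParams as dict, paramArray as list, scalars as Python scalars), classifies an 'account' object by the fields this page says identify it, and resolves the operation mask an account ends up with for one functional area. The access-mask bit values, the functional area, product, version, WIN-SID and role GUID strings are all constructed placeholders (the real values live on the "Access rights" and "Functional areas" pages), and "denied bits override allowed bits" is an assumption of the example, since this page does not state the precedence.

```python
import re

# Constructed placeholder bit values for operation_mask; the real values are
# on the "Access rights" page and are not reproduced here.
MASK_READ = 0x1
MASK_WRITE = 0x2
MASK_EXECUTE = 0x4

_SID_RE = re.compile(r"^WIN-SID-[0-9A-F]+$")  # format given on this page


def account_kind(account: dict) -> str:
    """Return 'internal', 'os' or 'ad' using the field rules on this page."""
    if "objectGUID" in account:          # mandatory for non-built-in AD accounts
        return "ad"
    if account.get("kscInternalUserId", -1) != -1:
        return "internal"                # internal users carry a real id
    sid = account.get("id", "")
    if not _SID_RE.match(sid):           # OS user must carry a well-formed WIN-SID
        raise ValueError(f"malformed WIN-SID: {sid!r}")
    return "os"


def account_key(account: dict) -> tuple:
    """Identity used to match one account across allowed/denied/roles/delete."""
    if account_kind(account) == "internal":
        return ("internal", account["kscInternalUserId"])
    return ("sid", account["id"])


def _aces_for(acl: dict, section: str, account: dict) -> list:
    key = account_key(account)
    return [ace for ace in acl.get(section, []) if account_key(ace["account"]) == key]


def _mask_in(ace: dict, area: str, product: str, version: str) -> int:
    """OR together operation_mask of every permissions entry for one area."""
    mask = 0
    for perm in ace.get("permissions", []):
        entry = perm["data"].get(area)
        if entry and entry["product"] == product and entry["version"] == version:
            mask |= entry["operation_mask"]
    return mask


def effective_mask(acl: dict, account: dict, area: str, product: str, version: str):
    """Allowed bits minus denied bits for one functional area.

    Returns None when 'inherited' is true: the object has no ACL of its own,
    so the caller must resolve the parent's ACL instead. Deny-overrides-allow
    is an assumption of this example, not a rule stated on the page.
    """
    if acl.get("inherited"):
        return None
    allowed = denied = 0
    for ace in _aces_for(acl, "allowed", account):
        allowed |= _mask_in(ace, area, product, version)
    for ace in _aces_for(acl, "denied", account):
        denied |= _mask_in(ace, area, product, version)
    return allowed & ~denied


def roles_for(acl: dict, account: dict) -> list:
    """Role GUIDs mapped to the account in the 'roles' array."""
    return [r for ace in _aces_for(acl, "roles", account) for r in ace.get("roles", [])]


def console_can_delete(acl: dict, account: dict) -> bool:
    """False if any ACE for the account in allowed/denied/roles is inerasable."""
    return not any(ace.get("inerasable", False)
                   for s in ("allowed", "denied", "roles")
                   for ace in _aces_for(acl, s, account))


def console_can_modify(acl: dict, account: dict) -> bool:
    """False if any ACE for the account in allowed/denied/roles is read_only."""
    return not any(ace.get("read_only", False)
                   for s in ("allowed", "denied", "roles")
                   for ace in _aces_for(acl, s, account))


# ---- constructed sample data (not from any real KSC server) ----------------
AREA, PRODUCT, VERSION = "Sample area", "SampleProduct", "1.0.0.0"
OS_USER = {"dn": "Alice", "id": "WIN-SID-010500000000000515000000A1B2C3D4",
           "kscInternalUserId": -1, "userPrincipalName": "alice@example.test"}
INTERNAL = {"dn": "svc-report", "kscInternalUserId": 42}
ROLE_GUID = "00000000-0000-0000-0000-000000000001"  # placeholder role GUID


def _perm(mask: int) -> dict:
    return {"data": {AREA: {"operation_mask": mask, "product": PRODUCT, "version": VERSION}}}


SAMPLE_ACL = {
    "allowed": [
        {"account": OS_USER, "permissions": [_perm(MASK_READ | MASK_WRITE | MASK_EXECUTE)],
         "inerasable": True, "read_only": False},
        {"account": INTERNAL, "permissions": [_perm(MASK_READ)]},
    ],
    "denied": [
        {"account": OS_USER, "inerasable": False, "permissions": [_perm(MASK_WRITE)]},
    ],
    "roles": [{"account": OS_USER, "roles": [ROLE_GUID]}],
    "inherited": False,
}

if __name__ == "__main__":
    print(account_kind(OS_USER), effective_mask(SAMPLE_ACL, OS_USER, AREA, PRODUCT, VERSION))
    print(console_can_delete(SAMPLE_ACL, OS_USER), roles_for(SAMPLE_ACL, OS_USER))
```

Because the same account can appear in 'allowed', 'denied' and 'roles' at once, matching is done on an identity key (the internal user id or the WIN-SID) rather than on the display name, which is the only field all three account shapes share and is not unique.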