Kaspersky Security Center API description
ACL structure
+--- (paramParams)
    +---allowed (paramArray) // list of allowed ACEs
    |   +---0 (paramParams)
    |   |   +---account (paramParams) // information about the user account; it may be an internal user or an OS user
    |   |   |   +---dn = (paramString)"<display name>"
    |   |   |   +---id = (paramString)"<WIN-SID>" // format: WIN-SID-<SID_as_uppercase_hex>
    |   |   |   +---userPrincipalName = (paramString)"<principal name>"
    |   |   +---permissions (paramArray)
    |   |   |   +---0 (paramParams)
    |   |   |       +---data (paramParams)
    |   |   |           +---<functional area> (paramParams) // see Functional areas
    |   |   |               +---operation_mask = (paramInt)<access mask> // see Access rights
    |   |   |               +---product = (paramString)"<product>" // see Functional areas
    |   |   |               +---version = (paramString)"<version>" // see Functional areas
    |   |   +---inerasable = (paramBool)<true|false> // if true, this ACE cannot be deleted from the ACL through the console
    |   |   +---read_only = (paramBool)<true|false> // if true, this ACE cannot be modified in the ACL through the console
    |   +---1 (paramParams)
    |       +---account (paramParams)
    |       |   +---dn = (paramString)
    |       |   +---kscInternalUserId = (paramInt)<id of internal user>
    |       +---permissions (paramArray)
    |           +---0 (paramParams)
    |               +---data (paramParams)
    |                   +---<functional area> (paramParams)
    |                       +---operation_mask = (paramInt)
    |                       +---product = (paramString)
    |                       +---version = (paramString)
    +---denied (paramArray) // list of denied ACEs
    |   +---0 (paramParams)
    |       +---account (paramParams)
    |       |   +---dn = (paramString)
    |       |   +---id = (paramString)
    |       |   +---objectGUID = (paramString)<guid> // AD objectGUID attribute as paramBinary; this attribute is mandatory for non-built-in AD accounts
    |       +---inerasable = (paramBool)<true|false>
    |       +---permissions (paramArray)
    |           +---4 (paramParams)
    |               +---data (paramParams)
    |                   +---<functional area> (paramParams)
    |                       +---operation_mask = (paramInt)
    |                       +---product = (paramString)
    |                       +---version = (paramString)
    +---roles (paramArray) // mapping of users to their roles
    |   +---0 (paramParams)
    |       +---account (paramParams)
    |       |   +---dn = (paramString)
    |       |   +---id = (paramString)
    |       |   +---userPrincipalName = (paramString)
    |       +---roles (paramArray)
    |           +---0 = (paramString)"<guid name of role>"
    +---delete (paramArray) // users to delete from the ACL; for use in the HstAccessControl.ModifyScObjectAcl method only
    |   +---0 (paramParams)
    |       +---account (paramParams)
    |           +---dn = (paramString)
    |           +---id = (paramString)
    |           +---userPrincipalName = (paramString)
    +---inherited = (paramBool)<true|false> // true means that the object does not have its own ACL and inherits it from its parent
Structure of 'account' object:
For internal user:
+---account (paramParams)
    +---dn = (paramString)"<display name>"
    +---kscInternalUserId = (paramInt)<id of internal user>
For OS user:
+---account (paramParams)
    +---dn = (paramString)"<display name>"
    +---id = (paramString)"<WIN-SID>" // format: WIN-SID-<SID_as_uppercase_hex>
    +---kscInternalUserId = -1
    +---userPrincipalName = (paramString)"<principal name>"
For non-built-in AD accounts:
+---account (paramParams)
    +---dn = (paramString)"<display name>"
    +---id = (paramString)"<WIN-SID>" // format: WIN-SID-<SID_as_uppercase_hex>
    +---objectGUID = (paramString)<guid> // AD objectGUID attribute as paramBinary; this attribute is mandatory for non-built-in AD accounts
If an ACE has 'inerasable' == true in any part of the ACL ('allowed', 'denied', or 'roles'), then that user cannot be deleted from the ACL through the console.
If an ACE has 'read_only' == true in any part of the ACL ('allowed', 'denied', or 'roles'), then that user's rights cannot be modified through the console.
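The following is an added example, not Kaspersky's code: a structural review of an ACL in the layout described above, as it would arrive from the OpenAPI with paramParams as dicts and paramArray as lists. It checks each 'account' node against the three documented shapes (internal user, OS user, non-built-in AD account), validates the WIN-SID id format, and lists which users the console cannot delete or modify because 'inerasable' or 'read_only' is set in any of 'allowed', 'denied' or 'roles'. SAMPLE_ACL and every name, SID and id in it are constructed; the functional area, product and version values are placeholders.

```python
import re

SID_RE = re.compile(r"^WIN-SID-[0-9A-F]+$")  # page's id format: WIN-SID-<SID_as_uppercase_hex>
# Constructed sample in the layout above (paramParams -> dict, paramArray -> list); every
# name, SID and id is made up, and the 'denied' account is deliberately malformed.
SAMPLE_ACL = {
    "allowed": [
        {"account": {"dn": "ksc-admin", "id": "WIN-SID-010500000000000515000000AAAAAAAABBBBBBBBCCCCCCCC4F040000",
                     "kscInternalUserId": -1, "userPrincipalName": "ksc-admin@example.local"},
         "permissions": [{"data": {"<functional area>": {"operation_mask": 15, "product": "<product>", "version": "<version>"}}}],
         "inerasable": True, "read_only": True},
        {"account": {"dn": "operator", "kscInternalUserId": 7},
         "permissions": [{"data": {"<functional area>": {"operation_mask": 1, "product": "<product>", "version": "<version>"}}}]},
    ],
    "denied": [{"account": {"dn": "contractor", "id": "win-sid-0105", "objectGUID": ""}, "permissions": []}],
    "roles": [{"account": {"dn": "operator", "kscInternalUserId": 7}, "roles": ["<role guid>"], "inerasable": True}],
    "inherited": False,
}

def account_errors(acc):
    """Check one 'account' node against the three shapes documented above (internal, OS, non-built-in AD)."""
    errs = []
    if not acc.get("dn"):
        errs.append("dn missing")
    is_internal = acc.get("kscInternalUserId", -1) != -1  # OS users carry kscInternalUserId = -1
    if is_internal and "id" in acc:
        errs.append("internal user carries a WIN-SID id")
    if "id" in acc and not SID_RE.match(acc["id"]):
        errs.append(f"id {acc['id']!r} is not WIN-SID-<uppercase hex>")
    if "objectGUID" in acc and not acc["objectGUID"]:
        errs.append("objectGUID empty (mandatory for non-built-in AD accounts)")
    return errs

def validate_acl(acl):
    """Map '<section>[<index>]' to its account errors, for every ACE in the ACL that has any."""
    out = {}
    for section in ("allowed", "denied", "roles", "delete"):
        for i, ace in enumerate(acl.get(section, [])):
            if errs := account_errors(ace.get("account", {})):
                out[f"{section}[{i}]"] = errs
    return out

def console_locked(acl):
    """Per dn, the inerasable/read_only flags set in any of allowed, denied or roles (a flag anywhere locks the user in the console)."""
    locks = {}
    for section in ("allowed", "denied", "roles"):
        for ace in acl.get(section, []):
            if flags := {f for f in ("inerasable", "read_only") if ace.get(f)}:
                locks.setdefault(ace["account"]["dn"], set()).update(flags)
    return locks
```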