Question

The MSDN article "How to: Configure item-level security in SharePoint 2013" mentions a service returning a Property with Name="WindowsSecurityDescriptorField". What is the actual format in which this information should be returned?

If there are many users/AD groups that have permissions to read the data, how is the users list returned? (e.g. domain\login, or SIDs, or something else? How are they delimited?)

I want to crawl external data from an OData service and I need security information, so that the index has security trimming info, but I don't know how it is implemented.

Solution

That field is the name of a property of your entity, which returns a byte-encoded (byte[]) representation of the encoded claims.

Here's a great example: https://blogs.msdn.microsoft.com/security_trimming_in_sharepoint_2013/2012/10/29/creating-custom-connector-sending-claims-with-sharepoint-2013/

Format as quoted from above link: The encoding is done according to the protocol documentation where:

  • The first byte signals an allow or deny claim
  • The second byte is always 1 to indicate that this is a non-NT security ACL (i.e. it is a claim ACL type)
  • The next four bytes is the size of the following claim value array.
  • The claim value string follows as a Unicode byte array.
  • The next four bytes following the claim value array, gives the length of the claim type
  • The claim type string follows as a Unicode byte array.
  • The next four bytes following the claim type array, gives the length of the claim data type
  • The claim data type string follows as a Unicode byte array
  • The next four bytes following the claim data type array, gives the length of the claim original issuer
  • The claim issuer string finally follows as a Unicode byte array
Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange
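
The byte layout listed in the answer, as an added Python example that is not part of the original answer or the linked blog post: an encoder plus a parser that rejects malformed input instead of guessing. Assumptions not stated on the page: allow = 0 and deny = 1, little-endian 32-bit length prefixes counting UTF-16 code units, UTF-16LE strings, and several claims concatenated back to back; the function names and sample claim values are constructed.

```python
import struct

# Assumptions (not stated on the page): allow = 0 / deny = 1 in the first byte,
# length prefixes are little-endian int32 counts of UTF-16 code units, and
# "Unicode" means UTF-16LE, following .NET BinaryWriter / Encoding.Unicode.
ALLOW, DENY = 0, 1
CLAIM_ACL = 1  # second byte: non-NT (claim) ACL type


def _put(text):
    raw = text.encode("utf-16-le")
    return struct.pack("<i", len(raw) // 2) + raw


def encode_claim(value, claim_type, data_type, issuer, deny=False):
    """Serialize one claim in the field order given in the answer."""
    head = bytes([DENY if deny else ALLOW, CLAIM_ACL])
    return head + b"".join(_put(s) for s in (value, claim_type, data_type, issuer))


def decode_claims(blob):
    """Parse concatenated claims; raise ValueError on malformed input."""
    claims, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated header at offset %d" % pos)
        effect, acl_type = blob[pos], blob[pos + 1]
        if effect not in (ALLOW, DENY) or acl_type != CLAIM_ACL:
            raise ValueError("unexpected header bytes at offset %d" % pos)
        pos += 2
        fields = []
        for _ in range(4):  # value, type, data type, original issuer
            if len(blob) - pos < 4:
                raise ValueError("truncated length at offset %d" % pos)
            (count,) = struct.unpack_from("<i", blob, pos)
            pos += 4
            if count < 0 or count * 2 > len(blob) - pos:
                raise ValueError("bad length %d at offset %d" % (count, pos - 4))
            fields.append(blob[pos:pos + count * 2].decode("utf-16-le"))
            pos += count * 2
        claims.append((effect == DENY, *fields))
    return claims


# Constructed sample: one allow claim and one deny claim (values are made up).
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
GROUP = "http://example.test/claims/group"
SAMPLE = (encode_claim("engineering", GROUP, XSD_STRING, "customtrimmer")
          + encode_claim("contractors", GROUP, XSD_STRING, "customtrimmer", deny=True))
```

Running `decode_claims` over the bytes a service returns before handing them to the crawler catches length or ordering mistakes that would otherwise surface only as wrong security trimming in search results.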