inspec/docs/resources/security_identifier.md.erb

---
title: About the security_identifier Resource
platform: windows
---

# security_identifier

Use the `security_identifier` Chef InSpec resource to test the [Security Identifier (SID)](https://docs.microsoft.com/en-us/windows/desktop/secauthz/security-identifiers) for user and group trustees on Windows.  

<br>

## Availability

### Installation

This resource is distributed along with Chef InSpec itself. You can use it automatically.

## Resource Parameters

A `security_identifier` resource should specify the name and type of the trustee to test the SID for:

    describe security_identifier(group: 'Everyone') do
      its('sid') { should eq 'S-1-1-0' }
    end

where

* `group:` specifies that `'Everyone'` should be a group. `user:` can be used to specify a user account.
** It is necessary to declare the type of the trustee because Windows allows users, groups and other entities to share names. If you really need to not specify the type, `unspecified:` can be used. This will attempt to match the name to a group and then a useraccount. This may take longer to execute and comes with the risk of Chef InSpec matching the name to an unintended trustee.

<br>

## Examples

The following examples show how to use this Chef InSpec resource.

### Verify that the Admnistrator user has a SID

    describe security_identifier(user: 'Administrator') do
      it { should exist }
    end

### Verify that a SID is the expected value

    describe security_identifier(group: 'Everyone') do
      its('sid') { should eq 'S-1-1-0' }
    end

### Use in conjunction with the security_policy resource to specify the trustee to test for in the audit policy

    describe security_policy do
      its("SeRemoteInteractiveLogonRight") { should_not include security_identifier(group: 'Guests') }
    end

<br>

## Properties

* `sid`

## Property Examples

### sid

    describe security_identifier(group: 'Everyone') do
      its('sid') { should eq 'S-1-1-0' }
    end

## Matchers

This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### exist

For this resource, `exist` is true if a Security Identifier (SID) exists on the target host for the specified trustee.
New resource to work with Windows security identifiers (SIDs) (#3405) * Resource for a Windows Security Identifier (SID) * Integration tests for security_identifier resource * Address rubocop violations * Improve security_identifier from PR feedback * Update security_identifier tests * Improve security_identifier unit tests * Fix unit tests fpr security_identifier resource * More security_identifier unit tests * Add docs page for security_identifier resource * Fix issues with documentation * Improve docs Link to Microsoft reference page, and use their term 'trustee' instead of 'entity' where applicable. * Change exists to exist * Test appveyor file changes. Signed-off-by: Jared Quick <jquick@chef.io> 2018-10-19 13:01:00 +00:00			`---`
			`title: About the security_identifier Resource`
			`platform: windows`
			`---`

			`# security_identifier`

Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			Use the `security_identifier` Chef InSpec resource to test the [Security Identifier (SID)](https://docs.microsoft.com/en-us/windows/desktop/secauthz/security-identifiers) for user and group trustees on Windows.
New resource to work with Windows security identifiers (SIDs) (#3405) * Resource for a Windows Security Identifier (SID) * Integration tests for security_identifier resource * Address rubocop violations * Improve security_identifier from PR feedback * Update security_identifier tests * Improve security_identifier unit tests * Fix unit tests fpr security_identifier resource * More security_identifier unit tests * Add docs page for security_identifier resource * Fix issues with documentation * Improve docs Link to Microsoft reference page, and use their term 'trustee' instead of 'entity' where applicable. * Change exists to exist * Test appveyor file changes. Signed-off-by: Jared Quick <jquick@chef.io> 2018-10-19 13:01:00 +00:00
			`<br>`

			`## Availability`

			`### Installation`

Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			`This resource is distributed along with Chef InSpec itself. You can use it automatically.`
New resource to work with Windows security identifiers (SIDs) (#3405) * Resource for a Windows Security Identifier (SID) * Integration tests for security_identifier resource * Address rubocop violations * Improve security_identifier from PR feedback * Update security_identifier tests * Improve security_identifier unit tests * Fix unit tests fpr security_identifier resource * More security_identifier unit tests * Add docs page for security_identifier resource * Fix issues with documentation * Improve docs Link to Microsoft reference page, and use their term 'trustee' instead of 'entity' where applicable. * Change exists to exist * Test appveyor file changes. Signed-off-by: Jared Quick <jquick@chef.io> 2018-10-19 13:01:00 +00:00
			`## Resource Parameters`

			A `security_identifier` resource should specify the name and type of the trustee to test the SID for:

			`describe security_identifier(group: 'Everyone') do`
			`its('sid') { should eq 'S-1-1-0' }`
			`end`

			`where`

			* `group:` specifies that `'Everyone'` should be a group. `user:` can be used to specify a user account.
Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			** It is necessary to declare the type of the trustee because Windows allows users, groups and other entities to share names. If you really need to not specify the type, `unspecified:` can be used. This will attempt to match the name to a group and then a useraccount. This may take longer to execute and comes with the risk of Chef InSpec matching the name to an unintended trustee.
New resource to work with Windows security identifiers (SIDs) (#3405) * Resource for a Windows Security Identifier (SID) * Integration tests for security_identifier resource * Address rubocop violations * Improve security_identifier from PR feedback * Update security_identifier tests * Improve security_identifier unit tests * Fix unit tests fpr security_identifier resource * More security_identifier unit tests * Add docs page for security_identifier resource * Fix issues with documentation * Improve docs Link to Microsoft reference page, and use their term 'trustee' instead of 'entity' where applicable. * Change exists to exist * Test appveyor file changes. Signed-off-by: Jared Quick <jquick@chef.io> 2018-10-19 13:01:00 +00:00
			`<br>`

			`## Examples`

Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			`The following examples show how to use this Chef InSpec resource.`
New resource to work with Windows security identifiers (SIDs) (#3405) * Resource for a Windows Security Identifier (SID) * Integration tests for security_identifier resource * Address rubocop violations * Improve security_identifier from PR feedback * Update security_identifier tests * Improve security_identifier unit tests * Fix unit tests fpr security_identifier resource * More security_identifier unit tests * Add docs page for security_identifier resource * Fix issues with documentation * Improve docs Link to Microsoft reference page, and use their term 'trustee' instead of 'entity' where applicable. * Change exists to exist * Test appveyor file changes. Signed-off-by: Jared Quick <jquick@chef.io> 2018-10-19 13:01:00 +00:00
			`### Verify that the Admnistrator user has a SID`

			`describe security_identifier(user: 'Administrator') do`
			`it { should exist }`
			`end`

			`### Verify that a SID is the expected value`

			`describe security_identifier(group: 'Everyone') do`
			`its('sid') { should eq 'S-1-1-0' }`
			`end`

			`### Use in conjunction with the security_policy resource to specify the trustee to test for in the audit policy`

			`describe security_policy do`
			`its("SeRemoteInteractiveLogonRight") { should_not include security_identifier(group: 'Guests') }`
			`end`

			`<br>`

			`## Properties`

			* `sid`

			`## Property Examples`

			`### sid`

			`describe security_identifier(group: 'Everyone') do`
			`its('sid') { should eq 'S-1-1-0' }`
			`end`

			`## Matchers`

Update software name from InSpec to Chef Inspec Signed-off-by: IanMadd <maddaus@protonmail.com> 2019-04-26 18:24:29 +00:00			`This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).`
New resource to work with Windows security identifiers (SIDs) (#3405) * Resource for a Windows Security Identifier (SID) * Integration tests for security_identifier resource * Address rubocop violations * Improve security_identifier from PR feedback * Update security_identifier tests * Improve security_identifier unit tests * Fix unit tests fpr security_identifier resource * More security_identifier unit tests * Add docs page for security_identifier resource * Fix issues with documentation * Improve docs Link to Microsoft reference page, and use their term 'trustee' instead of 'entity' where applicable. * Change exists to exist * Test appveyor file changes. Signed-off-by: Jared Quick <jquick@chef.io> 2018-10-19 13:01:00 +00:00
			`### exist`

			For this resource, `exist` is true if a Security Identifier (SID) exists on the target host for the specified trustee.