Adding New Security Rule to Hosting Security Metadata File Template

A security rule is an access permission for a Windows user account or group that will be added to a Windows object once the rule is applied to it. A single rule may be applied to more than one object depending on the attribute values specified. To add a security rule, you need to create an Entry element in a security metadata file template and include in it the necessary information by using the available declaration options for the element's attributes. For detailed description of the attributes and information about values that can be assigned to the attributes, see General Security Metadata Structure.

To add a security rule:

  1. Identify the Windows object for which you want to create a security rule.

    The example used here assumes that you want to add a security rule for the error_docs folder located in the domain root directory.

  2. Identify the Windows object to which the rule will be applied by specifying the Path and, if applicable, the SubPath attribute in the new Entry element.

    Consult General Security Metadata Structure for applicable declaration options.

    For example,

    <Entry AccounType="" Account="" Path="[HTTPD_VHOSTS_D]" SubPath="error_docs" AceFlags="" AccessMask="" EntryFlags="" Tag="" Tag2="" />

  3. Specify the Windows user account to which you want to assign the security rule.

    For example, to specify a domain FTP user account, make the following declarations:

    <Entry AccounType="0" Account="Null" Path="" SubPath="" AceFlags="" AccessMask="" EntryFlags="" Tag="DomainUser" Tag2="" />

    Note: The name Null will be replaced by an actual domain FTP user account name in metadata security files instantiated from the the template file. You can also include a SidStr attribute if a SID for a particular Windows account is known. For more information about the SidStr attribute, see General Security Metadata Structure.

  4. Define the type of the rule (Allow or Deny, just like you would for an ACE) and how the rule is to be propagated to child objects by specifying the EntryFlags element.

    For help in completing this step, see Possible EntryFlags Attribute Values. For example, to enable application of the security rule only to files contained in the specified error_docs folder, but not to the folder itself you need to use the 0x80 flag. The rule is set to the Allow type by default (the 0x0 flag) unless the 0x1 flag (Deny) is included.

    <Entry AccounType="" Account="" Path="" SubPath="error_docs\*.*" AceFlags="" AccessMask="" EntryFlags="0x80" Tag="" Tag2="" />

    Note: When you use the 0x80 flag, a file mask must be included in the Path or SubPath attribute, whichever is applicable. In this example the *.* mask must be used. You can use other entry flags to further fine-tune the application of the rule to Windows objects.

  5. Set the permissions for the user account on Windows objects to which the rule will be applied by specifying the AccessMask attribute.

    For help in completing this step, see Possible AccessMask Attribute Values.

    For example, to grant the Read and Write permissions for the Windows user account, specify ReadWrite:

    <Entry AccounType="" Account="" Path="" SubPath="" AceFlags="" AccessMask="ReadWrite" EntryFlags="" Tag="" Tag2="" />

  6. Define if ACEs must be created for the Windows object and its child objects based on this security rule by specifying the AceFlags attribute.

    For help in completing this step, see Possible AceFlags Attribute Values. For example, to create ACEs only for the error_docs folder and all files contained within that folder use AceFlags="FilesOnly".

This is the resulting security rule entry:

<Entry AccounType="0" Account="Null" Path="[HTTPD_VHOSTS_D]" SubPath="error_docs\*.*" AceFlags="FilesOnly" AccessMask="ReadWrite" EntryFlags="0x80" Tag="DomainUser" Tag2="" />
Rule Description

Because the name Null is a standard system account name, it does not have to be resolved in the system (hence, AccounType="0").(The name Null will be replaced by an actual domain FTP user account name in metadata security files instantiated from the the template file). The optional Domain and SidStr attributes do not need to be defined for the same reason. The HTTPD_VHOSTS_D component path in the Path attribute specifies the path to the domain root folder where the error_docs folder is located. The SubPath attribute sets the mask for all files in the error_docs folder to which the rule will be applied. AceFlags="FilesOnly" specifies that, according to this rule, an ACE with permission defined by AccessMask="ReadWrite" will be created only for the error_docs folder and all files contained within that folder. However, EntryFlags="0x80" further restricts the ACE creation only to the files within the folder, excluding the error_docs folder from this rule. Tag="DomainUser" designates the security rule as pertaining to a domain hosting account and is used by Plesk to properly organize the processing of security metadata.

Note: When entry flag 0x80 is included in a security rule entry, the path to the objects defined by the Path and SubPath attributes must include a file mask. This example uses file mask *.*.

 

Leave your comments on this page

Leave your feedback or question on this documentation topic below. For technical assistance, contact your hosting service provider or submit a request to Plesk support. Suggest new features for Plesk here. Discuss general questions on the Plesk forum. All offtopic comments will be removed.