A security rule is an access permission for a Windows user account or group that will be added to a Windows object once the rule is applied to it. A single rule may be applied to more than one object depending on the attribute values specified. To add a security rule, you need to create an
Entry element in a security metadata file template and include in it the necessary information by using the available declaration options for the element's attributes. For detailed description of the attributes and information about values that can be assigned to the attributes, see General Security Metadata Structure.
To add a security rule:
- Identify the Windows object for which you want to create a security rule.
The example used here assumes that you want to add a security rule for the
error_docsfolder located in the domain root directory.
- Identify the Windows object to which the rule will be applied by specifying the
Pathand, if applicable, the
SubPathattribute in the new
Consult General Security Metadata Structure for applicable declaration options.
<Entry AccounType="" Account="" Path="[HTTPD_VHOSTS_D]
" AceFlags="" AccessMask="" EntryFlags="" Tag="" Tag2="" />
- Specify the Windows user account to which you want to assign the security rule.
For example, to specify a domain FTP user account, make the following declarations:
" Path="" SubPath="" AceFlags="" AccessMask="" EntryFlags="" Tag="DomainUser
" Tag2="" />
Note: The name
Nullwill be replaced by an actual domain FTP user account name in metadata security files instantiated from the the template file. You can also include a
SidStrattribute if a SID for a particular Windows account is known. For more information about the
SidStrattribute, see General Security Metadata Structure.
- Define the type of the rule (
Deny, just like you would for an ACE) and how the rule is to be propagated to child objects by specifying the
For help in completing this step, see Possible EntryFlags Attribute Values. For example, to enable application of the security rule only to files contained in the specified
error_docsfolder, but not to the folder itself you need to use the
0x80flag. The rule is set to the
Allowtype by default (the
0x0flag) unless the
Deny) is included.
<Entry AccounType="" Account="" Path="" SubPath="error_docs\*.*
" AceFlags="" AccessMask="" EntryFlags="0x80
" Tag="" Tag2="" />
Note: When you use the
0x80flag, a file mask must be included in the
SubPathattribute, whichever is applicable. In this example the *.* mask must be used. You can use other entry flags to further fine-tune the application of the rule to Windows objects.
- Set the permissions for the user account on Windows objects to which the rule will be applied by specifying the
For help in completing this step, see Possible AccessMask Attribute Values.
For example, to grant the Read and Write permissions for the Windows user account, specify
<Entry AccounType="" Account="" Path="" SubPath="" AceFlags="" AccessMask="ReadWrite
" EntryFlags="" Tag="" Tag2="" />
- Define if ACEs must be created for the Windows object and its child objects based on this security rule by specifying the
For help in completing this step, see Possible AceFlags Attribute Values. For example, to create ACEs only for the
error_docsfolder and all files contained within that folder use
This is the resulting security rule entry:
Because the name
Null is a standard system account name, it does not have to be resolved in the system (hence,
Null will be replaced by an actual domain FTP user account name in metadata security files instantiated from the the template file). The optional
SidStr attributes do not need to be defined for the same reason. The
HTTPD_VHOSTS_D component path in the
Path attribute specifies the path to the domain root folder where the
error_docs folder is located. The
SubPath attribute sets the mask for all files in the
error_docs folder to which the rule will be applied.
AceFlags="FilesOnly" specifies that, according to this rule, an ACE with permission defined by
AccessMask="ReadWrite" will be created only for the
error_docs folder and all files contained within that folder. However,
EntryFlags="0x80" further restricts the ACE creation only to the files within the folder, excluding the
error_docs folder from this rule.
Tag="DomainUser" designates the security rule as pertaining to a domain hosting account and is used by Plesk to properly organize the processing of security metadata.
Note: When entry flag
0x80 is included in a security rule entry, the path to the objects defined by the
SubPath attributes must include a file mask. This example uses file mask