Prohibiting Container Deletion When Deletion of its Parent Container Contents Is Allowed
The following two security rules set different sets of access rights for
a parent object (in this example, the picture_library
folder on
domain example.com
) and its child objects - subfolders and files
contained in the folder. The resulting security configuration will
prohibit deletion of the parent container by a website owner, but will
allow the user full control for files and folders contained in the
picture_library
folder.
Security rule entry 1
The following rule sets access rights to files in the
httpdocs\picture_library
folder on domain example.com
for the
Windows user account named domainuser1
, prohibiting deletion of the
folder.
<Entry AccounType="1" Account="domainuser1" SidStr="S-1-5-21-821798554-1223697094-3523996037-1043" Path="[HTTPD_VHOSTS_D]" SubPath="example.com\httpdocs\picture_library" AceFlags="ThisObjectOnly" AccessMask="FileRemovable" EntryFlags="0x141" Tag="DomainUser" Tag2="" />
Explanation
Because the name domainuser1 is not a standard system account name, it has to be resolved in the system (hence, AccounType=”1”). The optional SidStr attribute is defined to improve Plesk stability. The HTTPD_VHOSTS_D component path in the Path attribute specifies the common part of the path to the domain root folder where the example.com folder is located. The SubPath attribute completes the path to the httpdocspicture_library folder to which the rule will be applied. AceFlags=”ThisObjectOnly” specifies that, according to this rule, an ACE with permission defined by AccessMask=”FileRemovable” will be created and added only to the httpdocspicture_library folder on domain example.com. EntryFlags=”0x141” enables (i) creation of the folder (which is necessary during domain creation), (ii) strict enforcement of the access permissions defined by the AccessMask=”FileRemovable” permission mask, and (iii) sets the ACE type to Deny Access. Tag=”DomainUser” designates the security rule as pertaining to a domain hosting account and is used by Plesk to properly organize the processing of security metadata.
Security rule entry 2
The rule sets full control rights to the httpdocs\picture_library
folder, its subfolders and files on domain example.com
for the
Windows user account named domainuser1
.
<Entry AccounType="1" Account="domainuser1" SidStr="S-1-5-21-821798554-1223697094-3523996037-1043" Path="[HTTPD_VHOSTS_D]" SubPath="example.com\httpdocs\picture_library" AceFlags="ThisFolderSubfoldersAndFiles" AccessMask="FullAccess" EntryFlags="0x140" Tag="DomainUser" Tag2="" />
Explanation
As the name domainuser1
is not a standard system account name, it
has to be resolved in the system (hence, AccounType="1"
). The
optional SidStr
attribute is defined to improve Plesk stability. The
HTTPD_VHOSTS_D
component path in the Path
attribute specifies
the common part of the path to the domain root folder where the
example.com
folder is located. The SubPath
attribute completes
the path to the httpdocs\picture_library
folder to which the rule
will be applied. AceFlags="ThisFolderSubfoldersAndFiles"
specifies
that, according to this rule, an ACE with permission defined by
AccessMask="FullAccess"
will be created and added to the
httpdocs\picture_library
folder and all of its subfolders and files
on domain example.com
. EntryFlags="0x140"
enables (i) creation
of the folder (which is necessary during domain creation) and (ii)
strict enforcement of the access permissions defined by the
AccessMask="FullAccess"
permission mask. Tag="DomainUser"
designates the security rule as pertaining to a domain hosting account
and is used by Plesk to properly organize the processing of security
metadata.