Adding New Security Rule to Hosting Security Metadata File Template
A security rule is an access permission for a Windows user account or
group that will be added to a Windows object once the rule is applied to
it. A single rule may be applied to more than one object depending on
the attribute values specified. To add a security rule, you need to
create an Entry
element in a security metadata file template and
include in it the necessary information by using the available
declaration options for the element’s attributes. For detailed
description of the attributes and information about values that can be
assigned to the attributes, see General Security Metadata
Structure.
To add a security rule:
-
Identify the Windows object for which you want to create a security rule.
The example used here assumes that you want to add a security rule for the
error_docs
folder located in the domain root directory. -
Identify the Windows object to which the rule will be applied by specifying the
Path
and, if applicable, theSubPath
attribute in the newEntry
element.Consult General Security Metadata Structure for applicable declaration options.
For example,
<Entry AccounType="" Account="" Path="
[HTTPD_VHOSTS_D]" SubPath="
error_docs" AceFlags="" AccessMask="" EntryFlags="" Tag="" Tag2="" />
-
Specify the Windows user account to which you want to assign the security rule.
For example, to specify a domain FTP user account, make the following declarations:
<Entry AccounType="
0" Account="
Null" Path="" SubPath="" AceFlags="" AccessMask="" EntryFlags="" Tag="
DomainUser" Tag2="" />
Note: The name
Null
will be replaced by an actual domain FTP user account name in metadata security files instantiated from the the template file. You can also include aSidStr
attribute if a SID for a particular Windows account is known. For more information about theSidStr
attribute, see General Security Metadata Structure. -
Define the type of the rule (
Allow
orDeny
, just like you would for an ACE) and how the rule is to be propagated to child objects by specifying theEntryFlags
element.For help in completing this step, see Possible EntryFlags Attribute Values. For example, to enable application of the security rule only to files contained in the specified
error_docs
folder, but not to the folder itself you need to use the0x80
flag. The rule is set to theAllow
type by default (the0x0
flag) unless the0x1
flag (Deny
) is included.<Entry AccounType="" Account="" Path="" SubPath="error_docs\
*.*" AceFlags="" AccessMask="" EntryFlags="
0x80" Tag="" Tag2="" />
Note: When you use the
0x80
flag, a file mask must be included in thePath
orSubPath
attribute, whichever is applicable. In this example the *.* mask must be used. You can use other entry flags to further fine-tune the application of the rule to Windows objects. -
Set the permissions for the user account on Windows objects to which the rule will be applied by specifying the
AccessMask
attribute.For help in completing this step, see Possible AccessMask Attribute Values.
For example, to grant the Read and Write permissions for the Windows user account, specify
ReadWrite
:<Entry AccounType="" Account="" Path="" SubPath="" AceFlags="" AccessMask="
ReadWrite" EntryFlags="" Tag="" Tag2="" />
-
Define if ACEs must be created for the Windows object and its child objects based on this security rule by specifying the
AceFlags
attribute.For help in completing this step, see Possible AceFlags Attribute Values. For example, to create ACEs only for the
error_docs
folder and all files contained within that folder useAceFlags="FilesOnly"
.
This is the resulting security rule entry:
<Entry AccounType="0" Account="Null" Path="[HTTPD_VHOSTS_D]" SubPath="error_docs\*.*" AceFlags="FilesOnly" AccessMask="ReadWrite" EntryFlags="0x80" Tag="DomainUser" Tag2="" />
Rule Description
Because the name Null
is a standard system account name, it does not
have to be resolved in the system (hence, AccounType="0"
).(The name
Null
will be replaced by an actual domain FTP user account name in
metadata security files instantiated from the the template file). The
optional Domain
and SidStr
attributes do not need to be defined
for the same reason. The HTTPD_VHOSTS_D
component path in the
Path
attribute specifies the path to the domain root folder where
the error_docs
folder is located. The SubPath
attribute sets the
mask for all files in the error_docs
folder to which the rule will
be applied. AceFlags="FilesOnly"
specifies that, according to this
rule, an ACE with permission defined by AccessMask="ReadWrite"
will
be created only for the error_docs
folder and all files contained
within that folder. However, EntryFlags="0x80"
further restricts the
ACE creation only to the files within the folder, excluding the
error_docs
folder from this rule. Tag="DomainUser"
designates
the security rule as pertaining to a domain hosting account and is used
by Plesk to properly organize the processing of security metadata.
Note: When entry flag 0x80
is included in a security rule entry, the
path to the objects defined by the Path
and SubPath
attributes must include a file mask. This example uses file mask
*.*
.