General Security Metadata Structure

A security metadata template or file contains security rule entries for Windows objects. Each such entry consist of a single Entry element that has multiple attributes specifying a security rule and the identity of one or more Windows objects to which the rule applies. In addition, each Entry element declares entry flags specifying how existing DACL security settings associated with Windows objects and Plesk security rules are combined and inherited by Windows objects. The element can also have optional tags that are used by Plesk to organize processing of security metadata.

Plesk follows Windows security processing rules when translating the security rule entries stored in the metadata files into ACEs.

The following security rule entry definition format is adopted for the files:

<Entry AccounType="" Account="" Path="" AceFlags="" AccessMask="" EntryFlags="" Tag="" Tag2="" />

When applying security rules listed in the metadata files to Windows objects, Plesk can write, modify, or erase existing ACEs in object DACLs, depending on what entry tags are specified by the corresponding Entry element.

The following table describes the attributes that are used in the Entry element and provides mappings to DACL's ACEs components where applicable.

Attributes and Their Mapping to ACE Components

Attribute ACE component Required Comment

Account

Name (the user part)

Yes

Symbolic Windows user account name for which the security rule is created.

Domain

Name (the domain part)

No

Symbolic Windows domain name to which the Windows user account belongs.

SidStr

Name's SID

No

Windows user account SID corresponding to the Windows user account name specified by the Account attribute.

AceFlags

Apply to flags

Yes

ACE control flag symbolic name or actual flag bits setting ACE inheritance rules that are applied to ACEs in object DACLs. See also Possible AceFlags Attribute Values.

AccessMask

Permission

Yes

Access mask that defines specific permissions for ACEs created from the security rule. See also Possible AccessMask Values.

EntryFlags

Type

Yes

ACE type and other flags that define rules for combining DACL security settings with the security rule defined by the Entry element. Several flags can be combined together. See also Possible EntryFlags Attribute Values.

AccounType

none

Yes

Windows user account type. This attribute specifies if the account has a well-known SID (AccountType=0) or must be resolved in the system (AccountType=1) by using the symbolic name specified by the Account attribute.

Path

none

Yes

A Plesk component path or environment variable that sets a standard path for hosted objects. See also Possible Path Attribute Values.

SubPath

none

No

Remaining part of the object path if the path is not fully defined by the Path attribute.

Tag

none

Yes

The Tag attributes are used by Plesk for processing the security rules defined in a security metadata template file. The tag attributes are required for security metadata templates, but are optional for the security metadata file .Security. See also Possible Tag Attribute Values.

Tag2

none

No

Next in this section:

Possible AceFlags Values

Possible AccessMask Values

Possible EntryFlag Attribute Values

Possible Path Attribute Values

Possible Tag Attribute Values

 

Leave your feedback on this topic here

If you have questions or need support, please visit the Plesk forum or contact your hosting provider.
The comments below are for feedback on the documentation only. No timely answers or help will be provided.