Plesk

General Security Metadata Structure

A security metadata template or file contains security rule entries
for Windows objects. Each such entry consists of a single Entry
element that has multiple attributes specifying a security rule and the
identity of one or more Windows objects to which the rule applies. In
addition, each Entry element declares entry flags specifying how
existing DACL security settings associated with Windows objects and
Plesk security rules are combined and inherited by Windows objects. The
element can also have optional tags that are used by Plesk to organize
processing of security metadata.

Plesk follows Windows security processing rules when translating the
security rule entries stored in the metadata files into ACEs.

The following security rule entry definition format is adopted for the
files:

<Entry AccounType="" Account="" Path="" AceFlags="" AccessMask=""
EntryFlags="" Tag="" Tag2="" />

When applying security rules listed in the metadata files to Windows
objects, Plesk can write, modify, or erase existing ACEs in object
DACLs, depending on what entry tags are specified by the corresponding
Entry element.

The following table describes the attributes that are used in the
Entry element and maps them to the components of a DACL's ACEs where
applicable.

Attributes and Their Mapping to ACE Components

| Attribute | ACE component | Required | Comment |
|---|---|---|---|
| Account | Name (the user part) | Yes | Symbolic Windows user account name for which the security rule is created. |
| Domain | Name (the domain part) | No | Symbolic Windows domain name to which the Windows user account belongs. |
| SidStr | Name's SID | No | Windows user account SID corresponding to the Windows user account name specified by the Account attribute. |
| AceFlags | Apply to flags | Yes | ACE control flag symbolic name or actual flag bits setting ACE inheritance rules that are applied to ACEs in object DACLs. See also Possible AceFlags Attribute Values. |
| AccessMask | Permission | Yes | Access mask that defines specific permissions for ACEs created from the security rule. See also Possible AccessMask Values. |
| EntryFlags | Type | Yes | ACE type and other flags that define rules for combining DACL security settings with the security rule defined by the Entry element. Several flags can be combined together. See also Possible EntryFlags Attribute Values. |
| AccounType | none | Yes | Windows user account type. This attribute specifies if the account has a well-known SID (AccountType=0) or must be resolved in the system (AccountType=1) by using the symbolic name specified by the Account attribute. |
| Path | none | Yes | A Plesk component path or environment variable that sets a standard path for hosted objects. See also Possible Path Attribute Values. |
| SubPath | none | No | Remaining part of the object path if the path is not fully defined by the Path attribute. |
| Tag | none | Yes | The Tag attributes are used by Plesk for processing the security rules defined in a security metadata template file. The tag attributes are required for security metadata templates, but are optional for the security metadata file .Security. See also Possible Tag Attribute Values. |
| Tag2 | none | No | |
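
The following is an added example, not part of the Plesk documentation or Plesk's own code: a small audit script that checks each Entry element against the Required column of the table above before a metadata file is deployed. It assumes the attribute spelling of the format line (AccounType) and a wrapper element named Entries; the function name and every value in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Attribute names exactly as spelled in the Entry format line above.
REQUIRED = ["Account", "AceFlags", "AccessMask", "EntryFlags", "AccounType", "Path"]
OPTIONAL = ["Domain", "SidStr", "SubPath", "Tag", "Tag2"]

def audit_entries(xml_text, is_template):
    """Return a list of (entry_index, problem) tuples for every Entry element."""
    # Tag is required in metadata templates, optional in the .Security file.
    required = REQUIRED + (["Tag"] if is_template else [])
    known = set(REQUIRED) | set(OPTIONAL)
    problems = []
    for index, entry in enumerate(ET.fromstring(xml_text).iter("Entry"), start=1):
        for name in required:
            # An empty value carries no rule data, so treat it like a missing one.
            if not entry.get(name, "").strip():
                problems.append((index, f"missing required attribute {name}"))
        # Attributes outside the table are usually typos of a documented name.
        for name in sorted(set(entry.attrib) - known):
            problems.append((index, f"attribute {name} is not in the table"))
        # The table documents only two account types: 0 and 1.
        account_type = entry.get("AccounType", "").strip()
        if account_type and account_type not in ("0", "1"):
            problems.append((index, f"AccounType must be 0 or 1, got {account_type}"))
    return problems

# Constructed sample; every value is a placeholder, not a real Plesk setting.
# The wrapper element name "Entries" is an assumption of this example.
SAMPLE = """<Entries>
  <Entry AccounType="1" Account="example_user" Path="[EXAMPLE_PATH]"
         AceFlags="0x0" AccessMask="0x0" EntryFlags="0x0" Tag="ExampleTag" />
  <Entry AccounType="2" Account="example_user" Path="[EXAMPLE_PATH]"
         AccessMask="0x0" EntryFlags="0x0" />
  <Entry AccounType="0" Acount="example_user" Path="[EXAMPLE_PATH]"
         AceFlags="0x0" AccessMask="0x0" EntryFlags="0x0" Tag="ExampleTag" />
</Entries>"""

if __name__ == "__main__":
    for index, problem in audit_entries(SAMPLE, is_template=True):
        print(f"Entry {index}: {problem}")
```

Pass is_template=False when auditing a .Security file, where Tag is optional.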