For this example we assume that the system is a member of the Windows domain MyDomain, and that TrustedDomain is a domain trusted by MyDomain.
The following accounts must be created first:
MyDomain\MyProductUsers
MyDomain\MyRestrictedUsers
TrustedDomain\Unwanted
Files and directories to be created include:
$(SxpRootDir1)\bin\ReadMe.txt
$(SxpRootDir1)\bin\NOTEPAD.EXE
$(SxpRootDir1)\MyLogfile.log
$(SxpRootDir1)\withoutextension
Registry keys and values to be created include:
[HKEY_LOCAL_MACHINE\Software\MyCompany]
[HKEY_LOCAL_MACHINE\Software\MyCompany\MyProduct]
"Entry"="any"
[HKEY_LOCAL_MACHINE\Software\MyCompany\MyProduct\MySubkey]
"SubkeyEntry"=dword:00000000
Step 1: Replace the current access control list
Grant full access for members of the local Administrators group on the root directory of the product, all its subdirectories and files. Grant read, write, and execute access for all members of the MyDomain\MyProductUsers group. The value after the comma in each Aace entry is the Windows access mask in hexadecimal: 10000000 is GENERIC_ALL (full access), and E0000000 is GENERIC_READ, GENERIC_WRITE, and GENERIC_EXECUTE combined.
Note that all other permissions are removed: AddToACL is not set, so the existing ACL is replaced rather than extended (compare Step 4; with AddToACL=yes, as in Steps 2, 3, and 5, the existing entries would be kept).
#Permis1#
Type=RDir
FileMask=*.*
Object=$(SxpRootDir1)
Aace1=\Administrators,10000000
Aace2=MyDomain\MyProductUsers,E0000000
Step 2: Add to the current access control list
Grant read and execute permission on the $(SxpRootDir1)\bin directory and all its executables for everyone, except the members of the MyDomain\MyRestrictedUsers group and the TrustedDomain\Unwanted user.
Note that deny entries take priority over allow entries, so a member of MyDomain\MyRestrictedUsers gets no access to the executables even though that member is also part of Everyone. A Dace entry carries no access mask: it denies all access to the trustee. The mask A0000000 is GENERIC_READ and GENERIC_EXECUTE.
#Permis2#
Type=Dir
Object=$(SxpRootDir1)\bin
FileMask=*.exe
AddToACL=yes
Aace1=\Everyone,A0000000
Dace1=MyDomain\MyRestrictedUsers
Dace2=TrustedDomain\Unwanted
Step 3: Add to the current access control list
Grant full access for everyone on the $(SxpRootDir1)\MyLogfile.log file. Deny access for the TrustedDomain\Unwanted user. Full access (10000000, GENERIC_ALL) includes the right to truncate, delete, or change the permissions of the log file, so grant it to Everyone only where that is acceptable.
#Permis3#
Type=File
Object=$(SxpRootDir1)\MyLogfile.log
AddToACL=yes
Aace1=\Everyone,10000000
Dace1=TrustedDomain\Unwanted
Step 4: Replace the current access control list
Grant full access for members of the local Administrators group and the local system account on the HKEY_LOCAL_MACHINE\Software\MyCompany\MyProduct registry key and all its subkeys.
Note that all other permissions are removed.
#Permis4#
Type=RKey
Object=HKEY_LOCAL_MACHINE\Software\MyCompany\MyProduct
Aace1=\Administrators,10000000
Aace2=\Local System\,10000000
Step 5: Add to the current access control list
Grant read and write access for members of the Windows domain users group of the primary domain (MyDomain) and for the domain users group of the trusted domain (TrustedDomain) on the HKEY_LOCAL_MACHINE\Software\MyCompany\MyProduct\MySubkey registry key. Deny access for the TrustedDomain\Unwanted user.
A Windows domain-related predefined account, like domain users, can be used only with the primary domain. For example, it is not possible to set permissions for the global group of domain users of TrustedDomain by using the predefined account. However, you can use the localized name, TrustedDomain\domain users, instead.
#Permis5#
Type=Key
Object=HKEY_LOCAL_MACHINE\Software\MyCompany\MyProduct\MySubkey
AddToACL=yes
Aace1=\MyDomain\Domain Users,C0000000
Aace2=TrustedDomain\Domain Users,C0000000
Dace1=TrustedDomain\Unwanted
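The following script is an added example for checking the five steps above before deployment; it is not part of this page and not CA's code. It parses #Permis# sections written as one Key=value per line (an assumed layout), decodes the Aace masks as Windows generic access rights (10000000 GENERIC_ALL, A0000000 read and execute, C0000000 read and write, E0000000 read, write, and execute), and applies the rule from Step 2 that a Dace overrides every Aace. The sample sections are Steps 1, 2, 3, and 5 from this page; the users alice, bob, and carol and their group memberships are constructed, and predefined accounts such as \Everyone are modelled simply as groups the caller lists. The script only models the entries; it does not read or change any ACL.

```python
"""Decode #Permis# Aace/Dace entries and compute a user's resulting access (added example)."""
import re

# Windows generic access rights: the high bits of a 32-bit access mask.
GENERIC_RIGHTS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}


def decode_mask(hex_mask):
    """Names of the generic rights in a mask such as 'E0000000'; GENERIC_ALL implies the rest."""
    value = int(hex_mask, 16)
    rights = {name for bit, name in GENERIC_RIGHTS.items() if value & bit}
    return set(GENERIC_RIGHTS.values()) if "GENERIC_ALL" in rights else rights


def parse_permis(text):
    """Parse '#PermisN#' headers followed by one Key=value per line (assumed layout)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"#(Permis\d+)#", line)
        if header:
            current = sections.setdefault(header.group(1), {"settings": {}, "allow": [], "deny": []})
            continue
        if current is None:
            raise ValueError("entry before any #PermisN# header: " + line)
        key, _, value = line.partition("=")
        if re.fullmatch(r"Aace\d+", key):
            trustee, _, mask = value.rpartition(",")  # the mask follows the last comma
            current["allow"].append((trustee, decode_mask(mask)))
        elif re.fullmatch(r"Dace\d+", key):
            current["deny"].append(value)  # a Dace carries no mask: it denies all access
        else:
            current["settings"][key] = value
    return sections


def effective_access(section, principal, groups=()):
    """Rights the principal gets on the section's object: a matching Dace wins over every Aace."""
    identities = {principal, *groups}  # the caller lists memberships, including \Everyone
    if any(trustee in identities for trustee in section["deny"]):
        return set()
    rights = set()
    for trustee, mask in section["allow"]:
        if trustee in identities:
            rights |= mask
    return rights


# Constructed sample: Steps 1, 2, 3 and 5 from this page, one entry per line.
SAMPLE = r"""
#Permis1#
Type=RDir
FileMask=*.*
Object=$(SxpRootDir1)
Aace1=\Administrators,10000000
Aace2=MyDomain\MyProductUsers,E0000000

#Permis2#
Type=Dir
Object=$(SxpRootDir1)\bin
FileMask=*.exe
AddToACL=yes
Aace1=\Everyone,A0000000
Dace1=MyDomain\MyRestrictedUsers
Dace2=TrustedDomain\Unwanted

#Permis3#
Type=File
Object=$(SxpRootDir1)\MyLogfile.log
AddToACL=yes
Aace1=\Everyone,10000000
Dace1=TrustedDomain\Unwanted

#Permis5#
Type=Key
Object=HKEY_LOCAL_MACHINE\Software\MyCompany\MyProduct\MySubkey
AddToACL=yes
Aace1=\MyDomain\Domain Users,C0000000
Aace2=TrustedDomain\Domain Users,C0000000
Dace1=TrustedDomain\Unwanted
"""

if __name__ == "__main__":
    # alice, bob (a restricted user) and carol are constructed names for the demonstration.
    users = {r"MyDomain\alice": {r"\Everyone", r"\MyDomain\Domain Users"},
             r"MyDomain\bob": {r"\Everyone", r"MyDomain\MyRestrictedUsers"},
             r"TrustedDomain\carol": {r"\Everyone", r"TrustedDomain\Domain Users"},
             r"TrustedDomain\Unwanted": {r"\Everyone", r"TrustedDomain\Domain Users"}}
    for name, section in parse_permis(SAMPLE).items():
        for user, groups in users.items():
            print(name, section["settings"]["Object"], user, sorted(effective_access(section, user, groups)))
```

The model only knows the entries in the script: for sections with AddToACL=yes the object's existing ACL is kept and may grant more than the table shows, so after deployment still confirm the result on the target with Get-Acl (or icacls) rather than trusting the script alone.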
Copyright © 2014 CA Technologies. All rights reserved.