2010/01/04

Handling Access Control List on Windows With BitRock InstallBuilder

Access Control List (ACL) is the way in which Windows manages permissions on NTFS file systems.

There are several command line tools on Windows for handling this: cacls, xcals, icacls. Unfortunately, these tools are not always present in a default Windows installation and depending on the Windows version, different tools may be required.

BitRock InstallBuilder now provides a built-in <setWindowsACL> action for managing permissions, which allows you to modify ACLs on Windows. It is based on the icacls Windows tool (http://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx).

You define the files you want to apply the permissions to, specify whether access is to be "allowed" or "denied", list the users to which the permissions will be applied, and choose any of the supported permission types.

You can define the users either by name or by SID. Take into account that special users such as "Everyone" have localized names, so it is good practice to use SIDs for these users instead. You can find a list of the well-known SIDs in this article:

http://support.microsoft.com/kb/243330

The most common file permissions are also detailed below:

http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx


Note that ACLs are only supported on NTFS file systems.

Example 1 - Basic:

The following example allows all users on the system to read, write and execute the files that match the patterns in <files>. For the directories that match those patterns, the users are allowed to read the contents and write new content into the directory.
<setWindowsACL>
     <users>Everyone</users>
     <permissions>file_read_data file_write_data file_execute</permissions>
     <files>c:\myfolder\*;c:\myfolder\*\*;c:\myfolder\*\*\*</files>
     <action>allow</action>
</setWindowsACL>

Example 2 - Inheritance:

It is also possible to define the inheritance level:
<setWindowsACL>
     <action>deny</action>
     <files>c:\some\folder</files>
     <permissions>file_read_data</permissions>
     <recurseContainers>0</recurseContainers>
     <recurseObjects>0</recurseObjects>
     <recurseOneLevelOnly>0</recurseOneLevelOnly>
     <self>1</self>
     <users>Everyone</users>
</setWindowsACL>

  • <self> : determines whether the objects specified in the <files> tag are modified themselves, or only their children, when the recursion tags are enabled.
  • <recurseOneLevelOnly> : restricts the inheritance to the first level of the hierarchy when one of the options below is enabled.
  • <recurseObjects> : applies the inheritance to objects (files).
  • <recurseContainers> : applies the inheritance to containers (folders).
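To show how the tags from Example 1 and Example 2 combine in an installer, here is an added example of a least-privilege layout under the installation directory; it is not code from the blog post or from BitRock. It assumes the usual InstallBuilder project elements `<postInstallationActionList>`, `<ruleList>` with `<platformTest>`, and the `${installdir}` variable, and it uses the well-known SIDs S-1-1-0 (Everyone) and S-1-5-32-544 (local Administrators) instead of localized names, as the post recommends. The permission names are the ones the post itself uses.

```xml
<!-- Added example (not from the original post). Assumes <postInstallationActionList>,
     <ruleList>/<platformTest> and ${installdir} as used in other InstallBuilder projects. -->
<postInstallationActionList>

    <!-- Program files: Everyone (SID S-1-1-0, not the localized "Everyone" name)
         may read and execute, applied to the bin folder itself (<self>) and one
         level of files and subfolders below it (<recurseOneLevelOnly>). -->
    <setWindowsACL>
        <action>allow</action>
        <users>S-1-1-0</users>
        <permissions>file_read_data file_execute</permissions>
        <files>${installdir}\bin</files>
        <self>1</self>
        <recurseContainers>1</recurseContainers>
        <recurseObjects>1</recurseObjects>
        <recurseOneLevelOnly>1</recurseOneLevelOnly>
        <ruleList>
            <platformTest type="windows"/>
        </ruleList>
    </setWindowsACL>

    <!-- Configuration: only the local Administrators group (SID S-1-5-32-544)
         is granted write access, recursively through the whole conf tree.
         No other user is granted write access here, so no "deny" entry is needed. -->
    <setWindowsACL>
        <action>allow</action>
        <users>S-1-5-32-544</users>
        <permissions>file_read_data file_write_data</permissions>
        <files>${installdir}\conf</files>
        <self>1</self>
        <recurseContainers>1</recurseContainers>
        <recurseObjects>1</recurseObjects>
        <recurseOneLevelOnly>0</recurseOneLevelOnly>
        <ruleList>
            <platformTest type="windows"/>
        </ruleList>
    </setWindowsACL>

</postInstallationActionList>
```

An "allow" entry is added on top of whatever the files already inherit from their parent folder, so it cannot take away rights that were granted higher up; if the inherited ACL is broader than you want, use a "deny" entry as in Example 2, bearing in mind that a deny for Everyone also applies to administrators and to the installer itself. After installation, running `icacls` on the folder with no further arguments prints the resulting entries, which is a quick way to confirm that the action produced the intended ACL.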


Example 3 - Using InstallBuilder GUI:

Of course this action is also available from the InstallBuilder GUI.



2 comments:

brett said...

The URL to the standard ACLs is incorrect.

Try this page instead.
http://support.microsoft.com/kb/243330

BitRock Team said...

Article updated, thanks Brett