‎Jan 17, 2012
05:47 AM
how to set "deny" rights to a folder in Lock Permission table?
Hi.
I need to set Write "DENY" rights to a folder in my package. It has to be set to "DENY", setting something like "read only" is not an option. Is there some value I can set in Lock Permission to get such rights?
BR, Lucas.
(5) Replies
‎Jan 17, 2012
07:06 AM
I don't think there is any deny option. A standard LockPermissions table will only give you use of a combination of Read / Write / Execute permissions.
Not exactly sure what you are trying to achieve, but you could set full permissions for a given folder to only the System account, which would pretty much deny access to this folder for everyone else..?
i.e:
LockObject - Table - Domain - User - Permission
INSTALLDIR - CreateFolder - (Null) - SYSTEM - 268435456
‎Jan 17, 2012
08:28 AM
There are several other ways to deny specific permissions: custom InstallShield handling method, the MsiLockPermissionsEx method, and the InstallScript function SetObjectPermissions. For a comparison of each method, see Securing Files, Folders, Registry Keys, and Windows Services in a Locked-Down Environment.
The bottom of that help topic has links that point to help topics on how to use each of those methods.
‎Jan 17, 2012
09:25 AM
Well editing ISM file, if I choose in "General Information" tab the "Locked-down Permissions" to "Custom InstallShield" I do have a "deny" option (checkbox) while setting permissions in "Files and Folders" tab. And then I can see in ISLock Permissions that Attribute column is shown next to Permission column. Checking "deny" option sets Attribute to 1, instead of default 0. All looks good so far, but the permissions after installing package are MERGED with inherited permissions, instead of being replaced, how can I change that?
Effect is that on this folder I've got all permissions inherited from the folder above, plus permissions set in ISLock Permissions, instead of ISLock Permissions only.
Isn't there just a value I could set in Lock Permissions to deny write for a group?
‎Jan 17, 2012
03:42 PM
Ah. Well, the LockPermissions table doesn't have support for denying permissions. The ISLockPermissions table (the custom InstallShield method of configuring permissions) does have support for denying permissions; however, it doesn't have support for turning off inheritable permissions from the object's parent.
I believe that the MsiLockPermissionsEx table (the new Windows Installer handling method) does have support for both denying permissions and turning off inheritable permissions from the object's parent. So, maybe you could consider using this method. Note that this method requires a minimum of Windows Installer 5 on the target system. So, if your installation needs to support Windows Vista or earlier, this method will not work. Also note that a project cannot use both the MsiLockPermissionsEx table and the LockPermissions table.
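The MsiLockPermissionsEx approach from the reply above, as an added example that is not part of the thread or of InstallShield's own material: PowerShell that uses the .NET ACL classes to build an SDDL string with inheritance turned off and a deny-write entry, for the SDDLText column of an MsiLockPermissionsEx row. The denied group (BUILTIN\Users), the two allow entries and the row key `DenyWriteInstallDir` are assumptions; `INSTALLDIR` and `CreateFolder` are taken from the earlier reply.

```powershell
# Added example: generate SDDLText for an MsiLockPermissionsEx row.
# Assumed policy (not from the thread): deny Write to BUILTIN\Users,
# allow full control to SYSTEM and BUILTIN\Administrators.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

function New-FolderRule([string]$Sid, [string]$Rights, [string]$Type) {
    $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $inherit, $noProp,
        [System.Security.AccessControl.AccessControlType]$Type)
}

$sd = [System.Security.AccessControl.DirectorySecurity]::new()
# $true  = protect the DACL, so nothing is inherited from the parent folder
# $false = do not keep copies of the previously inherited entries
$sd.SetAccessRuleProtection($true, $false)
$sd.AddAccessRule((New-FolderRule 'S-1-5-32-545' 'Write'       'Deny'))   # BUILTIN\Users
$sd.AddAccessRule((New-FolderRule 'S-1-5-18'     'FullControl' 'Allow'))  # SYSTEM
$sd.AddAccessRule((New-FolderRule 'S-1-5-32-544' 'FullControl' 'Allow'))  # Administrators

$sddl = $sd.GetSecurityDescriptorSddlForm(
    [System.Security.AccessControl.AccessControlSections]::Access)

# Round-trip check: parse the string back and confirm that it is protected
# from inheritance and still carries a deny entry before it goes into the MSI.
$check = [System.Security.AccessControl.DirectorySecurity]::new()
$check.SetSecurityDescriptorSddlForm($sddl)
$rules = $check.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
$deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
if (-not $check.AreAccessRulesProtected -or $deny.Count -lt 1) {
    throw "Unexpected descriptor: $sddl"
}

# Column names of the MsiLockPermissionsEx table; the key value is constructed.
[pscustomobject]@{
    MsiLockPermissionsEx = 'DenyWriteInstallDir'
    LockObject           = 'INSTALLDIR'
    Table                = 'CreateFolder'
    SDDLText             = $sddl
    Condition            = $null
}
```

Deny entries are evaluated before allow entries, so an account that belongs to the denied group loses write access even when another entry grants it full control.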
‎Jan 18, 2012
03:08 AM
Hi, thanks for your explanation. I'm afraid WI 4.5 is still in use in that company, cause they still support XP. I'll try to do it using SetACL.
BR, Lucas.