cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
lucask
Level 3

how to set "deny" rights to a folder in Lock Permission table?

Hi.

I need to set Write "DENY" rights to a folder in my package. It has to be set to "DENY", setting somnething like "read only" is not an option. Is there some value I can set in Lock Permission to get such rights?

BR, Lucas.
Labels (1)
0 Kudos
(5) Replies
Tetsuo
Level 4

I don't think there is any deny option. A standard Lockpermissions table will only give you use of a combination of Read / Write / Execute permissions.

Not exactly sure what you are trying to achieve, but you could set full permissions for a given folder to only the System account, which would pretty much deny access to this folder for everyone else..?

i.e:
LockObject - Table - Domain - User - Permission
INSTALLDIR - CeateFolder - (Null) - SYSTEM - 268435456
0 Kudos
DebbieL
Level 17

There are several other ways to deny specific permissions: custom InstallShield handling method, the MsiLockPermissionsEx method, and the InstallScript function SetObjectPermissions. For a comparison of each method, see Securing Files, Folders, Registry Keys, and Windows Services in a Locked-Down Environment.

The bottom of that help topic has links that point to help topics on how to use each of those methods.
0 Kudos
lucask
Level 3

Well editing ISM file, if I choose in "General Information" tab the "Locked-down Permissions" to "Custom InstallShield" I do have an "deny" option (checkbox) while setting permissions in "Files and Folders" tab. And than I can see in ISLock Permissions that Attribute column is shown next to Permission column. Checking "deny" option sets Attribute to 1, instead of default 0. All looks good so far, but the permissions after installing package are MERGED with inherit permissions, instead of being replaced, how can I change that?

Effect is that on this folder I've got all permissions inherit from folder above, plus permissions set in ISLock Permissions, instead of ISLock Permissions only.

Isn't there just a value I could set in Lock Permissions to deny write for a group?
0 Kudos
DebbieL
Level 17

Ah. Well, the LockPermissions table doesn't have support for denying permissions. The ISLockPermissions table (the custom InstallShield method of configuring permissions) does have support for denying permissions; however, it doesn't have support for turning off inheritable permissions from the object's parent.

I believe that the MsiLockPermissionsEx table (the new Windows Installer handling method) does have support for both denying permissions and turning off inheritable permissions from the object's parent. So, maybe you could consider using this method. Note that this method requires a minimum of Windows Installer 5 on the target system. So, if your installation needs to support Windows Vista or earier, this method will not work. Also note that a project cannot use both the MsiLockPermissionsEx table and the LockPermissions table.
0 Kudos
lucask
Level 3

Hi, thanks for your explanation. I'm affraid WI 4.5 is still in use in that company, cause they still support XP. I'll try to do it using SetACL.

BR, Lucas.
0 Kudos