As an administrator you may need to know about the underlying schema of the configuration files. The table below lists the cases in which full or partial knowledge of the schema is necessary to complete certain administrative tasks:
| Administrative task | Knowledge of schema required |
|---|---|
| Changing or adding permission sets using CASPol | You should know the permission schema (what goes between the <Permission..> tags) and the permission set schema (what goes between the <PermissionSet..> tags). |
| Manually editing security configuration files | You should know the complete configuration schema as described here. |
| All other security-related administrative tasks (using CASPol) | No knowledge of the schema is required, but it can be helpful when reading the output of the policy analysis and list options. Use this chapter as a reference when output involving permissions seems unclear. |
When the user or machine policy is changed using CASPol, the policy configuration is persisted in a security.cfg file. This file is in XML format and represents the serialization of a security policy.

This section introduces the different element types (<elementtype>), their attributes and values, and the way the elements must be arranged in order to express a permission, a permission set, a code group, a policy and finally a configuration file. The security configuration schema is presented from the bottom up, starting with the most atomic part: permissions.
Important note on notation. Symbols in bold are part of the meta-language (describing the syntax of the schema):

- **|** means inclusive or (expressions that are part of a | clause can be combined in full or in subsets),
- **v** means exclusive or, differentiating expressions that cannot appear together,
- ***** means multiple instances of that expression are allowed,
- **[]** contains a description of the value to be inserted at that spot,
- an expression marked with **%** is optional.
There is no particular order in which tag elements at the same hierarchy level must appear. For instance, instead of

    < > <Read>..</Read> <Write>..</Write> < >

the ordering

    < > <Write>..</Write> <Read>..</Read> <..>

would also work.
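The order-independence rule above is easy to get wrong when a configuration file is processed by hand-written tooling. The following script is an added example, not code from the original page or from the .NET security infrastructure; it assumes a hypothetical <Permission> element with a class attribute and <Read>/<Write> children (the real schema is introduced later in this chapter), and shows how to canonicalise such a fragment so that sibling order does not matter, while still rejecting an element the grammar does not allow or a sibling that appears more than once.

```python
"""Added example (not from the original page): canonicalise a permission
fragment whose child elements may appear in any order.

Assumptions (hypothetical, not the page's schema): a <Permission> element
carrying a 'class' attribute and <Read>/<Write> children holding one path each,
with each child allowed at most once.
"""
import xml.etree.ElementTree as ET

# Child elements the hypothetical <Permission> grammar allows (assumption).
ALLOWED_CHILDREN = {"Read", "Write"}

# Two constructed fragments that differ only in the order of their siblings.
FRAGMENT_A = """<Permission class="FileIOPermission">
  <Read>C:\\data</Read>
  <Write>C:\\logs</Write>
</Permission>"""

FRAGMENT_B = """<Permission class="FileIOPermission">
  <Write>C:\\logs</Write>
  <Read>C:\\data</Read>
</Permission>"""

# A constructed fragment with an element the grammar does not allow.
FRAGMENT_BAD = """<Permission class="FileIOPermission">
  <Read>C:\\data</Read>
  <Execute>C:\\bin</Execute>
</Permission>"""


def parse_permission(xml_text: str) -> dict:
    """Return an order-independent representation of a <Permission> element.

    Raises ValueError for an unknown child element or for a child that the
    (assumed) grammar allows only once but which appears twice.
    Policy files are local, trusted input; if this were ever fed untrusted
    XML, parse with defusedxml instead of the standard library parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "Permission":
        raise ValueError(f"expected <Permission>, got <{root.tag}>")
    result = {"class": root.get("class"), "children": {}}
    for child in root:
        if child.tag not in ALLOWED_CHILDREN:
            raise ValueError(f"unexpected element <{child.tag}> inside <Permission>")
        if child.tag in result["children"]:
            raise ValueError(f"<{child.tag}> appears more than once")
        result["children"][child.tag] = (child.text or "").strip()
    return result


def is_valid_permission(xml_text: str) -> bool:
    """True when the fragment conforms to the assumed grammar."""
    try:
        parse_permission(xml_text)
    except (ValueError, ET.ParseError):
        return False
    return True


def same_permission(a: str, b: str) -> bool:
    """True when two fragments express the same permission regardless of order."""
    return parse_permission(a) == parse_permission(b)


if __name__ == "__main__":
    print("A and B equivalent:", same_permission(FRAGMENT_A, FRAGMENT_B))
    print("BAD accepted:", is_valid_permission(FRAGMENT_BAD))
```

Comparing the parsed dictionaries rather than the raw text is what makes the check order-insensitive; the same approach extends to any level of the schema where siblings are unordered, whereas a textual diff of two policy files would flag a harmless reordering as a change.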