Okay. I didn't find any obvious article in MSDN, but what I did in the end was to take an MSI with the behaviour I wanted (i.e. in the LockPermissions table) and de-compile it using Dark. That got me the following WiX snippet:
<Permission User="Authenticated Users" Read="yes" ReadPermission="yes" EnumerateSubkeys="yes" Notify="yes"/> If I try this in my WiX code, it works fine - I see that the "Authenticated Users" group has the general "Read" permission set correctly. However, the above snippet is using the built-in "Permission" element and I actually want to use the WixUtilExtension "PermisssionEx" element so that I can get support for the localisation of group names such as "Authenticated Users". So in my WiX, I try the following snippet: <util:PermissionEx User="AuthenticatedUser" Read="yes" ReadPermission="yes" EnumerateSubkeys="yes" Notify="yes"/> In other words, I'm simply changing the element name but keeping all of the element attributes the same. I would have expected the end result to be the same, but it isn't. Something strange has happened to the ACLs regarding inheritance. The differences are: - If I use the standard Permission element, the ACLs on my key are exactly what I specify in the WiX file, plus full control for the System account which MSI always adds. If I use the PermissionEx element, then as well as adding my permissions, my key inherits all of the permissions from its parent (not what I want). - If I use the standard Permission element, the "Authenticated Users" group has the general "Read" permission (great). If I use PermissionEx, the "Authenticated Users" group is shown as having "Special" permission. Drilling down into the advanced view, it's clear that the permissions for "Authenticated Users" apply only to my key and not to its sub-keys. If I manually change the permissions in regedit so that they apply to "This key and subkeys" then suddenly I have the behaviour that I want, and the general permission changes from "Special" to "Read". So I have some questions: - Am I missing something with "PermissionEx"? Do I have to specify some magic attribute to make it behave in the same way (inheritance-wise) as "Permission"? - If not, is it a bug that the two end results are different with identical WiX? Or is that just the way PermissionEx works? Thanks! Mike >The PermissionEx element map directly to the ACLs that you can set on a >registry key. Check MSDN to see the right combination for "read" of a >registry key (it's probably not just "Read" but also includes "Enumerate >Subkeys" or something). > >Michael Bednarek wrote: > >> Hi all, >> >> I am using the WiX 3.0 PermissionEx element with a RegistryValue element and >> would like to give the "Authenticated Users" group the KEY_READ permission, >> i.e. I would like to be able to see the "Read" checkbox ticked when I view >> the permissions for the value in regedit. Which PermissionEx attribute >> should I use to get this particular ACL? >> >> At the moment I am using the following: >> >> <util:PermissionEx User="AuthenticatedUser" Read="yes" /> >> >> However, what I see in regedit is that the "Read" checkbox is not ticked, >> and instead the "Authenticated Users" group has a special permission called >> "Query value". Should I be using one of the other attributes? >> >> Thanks! >> >> Mike Bednarek ------------------------------------------------------------------------------ Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
