The Masks field is a tricky but powerful way to describe permissions.

It is actually able to do anything, but the who-can fields in the interface are much easier to use, so you should try to use the latter whenever possible and recur to masks only when necessary. The who-can fields are quite easy to understand, trickier cases are the ones that require the use of masks.

To use it effectively you should know the syntax used internally by the VFS. You can read it about it here.

This field maps one or multiple file-masks to a set of properties. In this example we set permission for a single file:

myfile.txt:
  can_see: false
  can_read: false

If you want your rule to target multiple files, you can use wildcards.

Rules on top have priority over bottom rules. Inner rules have priority over parent's rules. A mask can carry any node property, even property "masks".

If the mask ends with |files|, then it will match only files and not folders. You can get the opposite effect with suffix |folders|.

"folder1/folder2|folder3/folder4/*.mp3": 
  can_see: false

Select the folder and enter these rules in the Masks field

"*.zip":
  can_read: false

"**/*.mp3":
  can_read: false
"*.dat": 
  mime: application/something

Select the folder and enter these rules in the Masks field

"**.zip":
  can_read: false

** is like * but applies to subfolders too.

Select the folder and enter these rules in the Masks field

"*.zip":
  can_read: true
"*":
  can_read: false