Setting Directory ACLs To Mimic Standard Windows Permissions

19 Feb 2013
I wrote a post yesterday about ACLs for File and Directory Access because I needed a way to set a user's permissions to Modify in a way that mimicked how Windows sets permissions. I found that I needed to expand the settings to allow for more permission types.

I decided on these permission types for the directory to come as close as possible to the way Windows handles permissions when you check one of the options on a directory's Security properties.
Friend Enum DirectoryPermission
  Full
  Modify
  AllExceptModifyAndFull
  ReadAndExecute
  ListContents
  Read
  Write
  None
End Enum

None in the above list doesn't remove the security rule, but sets it to no available permissions.  The rest of the options in the enumeration should be self-explanatory.

Private Sub SetDirectoryPermissions(ByVal Directory As String, ByVal Permissions As DirectoryPermission, Optional ByVal Domain As String = Nothing, Optional ByVal User As String = Nothing)
  ' Get the current DACL (access rules only) for the directory
  Dim oACL As Security.AccessControl.DirectorySecurity = IO.Directory.GetAccessControl(Directory, Security.AccessControl.AccessControlSections.Access)

  ' Resolve the account to a SID. Translate returns an IdentityReference, so it has to be cast
  ' for the assignment to compile with Option Strict On.
  Dim oUserSid As Security.Principal.SecurityIdentifier
  If Not IsNothing(Domain) AndAlso Not IsNothing(User) Then
    oUserSid = DirectCast(New Security.Principal.NTAccount(Domain, User).Translate(GetType(Security.Principal.SecurityIdentifier)), Security.Principal.SecurityIdentifier)
  ElseIf Not IsNothing(User) Then
    oUserSid = DirectCast(New Security.Principal.NTAccount(User).Translate(GetType(Security.Principal.SecurityIdentifier)), Security.Principal.SecurityIdentifier)
  Else
    ' No account given: create a security identifier for the BUILTIN\Users group
    oUserSid = New Security.Principal.SecurityIdentifier(Security.Principal.WellKnownSidType.BuiltinUsersSid, Nothing)
  End If

  ' Use the enumeration types (rather than Long) so the values match the
  ' FileSystemAccessRule constructor parameters without an implicit conversion
  Dim eRights As Security.AccessControl.FileSystemRights
  Dim eInheritance As Security.AccessControl.InheritanceFlags
  Select Case Permissions
    Case DirectoryPermission.Full
      eRights = Security.AccessControl.FileSystemRights.FullControl
      eInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.Modify
      eRights = Security.AccessControl.FileSystemRights.Modify Or Security.AccessControl.FileSystemRights.Synchronize
      eInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.ReadAndExecute
      eRights = Security.AccessControl.FileSystemRights.ReadAndExecute Or Security.AccessControl.FileSystemRights.Synchronize
      eInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.AllExceptModifyAndFull
      eRights = Security.AccessControl.FileSystemRights.Write Or Security.AccessControl.FileSystemRights.ReadAndExecute Or Security.AccessControl.FileSystemRights.Synchronize
      eInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.ListContents
      ' "List folder contents" is Read & execute that applies to this folder and subfolders only,
      ' so ObjectInherit is deliberately left out
      eRights = Security.AccessControl.FileSystemRights.ReadAndExecute Or Security.AccessControl.FileSystemRights.Synchronize
      eInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit
    Case DirectoryPermission.Read
      eRights = Security.AccessControl.FileSystemRights.Read Or Security.AccessControl.FileSystemRights.Synchronize
      eInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.Write
      eRights = Security.AccessControl.FileSystemRights.Write Or Security.AccessControl.FileSystemRights.Synchronize
      eInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case Else
      ' No rights
      eRights = CType(0, Security.AccessControl.FileSystemRights)
      eInheritance = Security.AccessControl.InheritanceFlags.None
  End Select

  ' Create the rule that needs to be added to the ACL
  Dim oRule As New Security.AccessControl.FileSystemAccessRule(oUserSid,
                                                               eRights,
                                                               eInheritance,
                                                               Security.AccessControl.PropagationFlags.None,
                                                               Security.AccessControl.AccessControlType.Allow)

  ' Add the new rule to our ACL. Note that AddAccessRule merges with any Allow rule the
  ' account already has; SetAccessRule would replace the account's Allow rules instead.
  oACL.AddAccessRule(oRule)

  ' Update the directory to include the new rules created
  System.IO.Directory.SetAccessControl(Directory, oACL)
End Sub

A couple of things had to be added to the code: the routine now accepts a user name and an optional domain name for the account the permission applies to, and it converts the Security.Principal.NTAccount into a Security.Principal.SecurityIdentifier. I also found that the Security.AccessControl.InheritanceFlags determine which permissions can be set without Special Permissions also showing as checked.
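As an added check (not part of the original post), this PowerShell script uses the same System.Security.AccessControl types to read back an account's explicit entries and classify them the way the Security tab does, and it shows that AddAccessRule cannot tighten an existing grant while SetAccessRule replaces it. It assumes a throwaway directory under $env:TEMP and the BUILTIN\Users group.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Masks the Security tab shows as one checkbox. .NET adds Synchronize to every Allow rule,
# so it is part of each basic permission; any other mask appears as "Special permissions".
$Basic = [ordered]@{
    'Full control'   = [FileSystemRights]::FullControl
    'Modify'         = [FileSystemRights]::Modify -bor [FileSystemRights]::Synchronize
    'Read & execute' = [FileSystemRights]::ReadAndExecute -bor [FileSystemRights]::Synchronize
    'Read'           = [FileSystemRights]::Read -bor [FileSystemRights]::Synchronize
    'Write'          = [FileSystemRights]::Write -bor [FileSystemRights]::Synchronize
}
$CI   = [InheritanceFlags]::ContainerInherit
$CIOI = $CI -bor [InheritanceFlags]::ObjectInherit

function Get-BasicPermissionName([FileSystemRights]$Rights, [InheritanceFlags]$Inheritance) {
    # "List folder contents" is Read & execute scoped to this folder and subfolders only
    if ($Rights -eq $Basic['Read & execute'] -and $Inheritance -eq $CI) { return 'List folder contents' }
    foreach ($name in $Basic.Keys) {
        if ($Rights -eq $Basic[$name] -and $Inheritance -eq $CIOI) { return $name }
    }
    return 'Special permissions'
}

# Write one Allow ACE (merging with AddAccessRule, or replacing with SetAccessRule),
# then read back the explicit (non-inherited) entries for the account and classify them
function Update-DemoRule([string]$Path, [SecurityIdentifier]$Sid, [FileSystemRights]$Rights, [switch]$Replace) {
    $acl  = Get-Acl -Path $Path
    $rule = [FileSystemAccessRule]::new($Sid, $Rights, $CIOI, [PropagationFlags]::None, [AccessControlType]::Allow)
    if ($Replace) { $acl.SetAccessRule($rule) } else { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).GetAccessRules($true, $false, [SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid } |
        ForEach-Object { '{0} {1}: {2} / {3} -> {4}' -f $(if ($Replace) { 'Set' } else { 'Add' }), $Rights,
            $_.FileSystemRights, $_.InheritanceFlags, (Get-BasicPermissionName $_.FileSystemRights $_.InheritanceFlags) }
}

$dir = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())   # constructed throwaway directory
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    $sid = [SecurityIdentifier]::new([WellKnownSidType]::BuiltinUsersSid, $null)
    Update-DemoRule $dir $sid ([FileSystemRights]::FullControl)            # -> Full control
    # AddAccessRule merges into the existing entry, so "tightening" to Modify leaves Full control
    Update-DemoRule $dir $sid ([FileSystemRights]::Modify)                 # -> still Full control
    # SetAccessRule replaces the account's Allow entries, which is what the Security tab does
    Update-DemoRule $dir $sid ([FileSystemRights]::Modify) -Replace        # -> Modify
} finally {
    Remove-Item -Path $dir -Recurse -Force
}
```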

I still have more I can do to this routine, including setting the Deny versions of the DirectoryPermission values. Please let me know what you think.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Adam Zuckerman
Software Developer (Senior)
United States
Long time software engineer who rambles occasionally about coding, best practices, and other random things.