Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions

Setting Directory ACLs To Mimic Standard Windows Permissions

By , 19 Feb 2013
 
I wrote a post yesterday about ACLs for File and Directory Access because I needed a way to set the permissions for a user to Modify that mimicked the way Windows set permissions.  I found that I needed to expand the settings to allow for more permission types.

I decided on these permission types for the directory to come as close to the way Windows handles permissions when you click on a one of the options for a directory's security properties.
Friend Enum DirectoryPermission
  Full
  Modify
  AllExceptModifyAndFull
  ReadAndExecute
  ListContents
  Read
  Write
  None
End Enum

None in the above list doesn't remove the security rule, but sets it to no available permissions.  The rest of the options in the enumeration should be self-explanatory. 

Private Sub SetDirectoryPermissions(ByVal Directory As String, ByVal Permissions As DirectoryPermission, Optional ByVal Domain As String = Nothing, Optional ByVal User As String = Nothing)
  ' Get the ACL for the directory just created
  Dim oACL As Security.AccessControl.DirectorySecurity = IO.Directory.GetAccessControl(Directory, Security.AccessControl.AccessControlSections.Access)

  Dim oUserSid As Security.Principal.SecurityIdentifier
  If Not IsNothing(Domain) AndAlso Not IsNothing(User) Then
    oUserSid = New Security.Principal.NTAccount(Domain, User).Translate(GetType(Security.Principal.SecurityIdentifier))
  ElseIf Not IsNothing(User) Then
    oUserSid = New Security.Principal.NTAccount(User).Translate(GetType(Security.Principal.SecurityIdentifier))
  Else
    ' Create a security Identifier for the BUILTIN\Users group to be passed to the new access rule
    oUserSid = New Security.Principal.SecurityIdentifier(Security.Principal.WellKnownSidType.BuiltinUsersSid, Nothing)
  End If

  Dim lRights As Long
  Dim lInheritance As Long
  Select Case Permissions
    Case DirectoryPermission.Full
      lRights = Security.AccessControl.FileSystemRights.FullControl
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.Modify
      lRights = Security.AccessControl.FileSystemRights.Modify Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.ReadAndExecute
      lRights = Security.AccessControl.FileSystemRights.ReadAndExecute Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.AllExceptModifyAndFull
      lRights = Security.AccessControl.FileSystemRights.Write Or Security.AccessControl.FileSystemRights.ReadAndExecute Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.ListContents
      lRights = Security.AccessControl.FileSystemRights.ReadAndExecute Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit
    Case DirectoryPermission.Read
      lRights = Security.AccessControl.FileSystemRights.Read Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.Write
      lRights = Security.AccessControl.FileSystemRights.Write Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case Else
      ' No rights
      lRights = 0
      lInheritance = 0
  End Select

  ' Create the rule that needs to be added to the ACL
  Dim oRule As New Security.AccessControl.FileSystemAccessRule(oUserSid,
                                                               lRights,
                                                               lInheritance,
                                                               Security.AccessControl.PropagationFlags.None,
                                                               Security.AccessControl.AccessControlType.Allow)

  ' Add the new rule to our ACL
  oACL.AddAccessRule(oRule)

  ' Update the directory to include the new rules created
  System.IO.Directory.SetAccessControl(Directory, oACL)
End Sub

A couple of things had to be added to the code: Allow the routine to specify a user name and optional domain name to whom to apply the permission; Convert the Security.Principal.NTAccount into a Security.Principal.SecurityIdentifier.  I also found that the Security.AccessControl.InheritanceFlags made a difference in which permissions could be set without seeing Special Permissions also being checked.

I still have more I can do to this routine, including setting the Deny versions of the DirectoryPermission  Please let me know what you think.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 Adam Zuckerman
Software Developer (Senior)
United States United States
Member
Long time software engineer who rambles occasionally about coding, best practices, and other random things.

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
Hint: For improved responsiveness ensure Javascript is enabled and choose 'Normal' from the Layout dropdown and hit 'Update'.
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
 
-- There are no messages in this forum --
About Article
I wrote a post yesterday about ACLs for File and Directory Access because I needed a way to set the permissions for a user to Modify that mimicked the way Windows set permissions.  
Type Technical Blog
Licence CPOL
First Posted 19 Feb 2013
Views 1,466
Bookmarked 1 time
Top News

10 Technology Skills That Will No Longer Help You Get A Job

Get the Insider News free each morning.
Related Videos
Setting up a Command (MVVM) in Windows Phone 8
Beginners Java Programming - 0601 The Standard Java Arithmetic Operators
The Windows Access Control Model Part 4
VBScript Recursive ACL List
Jazz Up Your C# Code
Using Access Control Lists to secure access to your objects
Setting Exchange Folder Permissions Remotely
NT Security Classes for .NET
Demystify http.sys with HttpSysManager
Discretionary ACL Authorization Security Model in Web Applications with NHibernate
File Server Audit
The Windows Access Control Model Part 1
Undelete a file in NTFS
NUKEleus - A DotNetNuke Installation Program
Securing NT objects
Canonicalization attacks - Prevention and Mitigation Guide
Migrating Lotus Notes (Domino) data to Microsoft Office SharePoint Server 2007
Web-based Active Directory Login
Upgrading to Lotus Notes and Domino 7 - Chapter 3 : Domino Domain Monitoring
Generic Directory Watcher Service
A Developer's Survival Guide to IE Protected Mode
Beginner's Guide: Exploring IIS 6.0 With ASP.NET
Permalink | Advertise | Privacy | Mobile
Web03 | 2.6.130513.1 | Last Updated 19 Feb 2013
Article Copyright 2013 by Adam Zuckerman
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid