Setting Directory ACLs To Mimic Standard Windows Permissions

19 Feb 2013, CPOL
How to set directory ACLs to mimic standard Windows permissions

I wrote a post yesterday about ACLs for File and Directory Access because I needed a way to set the permissions for a user to modify that mimicked the way Windows sets permissions. I found that I needed to expand the settings to allow for more permission types.

I decided on these permission types for the directory to come as close as possible to the way Windows handles permissions when you click one of the options in a directory's security properties.

VB.NET
Friend Enum DirectoryPermission
  Full
  Modify
  AllExceptModifyAndFull
  ReadAndExecute
  ListContents
  Read
  Write
  None
End Enum

None in the above list doesn't remove the security rule, but sets it to no available permissions. The rest of the options in the enumeration should be self-explanatory.

VB.NET
' Assumes the project-level import of System (the VB default), so that
' Security.AccessControl, Security.Principal and IO resolve without further Imports.
Private Sub SetDirectoryPermissions(ByVal Directory As String, _
                                    ByVal Permissions As DirectoryPermission, _
                                    Optional ByVal Domain As String = Nothing, _
                                    Optional ByVal User As String = Nothing)
  ' Get the access ACL (the DACL) for the directory
  Dim oACL As Security.AccessControl.DirectorySecurity = _
    IO.Directory.GetAccessControl(Directory, Security.AccessControl.AccessControlSections.Access)

  ' Resolve the account to a SID. Translate returns an IdentityReference,
  ' so the result is cast to SecurityIdentifier.
  Dim oUserSid As Security.Principal.SecurityIdentifier
  If Not IsNothing(Domain) AndAlso Not IsNothing(User) Then
    oUserSid = DirectCast(New Security.Principal.NTAccount(Domain, User).Translate( _
      GetType(Security.Principal.SecurityIdentifier)), Security.Principal.SecurityIdentifier)
  ElseIf Not IsNothing(User) Then
    oUserSid = DirectCast(New Security.Principal.NTAccount(User).Translate( _
      GetType(Security.Principal.SecurityIdentifier)), Security.Principal.SecurityIdentifier)
  Else
    ' Create a security identifier for the
    ' BUILTIN\Users group to be passed to the new access rule
    oUserSid = New Security.Principal.SecurityIdentifier( _
      Security.Principal.WellKnownSidType.BuiltinUsersSid, Nothing)
  End If

  ' Typed as the enums FileSystemAccessRule expects rather than Long, so no
  ' narrowing conversion is needed (and the code compiles under Option Strict On)
  Dim lRights As Security.AccessControl.FileSystemRights
  Dim lInheritance As Security.AccessControl.InheritanceFlags
  Select Case Permissions
    Case DirectoryPermission.Full
      lRights = Security.AccessControl.FileSystemRights.FullControl
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
        Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.Modify
      ' The Windows presets carry the Synchronize right, which the Modify, ReadAndExecute,
      ' Read and Write composites lack; without it the entry shows as Special Permissions
      lRights = Security.AccessControl.FileSystemRights.Modify _
        Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
        Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.ReadAndExecute
      lRights = Security.AccessControl.FileSystemRights.ReadAndExecute _
        Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
        Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.AllExceptModifyAndFull
      lRights = Security.AccessControl.FileSystemRights.Write _
        Or Security.AccessControl.FileSystemRights.ReadAndExecute _
        Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
        Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.ListContents
      ' "List folder contents" applies to this folder and subfolders only,
      ' hence ContainerInherit without ObjectInherit
      lRights = Security.AccessControl.FileSystemRights.ReadAndExecute _
        Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit
    Case DirectoryPermission.Read
      lRights = Security.AccessControl.FileSystemRights.Read _
        Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
        Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case DirectoryPermission.Write
      lRights = Security.AccessControl.FileSystemRights.Write _
        Or Security.AccessControl.FileSystemRights.Synchronize
      lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
        Or Security.AccessControl.InheritanceFlags.ObjectInherit
    Case Else
      ' No rights. FileSystemAccessRule rejects an access mask of 0 (ArgumentException),
      ' so remove this identity's explicit rules instead; the effective permissions are then none
      oACL.PurgeAccessRules(oUserSid)
      System.IO.Directory.SetAccessControl(Directory, oACL)
      Exit Sub
  End Select

  ' Create the rule that needs to be added to the ACL
  Dim oRule As New Security.AccessControl.FileSystemAccessRule(oUserSid, _
                                                               lRights, _
                                                               lInheritance, _
                                                               Security.AccessControl.PropagationFlags.None, _
                                                               Security.AccessControl.AccessControlType.Allow)

  ' Add the new rule to our ACL
  oACL.AddAccessRule(oRule)

  ' Update the directory to include the new rules created
  System.IO.Directory.SetAccessControl(Directory, oACL)
End Sub

Two things had to be added to the code: allowing the routine to take a user name and an optional domain name for the account the permission applies to, and converting the Security.Principal.NTAccount into a Security.Principal.SecurityIdentifier. I also found that the Security.AccessControl.InheritanceFlags made a difference in which permissions could be set without Special Permissions also being checked.
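The same preset table in PowerShell, as an added example that is not the article's code: one function applies a preset to a directory the way the routine above does, and a second reads the DACL back and names the preset each explicit entry matches, so entries that would display as Special Permissions can be spotted. It assumes PowerShell 5.1 or later on Windows with NTFS; the function names and the $Presets table are my own.

```powershell
# Added example, not the article's code. Assumes PowerShell 5.1+ on Windows with NTFS.
$R = [System.Security.AccessControl.FileSystemRights]
$I = [System.Security.AccessControl.InheritanceFlags]
$Both = $I::ContainerInherit -bor $I::ObjectInherit
# The article's Select Case as a table. The Modify, ReadAndExecute, Read and Write
# values lack Synchronize, which the Windows presets carry, so it is ORed in; an
# entry without it (or with other inheritance flags) displays as "Special permissions".
$Presets = [ordered]@{
    Full                   = @{ Rights = $R::FullControl;                                       Inherit = $Both }
    Modify                 = @{ Rights = $R::Modify -bor $R::Synchronize;                       Inherit = $Both }
    AllExceptModifyAndFull = @{ Rights = $R::Write -bor $R::ReadAndExecute -bor $R::Synchronize; Inherit = $Both }
    ReadAndExecute         = @{ Rights = $R::ReadAndExecute -bor $R::Synchronize;               Inherit = $Both }
    ListContents           = @{ Rights = $R::ReadAndExecute -bor $R::Synchronize;               Inherit = $I::ContainerInherit }
    Read                   = @{ Rights = $R::Read -bor $R::Synchronize;                         Inherit = $Both }
    Write                  = @{ Rights = $R::Write -bor $R::Synchronize;                        Inherit = $Both }
}

function Set-DirectoryPreset {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Preset,   # a $Presets key, or 'None'
          [string]$Identity = 'BUILTIN\Users')     # or 'DOMAIN\user'
    $acl = Get-Acl -LiteralPath $Path
    $who = [System.Security.Principal.NTAccount]$Identity
    if ($Preset -eq 'None') {
        # FileSystemAccessRule rejects an access mask of 0, so 'None' removes the
        # identity's explicit entries instead; the effective permissions are the same.
        $acl.PurgeAccessRules($who)
    } else {
        $p = $Presets[$Preset]; if (-not $p) { throw "Unknown preset '$Preset'" }
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $who, $p.Rights, $p.Inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Read the DACL back and name the preset each explicit entry matches; 'Special' is what
# the Security tab would show. Review those and any unexpected Full/Modify grants.
function Get-AcePresetReport {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IsInherited) { continue }   # only entries set on this directory itself
        $match = 'Special'
        foreach ($name in $Presets.Keys) {
            if ($ace.FileSystemRights -eq $Presets[$name].Rights -and $ace.InheritanceFlags -eq $Presets[$name].Inherit) { $match = $name; break }
        }
        [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Type = $ace.AccessControlType; Rights = $ace.FileSystemRights; Preset = $match }
    }
}
```

Running Get-AcePresetReport before and after Set-DirectoryPreset on a test directory shows which entries Windows would label Special and confirms that the applied entry matches the intended preset exactly.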

I still have more I can do to this routine, including setting the Deny versions of the DirectoryPermission. Please let me know what you think.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer (Senior)
United States
Long time software engineer who rambles occasionally about coding, best practices, and other random things.
