Programmatically Getting Effective Directory/File Permissions

  • Question

  • My application sets and shows permissions for files and folders. I know how to get rules by using DirectorySecurity.GetAccessRules(). But I can't get effective permissions.

    Is there an API in .NET for getting effective folder permissions for a user? Or should I manually analyze all permissions for the user: permissions for groups that include the user, inherited permissions and the user's permissions for the file/folder?

    I tried to use the GetEffectiveRightsFromAcl function, but it works incorrectly. After I added allow/deny rules, this function returned error 1336. I read that this function is sensitive to the order of deny/allow rules.

    Is there a function in the Windows API/FCL that can return effective permissions?


    • Edited by SullenMan Wednesday, February 21, 2018 1:01 PM
    Wednesday, February 21, 2018 12:59 PM

All replies

  • Hi SullenMan,

    Thank you for posting here.

    For your question, what is the effective permission you want to get?

    Here is a simple example of how to get the permissions of a folder.

    using System;
    using System.IO;
    using System.Security.AccessControl;
    using System.Security.Principal;

    class Program
    {
        // Lists the ACEs of every subfolder of dir, descending at most 'levels' levels.
        static void GetDirectorySecurity(string dir, int levels)
        {
            GetDirectorySecurity(dir, 1, levels);
        }

        // Recursive worker: curLevel controls the indentation and the depth limit.
        static void GetDirectorySecurity(string dir, int curLevel, int levels)
        {
            string[] dirs = Directory.GetDirectories(dir);
            string tabs = "";
            for (int i = 0; i < curLevel; i++)
                tabs += "\t";
            // Folder headers are indented one tab less than their ACE details.
            string headerIndent = tabs.Substring(0, tabs.Length - 1);

            foreach (string directory in dirs)
            {
                Console.WriteLine(headerIndent + "---------------------------------------------------------");
                Console.WriteLine(headerIndent + directory);
                try
                {
                    DirectoryInfo dInfo = new DirectoryInfo(directory);
                    DirectorySecurity dSecurity = dInfo.GetAccessControl();
                    // Explicit and inherited rules, with identities shown as account names.
                    AuthorizationRuleCollection acl = dSecurity.GetAccessRules(true, true, typeof(NTAccount));
                    foreach (FileSystemAccessRule ace in acl)
                    {
                        Console.WriteLine("{0}Account: {1}", tabs, ace.IdentityReference.Value);
                        Console.WriteLine("{0}Type: {1}", tabs, ace.AccessControlType);
                        Console.WriteLine("{0}Rights: {1}", tabs, ace.FileSystemRights);
                        Console.WriteLine("{0}Inherited: {1}", tabs, ace.IsInherited);
                        Console.WriteLine();
                    }

                    if (curLevel < levels)
                        GetDirectorySecurity(directory, curLevel + 1, levels);
                }
                catch
                {
                    // Typically an access-denied error while reading the folder or its ACL.
                    Console.WriteLine("Could not access {0}", directory);
                }
            }
        }

        static void Main(string[] args)
        {
            GetDirectorySecurity(@"C:\Users\v-wezan\Desktop\New", 0);

            Console.ReadKey();
        }
    }

    I use two folders with different permissions for reference.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, February 22, 2018 6:56 AM
    Moderator
  • Effective Permission: Folder->Properties->Security->Advanced->Effective Permissions

    That includes the permissions in effect from group membership and any permissions inherited from the parent object. These are the resulting user rights to the folder.


    Thursday, February 22, 2018 11:36 AM
  • My application sets and shows permissions for files and folders. I know how to get rules by using DirectorySecurity.GetAccessRules(). But I can't get effective permissions.

    Is there an API in .NET for getting effective folder permissions for a user? Or should I manually analyze all permissions for the user: permissions for groups that include the user, inherited permissions and the user's permissions for the file/folder?

    I tried to use the GetEffectiveRightsFromAcl function, but it works incorrectly. After I added allow/deny rules, this function returned error 1336. I read that this function is sensitive to the order of deny/allow rules.

    Is there a function in the Windows API/FCL that can return effective permissions?


    First, you should realize that Windows Security requires that ACEs appear in a security descriptor in the proper canonical order. Error code 1336 means "The access control list (ACL) structure is invalid."

    The right answer is to correct how you modify the ACL if your changes have not maintained the proper ordering.

    Additionally, the documentation for GetEffectiveRightsFromAcl also indicates that "The GetEffectiveRightsFromAcl function fails and returns ERROR_INVALID_ACL if the specified ACL contains an inherited access-denied ACE." The above link includes some native C Windows API code that offers an alternative method to determine effective rights.






    • Edited by RLWA32 Friday, February 23, 2018 12:37 AM added additional information
    Thursday, February 22, 2018 4:15 PM
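
An added example, not code from this thread or from any poster: one way to do the manual evaluation the question describes, after first checking the canonical ordering that the reply above ties to error 1336. It assumes the current Windows user and a placeholder folder path; the class and method names are made up for illustration.

```csharp
// Added example: approximate effective rights of the CURRENT user on a folder.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class EffectiveRights   // hypothetical helper name
{
    public static FileSystemRights ForCurrentUser(string path)
    {
        DirectorySecurity sec = new DirectoryInfo(path).GetAccessControl();

        // Refuse to evaluate a DACL whose ACEs are out of canonical order:
        // in-order evaluation of such a list gives misleading results.
        if (!sec.AreAccessRulesCanonical)
            throw new InvalidOperationException("DACL is not canonical: " + path);

        // SIDs that ACEs are matched against: the user plus the token's groups.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var sids = new HashSet<IdentityReference> { id.User };
        foreach (IdentityReference group in id.Groups)
            sids.Add(group);

        FileSystemRights allowed = 0, denied = 0;
        // Explicit and inherited ACEs in DACL order; the first ACE that
        // decides a given right wins, so later ACEs cannot override it.
        foreach (FileSystemAccessRule ace in
                 sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!sids.Contains(ace.IdentityReference)) continue;
            // Inherit-only ACEs affect child objects, not this folder.
            if ((ace.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;

            if (ace.AccessControlType == AccessControlType.Deny)
                denied |= ace.FileSystemRights & ~allowed;
            else
                allowed |= ace.FileSystemRights & ~denied;
        }
        return allowed;
    }

    static void Main()
    {
        // Placeholder path: replace with a folder that exists on your system.
        Console.WriteLine(ForCurrentUser(@"C:\path\to\folder"));
    }
}
```

This covers only the DACL: rights implied by ownership or privileges, share-level permissions and deny-only groups in the token are not considered, so treat the result as an approximation of what the Effective Permissions tab shows.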
  • Hi SullenMan,

    Please refer to the blog about Programmatically Getting Effective Directory/File Permissions.

    https://web.archive.org/web/20140529015353/http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/

    Best Regards,

    Wendy



    Friday, March 2, 2018 6:34 AM
    Moderator