Security.AccessControl.DirectorySecurity Trying to create a readonly folder for user X

  • Question

  • I'm trying to create a folder for which Admin (current user) has full access,
    and a named user 'RestrictedUser' has only read access... no write or execute.
    All new files and folders within this folder should inherit these access rights.

    I have been experimenting with DirectorySecurity for a while, but I'm not getting the desired results.

    For a fairly recent attempt I tried...

    [code]
    DirectorySecurity DS = new DirectorySecurity();

    // every rule below is InheritOnly, i.e. it applies to children only, not to the folder itself
    DS.AddAccessRule(new FileSystemAccessRule(RestrictedUser, FileSystemRights.ListDirectory,
        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
        PropagationFlags.InheritOnly,
        AccessControlType.Allow));

    DS.AddAccessRule(new FileSystemAccessRule(RestrictedUser, FileSystemRights.Read,
        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
        PropagationFlags.InheritOnly,
        AccessControlType.Allow));

    DS.AddAccessRule(new FileSystemAccessRule(RestrictedUser, FileSystemRights.Synchronize,
        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
        PropagationFlags.InheritOnly,
        AccessControlType.Allow));

    DS.AddAccessRule(new FileSystemAccessRule(Environment.UserName, FileSystemRights.FullControl,
        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
        PropagationFlags.InheritOnly,
        AccessControlType.Allow));
    [/code]


    I then pass DS as parameter 2 in Directory.Create(Path, DS);

    This gave both Restricted, and Admin full access... read/write/execute.

    I then tried adding the following rule to the code above.

    [code]
    DS.AddAccessRule(new FileSystemAccessRule(RestrictedUser, FileSystemRights.Write,
        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
        PropagationFlags.InheritOnly,
        AccessControlType.Deny));
    [/code]


    This just locked RestrictedUser completely out... didn't allow them to view the contents of the file, read, write or execute !

    I am lost !

    Any ideas ???


    meh
    Friday, May 30, 2008 2:29 PM

Answers

  • Hi,

    In your code, you just add new rules for the files and folders inside this folder; you have to add new rules for the created folder as well. Something like this works well:

            // These namespaces are needed at the top of the file:
            // using System.IO;
            // using System.Security.AccessControl;
            // using System.Security.Principal;

            private void button1_Click(object sender, EventArgs e)
            {
                DirectoryInfo dir = new DirectoryInfo(@"c:\test2\t");
                if (!dir.Exists)
                {
                    DirectorySecurity ds = new DirectorySecurity();

                    // add access rules to the current folder
                    // (no inheritance flags: these apply to the folder object itself)
                    ds.AddAccessRule(new FileSystemAccessRule(new NTAccount("Administrators"),
                        FileSystemRights.FullControl,
                        InheritanceFlags.None,
                        PropagationFlags.None,
                        AccessControlType.Allow));

                    ds.AddAccessRule(new FileSystemAccessRule(new NTAccount("Users"),
                        FileSystemRights.ListDirectory | FileSystemRights.Read | FileSystemRights.Synchronize,
                        InheritanceFlags.None,
                        PropagationFlags.None,
                        AccessControlType.Allow));

                    ds.AddAccessRule(new FileSystemAccessRule(Environment.UserName,
                        FileSystemRights.FullControl,
                        InheritanceFlags.None,
                        PropagationFlags.None,
                        AccessControlType.Allow));

                    // add access rules to the sub folders and files
                    // (InheritOnly: these apply to children, not to the folder itself)
                    ds.AddAccessRule(new FileSystemAccessRule(new NTAccount("Administrators"),
                        FileSystemRights.FullControl,
                        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                        PropagationFlags.InheritOnly,
                        AccessControlType.Allow));

                    ds.AddAccessRule(new FileSystemAccessRule(new NTAccount("Users"),
                        FileSystemRights.ListDirectory | FileSystemRights.Read | FileSystemRights.Synchronize,
                        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                        PropagationFlags.InheritOnly,
                        AccessControlType.Allow));

                    ds.AddAccessRule(new FileSystemAccessRule(Environment.UserName,
                        FileSystemRights.FullControl,
                        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
                        PropagationFlags.InheritOnly,
                        AccessControlType.Allow));

                    // call SetAccessRuleProtection to prevent permissions being inherited from the parent folder
                    // (isProtected = true blocks inheritance; preserveInheritance = false drops already-inherited rules)
                    ds.SetAccessRuleProtection(true, false);

                    dir.Create(ds);
                }
            }


    For more information about the AddAccessRule method, you can read this document

    AddAccessRule Method
    http://msdn.microsoft.com/en-us/library/d49cww7f.aspx



    If anything is unclear, please feel free to let me know.

    Best Regards
    Zhi-xin Ye



    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    • Edited by Zhi-Xin Ye Thursday, June 5, 2008 3:44 AM edit
    • Marked as answer by Bruno Yu Friday, June 6, 2008 4:01 AM
    Wednesday, June 4, 2008 4:15 PM
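The following is an added example, not code from either post: it applies the answer's two points (an explicit rule for the folder itself plus an InheritOnly rule for its children, for every principal, with parent inheritance cut off) and then reads the DACL back to confirm the restricted account received no write bits. The `ReadOnlyFolder` class, its methods, the use of `WindowsIdentity` instead of `Environment.UserName`, and the assumption that `restrictedUser` names an existing account are all mine.

```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class ReadOnlyFolder
{
    // Rights that let an account list and read but not modify anything (same set as the answer).
    const FileSystemRights ReadOnly = FileSystemRights.ListDirectory | FileSystemRights.Read | FileSystemRights.Synchronize;
    // Any of these bits on an Allow rule for the restricted account is a misconfiguration.
    const FileSystemRights WriteMask = FileSystemRights.Write | FileSystemRights.Delete |
        FileSystemRights.DeleteSubdirectoriesAndFiles | FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership;

    // Creates 'path' with a protected DACL: the current user and Administrators get full control,
    // 'restrictedUser' (assumed to be an existing local or domain account) gets read/list only.
    public static void Create(string path, string restrictedUser)
    {
        var ds = new DirectorySecurity();
        void Grant(IdentityReference id, FileSystemRights rights)
        {
            // Rule for the folder object itself: no inheritance flags.
            ds.AddAccessRule(new FileSystemAccessRule(id, rights,
                InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
            // Rule inherited by new files and sub-folders only (InheritOnly skips the folder itself).
            ds.AddAccessRule(new FileSystemAccessRule(id, rights,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.InheritOnly, AccessControlType.Allow));
        }
        Grant(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), FileSystemRights.FullControl);
        Grant(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl);
        Grant(new NTAccount(restrictedUser), ReadOnly);

        // Cut off rules inherited from the parent (e.g. a broad "Users" grant), which would
        // otherwise give the restricted account write access regardless of the rules above.
        ds.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
        new DirectoryInfo(path).Create(ds);
    }

    // Reads the DACL back and returns the write-class bits granted to 'restrictedUser' by Allow rules
    // naming that account directly; the expected result is 0. Group-based grants are not examined,
    // which is why the DACL above lists only three principals and is protected from inheritance.
    public static FileSystemRights WriteBitsGranted(string path, string restrictedUser)
    {
        var sid = new NTAccount(restrictedUser).Translate(typeof(SecurityIdentifier));
        var granted = (FileSystemRights)0;
        foreach (FileSystemAccessRule r in new DirectoryInfo(path).GetAccessControl()
                     .GetAccessRules(true, true, typeof(SecurityIdentifier)))
            if (r.AccessControlType == AccessControlType.Allow && r.IdentityReference.Equals(sid))
                granted |= r.FileSystemRights;
        return granted & WriteMask;
    }
}
```

On .NET Core / .NET 5+ the `Create(DirectorySecurity)` and `GetAccessControl()` calls come from the System.IO.FileSystem.AccessControl package; on .NET Framework they are instance methods of `DirectoryInfo`.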