AddAccessRule leaves general security unchecked.

  • Thread starter Thread starter SimeonArgus
  • Start date Start date
S

SimeonArgus

I'm writing an app that manages who has access to our internal files.
It does this by assigning certain groups to specific access. It works
great... except...

The permissions are all marked as "Special" permissions. This means
that under the general "Scurity" tab (without going into Advanced"),
all boxes for the specified users are unchecked. To make matters
worse, if I use the Microsoft-suggested way of setting permissions,
then all checkboxes become blank for all users, unless you view the
user settings in the advanced page.

Let me reiterate... the permissions themselves are accurate. But I
can't see the permissions that are set (even if I have FullControl)
without going into the Advanced page.

The code is utterly simple (which may be my problem). Any suggestions
on how to set the appropriate rights and still be able to view the
permissions in the general "security" tab??

<blockquote><pre> public void SetSecurity(string dirName,
string account,
FileSystemRights rights, AccessControlType controlType)
{
try
{
DirectorySecurity dSecurity =
Directory.GetAccessControl(dirName);

dSecurity.AddAccessRule(new FileSystemAccessRule
(account, rights, controlType));

Directory.SetAccessControl(dirName, dSecurity);
}
catch
{
txtStatus.Text += "Unable to add " + rights.ToString()
+ " from " +
dirName + " for " + account + "\r\n";
}
}</pre></blockquote>
 
I've found a fix. It's ugly. It's stupid.... but it does work. I would
really like a better fix for this as this can become horridly slow,
and a real pain in the butt... on top of that, it's ugly. I don't like
ugly code.

public void SetSecurity(string dirName, string account,
FileSystemRights rights, AccessControlType controlType)
{
try
{
DirectorySecurity dSecurity =
Directory.GetAccessControl(dirName);

// Set the current user's value. This used to be the
only line before SetAccessControl
dSecurity.AddAccessRule(new FileSystemAccessRule
(account, rights, controlType));

// RESET EVERYONE'S ACE So that it will view properly
in the Security tab. (MS BUG FIX!!)
// NOTE: I have to set this TWICE with the appropriate
inheritance flags
// (no inheritance is what we want) in order to get
the display to work properly
// in the general security tab. MS says it is the way
it is supposed to be.
// I say it is a bug. I don't want to declare
inheritance to set rights... and
// even if I do, I should only have to set it
ONCE!...
// And I should NEVER have to "reset" ALL of the users
within the ACL each time I touch a
// single value. This is just stupid.
//<end rant>
AuthorizationRuleCollection acl =
dSecurity.GetAccessRules(true, true, typeof
(System.Security.Principal.NTAccount));
foreach (FileSystemAccessRule ace in acl)
{
dSecurity.AddAccessRule(new FileSystemAccessRule
(ace.IdentityReference, ace.FileSystemRights,
InheritanceFlags.ContainerInherit,
PropagationFlags.None, ace.AccessControlType));

dSecurity.AddAccessRule(new FileSystemAccessRule
(ace.IdentityReference, ace.FileSystemRights,
InheritanceFlags.ObjectInherit,
PropagationFlags.None, ace.AccessControlType));
}


// Set the new access settings.
Directory.SetAccessControl(dirName, dSecurity);
}
catch
{
txtStatus.Text += "Unable to add " + rights.ToString()
+ " from " +
dirName + " for " + account + "\r\n";
}
}
 
I think if you add three access rules for each "InheritanceFlags" value, it would work

Below code works for me:

public void SetAccessControl(string folderName, string userName, FileSystemRights fsRights, AccessControlType acType)
{
DirectorySecurity dSecurity = Directory.GetAccessControl(folderName);

dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.None, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));

Directory.SetAccessControl(folderName, dSecurity);
}

Cheers!
Anuruddha
 
I think if you add three access rules for each "InheritanceFlags" value, it would work

Below code works for me:

public void SetAccessControl(string folderName, string userName, FileSystemRights fsRights, AccessControlType acType)
{
DirectorySecurity dSecurity = Directory.GetAccessControl(folderName);

dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.None, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));

Directory.SetAccessControl(folderName, dSecurity);
}

Cheers!
Anuruddha
 
I think if you add three access rules for each "InheritanceFlags" value, it would work

Below code works for me:

public void SetAccessControl(string folderName, string userName, FileSystemRights fsRights, AccessControlType acType)
{
DirectorySecurity dSecurity = Directory.GetAccessControl(folderName);

dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.None, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));

Directory.SetAccessControl(folderName, dSecurity);
}

Cheers!
Anuruddha
 
I think if you add three access rules for each "InheritanceFlags" value, it would work

Below code works for me:

public void SetAccessControl(string folderName, string userName, FileSystemRights fsRights, AccessControlType acType)
{
DirectorySecurity dSecurity = Directory.GetAccessControl(folderName);

dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.None, PropagationFlags.InheritOnly, AccessControlType.Allow));
dSecurity.AddAccessRule(new FileSystemAccessRule(userName, fsRights, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));

Directory.SetAccessControl(folderName, dSecurity);
}

Cheers!
Anuruddha
 
Sorry for multiple replies, but this reply page never says that my post was submitted, and keep asking for my login credentials!!!
 
Back
Top