I wrote a post yesterday about ACLs for File and Directory Access because I needed a way to set the Modify permission for a user that mimicked the way Windows sets permissions. I found that I needed to expand the settings to allow for more permission types.
I decided on these permission types for the directory to come as close to the way Windows handles permissions when you click on one of the options for a directory's security properties.
    Friend Enum DirectoryPermission
        Full
        Modify
        AllExceptModifyAndFull
        ReadAndExecute
        ListContents
        Read
        Write
        None
    End Enum
None in the above list doesn't remove the security rule, but sets it to no available permissions. The rest of the options in the enumeration should be self-explanatory.
    Private Sub SetDirectoryPermissions(ByVal Directory As String, _
            ByVal Permissions As DirectoryPermission, Optional ByVal Domain As String = Nothing, _
            Optional ByVal User As String = Nothing)
        ' Read only the access (DACL) section of the directory's security descriptor.
        Dim oACL As Security.AccessControl.DirectorySecurity = _
            IO.Directory.GetAccessControl(Directory, Security.AccessControl.AccessControlSections.Access)

        ' Resolve the target account to a SID; default to BUILTIN\Users when no user is given.
        Dim oUserSid As Security.Principal.SecurityIdentifier
        If Not IsNothing(Domain) AndAlso Not IsNothing(User) Then
            oUserSid = DirectCast(New Security.Principal.NTAccount(Domain, User).Translate( _
                GetType(Security.Principal.SecurityIdentifier)), Security.Principal.SecurityIdentifier)
        ElseIf Not IsNothing(User) Then
            oUserSid = DirectCast(New Security.Principal.NTAccount(User).Translate( _
                GetType(Security.Principal.SecurityIdentifier)), Security.Principal.SecurityIdentifier)
        Else
            oUserSid = New Security.Principal.SecurityIdentifier( _
                Security.Principal.WellKnownSidType.BuiltinUsersSid, Nothing)
        End If

        ' Typed as the framework enums so the routine also compiles with Option Strict On.
        Dim lRights As Security.AccessControl.FileSystemRights
        Dim lInheritance As Security.AccessControl.InheritanceFlags

        Select Case Permissions
            Case DirectoryPermission.Full
                lRights = Security.AccessControl.FileSystemRights.FullControl
                lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
                    Or Security.AccessControl.InheritanceFlags.ObjectInherit
            Case DirectoryPermission.Modify
                lRights = Security.AccessControl.FileSystemRights.Modify _
                    Or Security.AccessControl.FileSystemRights.Synchronize
                lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
                    Or Security.AccessControl.InheritanceFlags.ObjectInherit
            Case DirectoryPermission.ReadAndExecute
                lRights = Security.AccessControl.FileSystemRights.ReadAndExecute _
                    Or Security.AccessControl.FileSystemRights.Synchronize
                lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
                    Or Security.AccessControl.InheritanceFlags.ObjectInherit
            Case DirectoryPermission.AllExceptModifyAndFull
                lRights = Security.AccessControl.FileSystemRights.Write _
                    Or Security.AccessControl.FileSystemRights.ReadAndExecute _
                    Or Security.AccessControl.FileSystemRights.Synchronize
                lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
                    Or Security.AccessControl.InheritanceFlags.ObjectInherit
            Case DirectoryPermission.ListContents
                ' Same rights as ReadAndExecute, but inherited by subfolders only, not by files.
                lRights = Security.AccessControl.FileSystemRights.ReadAndExecute _
                    Or Security.AccessControl.FileSystemRights.Synchronize
                lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit
            Case DirectoryPermission.Read
                lRights = Security.AccessControl.FileSystemRights.Read _
                    Or Security.AccessControl.FileSystemRights.Synchronize
                lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
                    Or Security.AccessControl.InheritanceFlags.ObjectInherit
            Case DirectoryPermission.Write
                lRights = Security.AccessControl.FileSystemRights.Write _
                    Or Security.AccessControl.FileSystemRights.Synchronize
                lInheritance = Security.AccessControl.InheritanceFlags.ContainerInherit _
                    Or Security.AccessControl.InheritanceFlags.ObjectInherit
            Case Else
                ' DirectoryPermission.None: no rights and no inheritance.
                lRights = CType(0, Security.AccessControl.FileSystemRights)
                lInheritance = Security.AccessControl.InheritanceFlags.None
        End Select

        ' Build an Allow rule for the SID and write the updated ACL back to the directory.
        Dim oRule As New Security.AccessControl.FileSystemAccessRule(oUserSid, _
            lRights, _
            lInheritance, _
            Security.AccessControl.PropagationFlags.None, _
            Security.AccessControl.AccessControlType.Allow)
        oACL.AddAccessRule(oRule)
        System.IO.Directory.SetAccessControl(Directory, oACL)
    End Sub
A couple of things had to be added to the code: allow the routine to specify a user name and optional domain name to whom to apply the permission, and convert the Security.Principal.NTAccount into a Security.Principal.SecurityIdentifier. I also found that the Security.AccessControl.InheritanceFlags made a difference in which permissions could be set without seeing Special Permissions also being checked.
I still have more I can do to this routine, including setting the Deny versions of the DirectoryPermission. Please let me know what you think.
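To check what a call to SetDirectoryPermissions actually left on the directory, the explicit rules for the account can be read back and compared with what the Security tab shows. This is an added example, not code from the original post; the module name AclReadBack, the function DescribeExplicitRules and the command-line arguments are hypothetical.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module AclReadBack
    ' Hypothetical helper (not from the post): one line per explicit ACE held
    ' by the account, or by BUILTIN\Users when no user is given.
    Function DescribeExplicitRules(ByVal dirPath As String,
                                   Optional ByVal domain As String = Nothing,
                                   Optional ByVal user As String = Nothing) As List(Of String)
        ' Resolve the account the same way SetDirectoryPermissions does.
        Dim sid As SecurityIdentifier
        If domain IsNot Nothing AndAlso user IsNot Nothing Then
            sid = DirectCast(New NTAccount(domain, user).Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
        ElseIf user IsNot Nothing Then
            sid = DirectCast(New NTAccount(user).Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
        Else
            sid = New SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, Nothing)
        End If

        Dim info As New DirectoryInfo(dirPath)
        Dim acl As DirectorySecurity = info.GetAccessControl(AccessControlSections.Access)
        Dim lines As New List(Of String)
        ' Explicit rules only (includeExplicit:=True, includeInherited:=False).
        For Each rule As FileSystemAccessRule In acl.GetAccessRules(True, False, GetType(SecurityIdentifier))
            If Not rule.IdentityReference.Equals(sid) Then Continue For
            lines.Add(String.Format("{0}: {1} | inherit={2} | propagate={3}",
                                    rule.AccessControlType, rule.FileSystemRights,
                                    rule.InheritanceFlags, rule.PropagationFlags))
        Next
        Return lines
    End Function

    ' Usage: AclReadBack <directory> [user] [domain]
    Sub Main(ByVal args As String())
        If args.Length = 0 Then
            Console.WriteLine("usage: AclReadBack <directory> [user] [domain]")
            Return
        End If
        Dim user As String = If(args.Length > 1, args(1), Nothing)
        Dim domain As String = If(args.Length > 2, args(2), Nothing)
        For Each line As String In DescribeExplicitRules(args(0), domain, user)
            Console.WriteLine(line)
        Next
    End Sub
End Module
```

Rules inherited from a parent folder are left out on purpose, so the output reflects only what was set directly on this directory.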