VB.NET Change File Level Permissions: Better to Ask for Forgiveness than Permission
Introduction
Some people think it is better to ask for forgiveness than for permission.
In the modern computing environment, file level permissions are an important part of the operating system. In most instances we do not interact with them directly in our everyday lives. Most of us can create an administrator account, yet apart from technical gurus, IT users, or power users, most people know little to nothing about how to limit a person's specific permissions. So, how can we limit a person's specific permissions depending on their account and privileges? I will explain how to change file level permissions below in VB.NET.
Requirements
- .NET Framework 4.5 or above
- Windows 7 operating system or above
- Time: Takes about 30-45 minutes to code, depending on the number of permissions that are going to be added to or removed from the file. However, your mileage may differ on how fast you complete this project.
Loading Users for a specific file
Our first step in this tutorial is to load the users that have permissions for a specific file into a list box. As Figure 1 shows, the users with permissions on the file are retrieved and added to lstUsers. Example 1 below has users loaded into lstUsers to show which users were retrieved. Note: the users that are retrieved may vary depending on your system. Some test users were created and added to the file for demonstration purposes in this tutorial.
http://1.bp.blogspot.com/-vjffFh-IyTk/U4TrDOeG0nI/AAAAAAAAAJ0/rA_7AwGPPC4/s1600/Example1.jpg
Figure 1: Retrieving users and adding to lstUsers list box.
Example 1: Users loaded into lstUsers list box.
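' At the top of the form's code file:
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

' filename is a form-level String field shared with the other handlers.
Private Sub BtnBrowse_Click(sender As Object, e As EventArgs) Handles BtnBrowse.Click
    OpenFileDialog1.Title = "Get access control for file"
    OpenFileDialog1.Multiselect = False
    OpenFileDialog1.InitialDirectory = "C:\Users\Jeffery\Desktop"
    If OpenFileDialog1.ShowDialog = Windows.Forms.DialogResult.OK Then
        filename = OpenFileDialog1.FileName
        Dim fi As New FileInfo(filename)
        ' Read the file's access control list.
        Dim fs As FileSecurity = fi.GetAccessControl
        ' Ask for identities as account names (DOMAIN\user) rather than SIDs.
        Dim object1 As Type = GetType(NTAccount)
        ' Clear first so browsing to a second file does not append to the old list.
        lstUsers.Items.Clear()
        ' True, True: include both explicit and inherited rules.
        For Each AuthRule As FileSystemAccessRule In fs.GetAccessRules(True, True, object1)
            lstUsers.Items.Add(AuthRule.IdentityReference.Value.ToString)
        Next
    End If
End Sub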
Viewing Permissions for a specific user
The second step in the tutorial is to view permissions for a specific user.
As you can see in Example 2, I have selected the user test and his allow and deny permissions to the file show up.
Notice how user test does not have any deny permissions? This is not a code error. In fact, he does not have any revoked or denied permissions at all.
In Figure 2, I show the code for lstUsers_SelectedIndexChangedEvent which shows the permissions for a specific user that is selected from the list.
http://4.bp.blogspot.com/-2zq92kXpMOw/U4TrDIiEOLI/AAAAAAAAAJo/Fcl-oPQG2p0/s1600/Example2.jpg
Figure 2 - lstUsers_SelectedIndexChanged
Example 2: Selection of a specific user
' user and filename are form-level String fields.
Private Sub lstUsers_SelectedIndexChanged(sender As Object, e As EventArgs) Handles lstUsers.SelectedIndexChanged
    ' The event also fires when the selection is cleared; nothing to show then.
    If lstUsers.SelectedItem Is Nothing OrElse filename = "" Then Return
    user = lstUsers.SelectedItem.ToString
    Dim fi As New FileInfo(filename)
    Dim fs As FileSecurity = fi.GetAccessControl
    Dim object1 As Type = GetType(NTAccount)
    lstAllowPermissions.Items.Clear()
    lstDenyPermissions.Items.Clear()
    For Each AuthRule As FileSystemAccessRule In fs.GetAccessRules(True, True, object1)
        ' Only look at the rules that belong to the selected user.
        If AuthRule.IdentityReference.Value.ToString = lstUsers.SelectedItem.ToString Then
            Dim ACL_Type As String = ""
            If AuthRule.AccessControlType.Equals(AccessControlType.Deny) Then
                ACL_Type = "Deny"
            Else
                ACL_Type = "Allow"
            End If
            Dim permissions As String = ""
            ' FileSystemRights is a flags enum: test that every bit of the right is set.
            If (AuthRule.FileSystemRights And FileSystemRights.FullControl) = FileSystemRights.FullControl Then
                permissions = "Full Control"
                If ACL_Type = "Allow" And permissions <> "" Then
                    lstAllowPermissions.Items.Add(permissions)
                    lstAllowPermissions.SetItemChecked(lstAllowPermissions.Items.Count - 1, True)
                End If
                If ACL_Type = "Deny" And permissions <> "" Then
                    lstDenyPermissions.Items.Add(permissions)
                    lstDenyPermissions.SetItemChecked(lstDenyPermissions.Items.Count - 1, True)
                End If
            End If
            If (AuthRule.FileSystemRights And FileSystemRights.Modify) = FileSystemRights.Modify Then
                permissions = "Modify"
                If ACL_Type = "Allow" And permissions <> "" Then
                    lstAllowPermissions.Items.Add(permissions)
                    lstAllowPermissions.SetItemChecked(lstAllowPermissions.Items.Count - 1, True)
                End If
                If ACL_Type = "Deny" And permissions <> "" Then
                    lstDenyPermissions.Items.Add(permissions)
                    lstDenyPermissions.SetItemChecked(lstDenyPermissions.Items.Count - 1, True)
                End If
            End If
            '... more permissions can be added here
        End If
    Next
End Sub
Adding/Removing permissions
In this section, permissions are added or removed/denied but are not set on the file. We will be adding new permissions to the allow or deny permission lists. The next code section will show how to actually set the new permissions we selected for the file. In Figure 3, permissions are added to the allow or deny lists depending upon what is selected in the cboACLType list box. In Figure 4, the code is displayed for removing currently displayed Allow or Deny permissions. Note: you must remove the permission before changing to the next user or changes may be lost. To remove an item, uncheck it in the list box and click Remove Permissions.
Example 3: Add New Allow or Deny Permissions
' AllowPermissions and DenyPermissions are form-level collections of pending changes.
Private Sub BtnAdd_Click(sender As Object, e As EventArgs) Handles BtnAdd.Click
    ' Nothing to add until a permission has been picked in cboPermissionList.
    If cboPermissionList.SelectedItem Is Nothing Then Return
    If CStr(cboACLType.SelectedItem) = "Allow" Then
        If lstAllowPermissions.Items.IndexOf(cboPermissionList.SelectedItem) = -1 AndAlso
           filename <> "" AndAlso
           lstUsers.SelectedIndex <> -1 Then
            'filename must be something or a file's properties have not been loaded
            lstAllowPermissions.Items.Add(cboPermissionList.SelectedItem.ToString)
            lstAllowPermissions.SetItemChecked(lstAllowPermissions.Items.Count - 1, True)
            AllowPermissions.Add(
                lstAllowPermissions.Items.Item(
                    lstAllowPermissions.Items.IndexOf(cboPermissionList.SelectedItem.ToString)))
        End If
    ElseIf CStr(cboACLType.SelectedItem) = "Deny" Then
        If lstDenyPermissions.Items.IndexOf(cboPermissionList.SelectedItem) = -1 AndAlso
           filename <> "" AndAlso
           lstUsers.SelectedIndex <> -1 Then
            lstDenyPermissions.Items.Add(cboPermissionList.SelectedItem.ToString)
            lstDenyPermissions.SetItemChecked(lstDenyPermissions.Items.Count - 1, True)
            DenyPermissions.Add(
                lstDenyPermissions.Items.Item(
                    lstDenyPermissions.Items.IndexOf(cboPermissionList.SelectedItem.ToString)))
        End If
    End If
End Sub
http://4.bp.blogspot.com/-Q7PvsbjTQT0/U4TpSVNwscI/AAAAAAAAAJg/UVpVDtPApYM/s1600/Example4.jpg
Figure 4 – showing how the deny permissions were applied to the file.
In Example 4, see how the Permission Entry for devices (devices.txt file) dialog above is showing only the Deny permission of List Directory Contents and there is a new Deny rule added. The new rule is added when the List folder permission is changed to deny. However, this rule is only applied when we click BtnSet Permissions (also called the Set Permissions button) before moving on to the next user. Note: these are local file permissions and do not include changing any Active Directory permissions.
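The step that writes the selected rules to the file is not shown in the code above. The following console program is an added example, not the author's code: it adds an explicit Deny ReadData rule for the current account to a constructed temporary file, shows the Deny overriding the inherited Allow rules once SetAccessControl writes it, and then removes the rule again. The names AclDemo, DescribeRules, ChangeRule and CanRead are assumptions for illustration, and it must run on Windows.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module AclDemo
    ' One line per rule: identity | Allow/Deny | rights | explicit or inherited.
    Function DescribeRules(filePath As String) As List(Of String)
        Dim lines As New List(Of String)
        Dim fs As FileSecurity = New FileInfo(filePath).GetAccessControl()
        For Each rule As FileSystemAccessRule In fs.GetAccessRules(True, True, GetType(NTAccount))
            lines.Add(String.Format("{0} | {1} | {2} | {3}", rule.IdentityReference.Value,
                rule.AccessControlType, rule.FileSystemRights, If(rule.IsInherited, "inherited", "explicit")))
        Next
        Return lines
    End Function
    ' Adds or removes an explicit rule, then writes the ACL back to the file.
    Sub ChangeRule(filePath As String, account As String, rights As FileSystemRights,
                   kind As AccessControlType, addRule As Boolean)
        Dim fi As New FileInfo(filePath)
        Dim fs As FileSecurity = fi.GetAccessControl()
        Dim rule As New FileSystemAccessRule(New NTAccount(account), rights, kind)
        If addRule Then fs.AddAccessRule(rule) Else fs.RemoveAccessRule(rule)
        fi.SetAccessControl(fs) ' the file's ACL is unchanged until this call
    End Sub
    ' Ask forgiveness, not permission: try the read and treat a refusal as "no".
    Function CanRead(filePath As String) As Boolean
        Try
            File.ReadAllText(filePath)
            Return True
        Catch ex As UnauthorizedAccessException
            Return False
        End Try
    End Function

    Sub Main()
        Dim target As String = Path.GetTempFileName() ' constructed sample file
        Dim account As String = WindowsIdentity.GetCurrent().Name
        Console.WriteLine("Readable before: {0}", CanRead(target))
        ChangeRule(target, account, FileSystemRights.ReadData, AccessControlType.Deny, True)
        For Each line As String In DescribeRules(target)
            Console.WriteLine(line)
        Next
        Console.WriteLine("Readable with Deny ReadData: {0}", CanRead(target))
        ChangeRule(target, account, FileSystemRights.ReadData, AccessControlType.Deny, False)
        Console.WriteLine("Readable after removal: {0}", CanRead(target))
        File.Delete(target)
    End Sub
End Module
```

The account that owns the file keeps the right to rewrite its ACL, which is why the Deny rule can be removed again even though it blocks reading the contents.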
Notes
This file is an authorized copy of the following article by the same author: Better to ask for permission than forgiveness (CodeProject original article).
The formatting of this Wiki article may be improved or different compared to the original version.