Delen via


ACL Propagation Rules

When you create or modify access control entries (ACEs) for container objects such as folders, you can specify how to propagate the ACEs to objects within the container. For example, you might apply ACEs to all subfolders but not the files within those folders.

The rules of ACE propagation are controlled by different combinations of the InheritanceFlags enumeration and the PropagationFlags enumeration. You can pass both enumerations to constructors of the FileSystemAuditRule class or the FileSystemAccessRule class.

The following table shows all combinations of the two enumerations and describes how each combination affects the rules of propagation.

Flag combinations

Propagation results

No Flags

Target folder.

ObjectInherit

Target folder, child object (file), grandchild object (file).

ObjectInherit and NoPropagateInherit

Target folder, child object (file).

ObjectInherit and InheritOnly

Child object (file), grandchild object (file).

ObjectInherit, InheritOnly, and NoPropagateInherit

Child object (file).

ContainerInherit

Target folder, child folder, grandchild folder.

ContainerInherit, and NoPropagateInherit

Target folder, child folder.

ContainerInherit, and InheritOnly

Child folder, grandchild folder.

ContainerInherit, InheritOnly, and NoPropagateInherit

Child folder.

ContainerInherit, and ObjectInherit

Target folder, child folder, child object (file), grandchild folder, grandchild object (file).

ContainerInherit, ObjectInherit, and NoPropagateInherit

Target folder, child folder, child object (file).

ContainerInherit, ObjectInherit, and InheritOnly

Child folder, child object (file), grandchild folder, grandchild object (file).

ContainerInherit, ObjectInherit, NoPropagateInherit, InheritOnly

Child folder, child object (file).

Note   To change the access rules of only certain child files or folders, you must break your operation into several different calls.

See Also

Other Resources

ACL Technology Overview

Security in the .NET Framework