ACL Technology Architecture
The System.Security.AccessControl namespace provides access to access control lists (ACLs) through convenient classes that abstract much of the complexity of the Windows ACL security system. Additionally, the System.Security.AccessControl namespace contains several classes that provide advanced access to the Windows ACL security system.
The .NET Framework provides access to ACLs for the following resources:
Cryptographic keys
Directories
Event Wait handles
Files
Mutexes
Registry Keys
Semaphores
Each of these resources has several classes that you can use to create and modify ACLs.
Hierarchy of ACL classes
For most scenarios, you can use the higher level, abstracted classes instead of the advanced classes to create and modify ACLs. For each resource, the higher level classes take the following form:
A class that encapsulates the discretionary access control list (DACL) and the system access control list (SACL). This class takes the name <Resource Name>Security. For example, the FileSecurity and DirectorySecurity classes encapsulate DACLs and SACLs for files and folders.
A class that encapsulates an access control entry (ACE). This class takes the name <Resource Name>AccessRule.
A class that encapsulates an audit ACE. This class takes the name <Resource Name>AuditRule.
Several enumerations that allow you to create specific access and audit rules.
For a complete list of all high-level ACL classes, see Technology Summary for ACLs.
Adding ACEs to ACLs
After you create an ACE using one of the access rule or audit rule classes, you can add the rule to a resource or use it to remove an existing rule from a resource. For example, you might create a rule using the FileSystemAccessRule class specifying that only administrators can open a file. You could then add that rule to a FileSecurity object or remove a similar rule from a FileSecurity object.
Adding an ACE that grants access does not guarantee that a principal will receive access because a deny rule always supersedes an allow rule. For example, if you add an allow access rule for a system account to a file, this does not mean the person will have access because they may also be denied access to the file by another rule.
Each <Resource Name>Security object associated with a resource provides the following methods to add or remove access rules and audit rules.
Method |
Description |
|---|---|
AddAccessRule -and- AddAuditRule |
Searches for an access or audit rule that can be merged with the new rule. If none are found, adds the new rule. |
SetAccessRule |
Removes all access control rules with the same user and AccessControlType value (Allow or Deny) as the specified rule, then adds the specified rule. |
SetAuditRule |
Removes all audit rules with the same user as the specified rule, regardless of the AuditFlags value, then adds the specified rule. |
ResetAccessRule |
Removes all access control rules with the same user as the specified rule, regardless of the AccessControlType value, then adds the specified rule. |
RemoveAccessRule |
Searches for an access control rule with the same user and AccessControlType value (Allow or Deny) as the specified rule, and with compatible inheritance and propagation flags. If found, the rights contained in the specified access rule are removed from the rule. |
RemoveAuditRule |
Searches for an audit control rule with the same user as the specified rule, and with compatible inheritance and propagation flags. If found, the rights contained in the specified rule are removed from the rule. |
RemoveAccessRuleAll |
Searches for all access rules with the same user and AccessControlType value (Allow or Deny) as the specified rule and, if found, removes them. |
RemoveAuditRuleAll |
Searches for all audit rules with the same user as the specified rule and, if found, removes them. |
RemoveAccessRuleSpecific -and- RemoveAuditRuleSpecific |
Searches for an access or audit rule that exactly matches the specified rule and, if found, removes the rule. |
AddAccessRule -and- AddAuditRule |
Searches for an access or audit rule that can be merged with the new rule. If none are found, adds the new rule. |
Getting and Setting ACLs
Each protected resource has methods that get and set the <Resource Name>Security object associated with a resource. To retrieve the existing ACLs for a specific resource, use one of the GetAccessControl methods associated with the resource. To propagate changes back to a resource, use one of the SetAccesscontrol methods associated with the resource. Note that changes are not propagated back to a resource until you explicitly re-apply them with one of the set methods.
For a complete list of all of the get and set methods for each protected resource, see Technology Summary for ACLs.