January 19, 2021
Hot Topics:

The Basics of Manipulating File Access Control Lists with C#

  • By Jani Järvinen
  • Send Email »
  • More Articles »

To enumerate access control entries inside a FileSecurity object, you would call its GetAccessRules method. This method returns an AuthorizationRuleCollection object, which, as the name implies, is a collection all the access rules (access control entries) for the given file. Calling the GetAccessRules method requires two boolean values (to indicate whether explicit and inherited ACEs should be included) and a target type.

Of these parameters, the type is the most difficult one to specify; therefore, an explanation is in order. You might be aware that Windows uses SIDs or security identifiers to uniquely identify users or groups. SIDs are often represented as alphanumeric strings. For example, the SID string "S-1-1-0" specifies "Everybody". However, it might be easier for users to manipulate user accounts or groups with their names, for instance, "Administrator" or "Backup Operators".

The third parameter of the GetAccessRules method requires the aforementioned target type. This type specifies whether you want to read the actual SID values, or the account objects (and their names). Thus, you can either give the method the SecurityIdentifier type or the NTAccount type, respectively. Both these classes live in the System.Security.Principal namespace.

Retrieving ACE Information

To retrieve ACE information from a given file, use code similar to this:

FileSecurity security = File.GetAccessControl(filename);
AuthorizationRuleCollection acl = security.GetAccessRules(
   true, true, typeof(System.Security.Principal.NTAccount));
foreach (FileSystemAccessRule ace in acl)
   // Do something with the ACE here...

When you call the GetAccessRules of the FileSecurity class, the returned AuthorizationRuleCollection contains FileSystemAccessRule objects. An example application that is able to display there entries is shown in Figure 2. The application uses the following code to construct string-based dump of the given ACE object:

private string GetAceInformation(FileSystemAccessRule ace)
   StringBuilder info = new StringBuilder();
   string line = string.Format("Account: {0}",
   line = string.Format("Type: {0}", ace.AccessControlType);
   line = string.Format("Rights: {0}", ace.FileSystemRights);
   line = string.Format("Inherited ACE: {0}", ace.IsInherited);
   return info.ToString();

Click here for a larger image.

Figure 2: The sample application is able to retrieve file access control lists and display them.

The properties of the FileSystemAccessRule class allow you to read whether the ACE is an allowing or denying ACE, who is (or are) affected by the setting, and finally the rights that are affected. If you are interested in SID values, identical code works fine, except that you must give the SecurityIdentifier type as the third parameter to the GetAccessRules method.

Modifying Access Control Lists

Reading access control entries can indeed be useful, but you will also need to learn how to manipulate entries in a file's access control list. Luckily, this is easy in .NET: in addition to the GetAccessRules method of the FileSecurity object, you also have the following methods:

  • AddAccessRule
  • ModifyAccessRule
  • PurgeAccessRules
  • RemoveAccessRule
  • SetAccessRule

Of these, probably only the Purge and Set methods require further explanation. Purging means in this case removing all ACE entries that affect the given user. This is different from removing (the RemoveAccessRule method), because removing means stripping away all matching entries, ignoring which user or group the ACE affects.

Here's the code that is executed when the "Add Self to ACL" button of the example application is pressed:

WindowsIdentity self = System.Security.Principal.
FileSystemAccessRule rule = new FileSystemAccessRule(
   self.Name, FileSystemRights.FullControl,
// add the rule to the file's existing ACL list
FileSecurity security = File.GetAccessControl(filename);
AuthorizationRuleCollection acl = security.GetAccessRules(
   true, true, typeof(System.Security.Principal.NTAccount));
// persist changes
File.SetAccessControl(filename, security);

Page 2 of 3

This article was originally published on September 26, 2007

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date