Access Control to Resources C# Help

With the operating system, resources such as files and registry keys, as weIl as handles of a named pipe, are secured by using an access control list. Figure 20-3 shows the structure of how this maps. The resource has a security descriptor associated. The security descriptor contains information about the owner of the resource and references two access control lists: a discretionary access-controllist (OACL) and a system access-controllist (SACL).The OACL defines who has access or no access; the SACL defines audit rules for security event logging. An ACL contains a list of access-control entries (ACE).The ACE contains a type, a security identifier, and rights. With the OACL,the ACEcan be of type access aIlowed or access denied. Some of the rights that you can set and get with a file are create, read, write, delete, modify, change permissions, and take ownership.

Figure 20-3

Figure 20-3

Classes to read and.modify access control are in the namespace System. Securi ty .AccessControl. The following program demonstrates reading the access control list from a file. The FileStream class defines the GetAccessControl () method that returns a FileSecurity object. FileSecuri ty is the .NETclass that represents a security descriptor for files. FileSecuri ty derivesfrom the base classes ObjectSecuri ty, CommonObjectSecuri ty, Nati veObj ectSecuri ty, and  FileSystemSecuri ty. Other classes that represent a security descriptor are CryptoKeySecuri ty, ~ventWaitHandleSecurity,MutexSecurity,RegistrySecurity,SemaphoreSecurity, PipeSecuri ty, and Acti veDirectorySecuri ty. AIl of these objects can be secured using an’access control list. In general, the corresponding .NET class defines the method GetAccessControl to return the corresponding security class; for example, the Mutex. GetAccessControl () method returns a MutexSecurity, and the pipestream.GetAccessControl () me~od returns a PipeSecurity. The FileSecuri ty class defines methods to read and change the OACLand SACL.The method GetAccessRules () returns the OACLin the form of the class AuthorizationRuleCollection. To
access the SACL, you can use the method GetAudi tRules ( ).

With the method GetAccessRules (),you can define if inherited access rules, and not only access rules directly defined with the object, should be used. The last parameter defines the type of the securit dentifier that should be returned. This type must derive from the base class Identi tyReference. Possible types are NTAccount and Securi tyIdentifier. Both of these classes represent users or groups; the NTAccount class finds the security object by its name and the Securi tyIdentifier class finds the security object by a unique security identifier.

The returned AuthorizationRuleCollection contains AuthorizationRule objects. The AuthorizationRule is the .NET representation of an ACE. With the sample here, a file is accessed, so Ule AuthorizationRule can be cast to a FileSystemAccessRule. With ACEs of other resources, different .NET representations exist, such as MutexAccessRule and PipeAccessRule. With the FileSystemAccessRule class, the properties AccessControl Type, FileSystemRights, and IdentityReference return information about the ACE

By running the application and passing a filename, you can see the access control listfor the file.The output shown here listsfullcontrol to Administrators and System, modification rights to authenticated users, and read and execute rights to allusers belonging to the group Users:

Access type: Allow
Rights: FullControl
Identity: BUILTIN\Administrators

Access type: Allow
Rights: FullControl

Access type: Allow
Rights: Modify, Synchronize
Identity: NT AUTHORITY\Authenticated Users

Access type: Allow
Rights: ReadAndExecute, Synchronize
Identity: BUILTIN\Users

Setting access rights isvery similar to reading access rights.To set access rights,several resource classes that can be secured offer the SetAccessControl () and ModifyAccessControl () methods. The.~ ~ sample code here modifies the access control listof a fileby invoking the SetAccessControl () method from the File class.To thismethod a FileSecuri ty object ispassed. The FileSecurity object isfilled with FileSystemAccessRule objects.The access rules listedhere deny write access to the Sales group, give read access to the Everyone group, and give fullcontrol to the Developers group.

This program runs on your system only if the Windows groups Sales and Deuelopers are defined. You
can change the program to use groups that are available in your environment.

You can verify the access rules by opening the Properties and selecting afile in the Windows Explorer. Selecting the Security tab lists the access control list.

Posted on November 2, 2015 in Localization

Share the Story

Back to Top