ACL Propagation RulesĀ
When you create or modify access control entries (ACEs) for container objects such as folders, you can specify how to propagate the ACEs to objects within the container. For example, you might apply ACEs to all subfolders but not the files within those folders.
The rules of ACE propagation are controlled by different combinations of the InheritanceFlags enumeration and the PropagationFlags enumeration. You can pass both enumerations to constructors of the FileSystemAuditRule class or the FileSystemAccessRule class.
The following table shows all combinations of the two enumerations and describes how each combination affects the rules of propagation.
| Flag combinations | Propagation results |
|---|---|
No Flags |
Target folder. |
Target folder, child object (file), grandchild object (file). |
|
ObjectInherit and NoPropagateInherit |
Target folder, child object (file). |
ObjectInherit and InheritOnly |
Child object (file), grandchild object (file). |
ObjectInherit, InheritOnly, and NoPropagateInherit |
Child object (file). |
Target folder, child folder, grandchild folder. |
|
ContainerInherit, and NoPropagateInherit |
Target folder, child folder. |
ContainerInherit, and InheritOnly |
Child folder, grandchild folder. |
ContainerInherit, InheritOnly, and NoPropagateInherit |
Child folder. |
ContainerInherit, and ObjectInherit |
Target folder, child folder, child object (file), grandchild folder, grandchild object (file). |
ContainerInherit, ObjectInherit, and NoPropagateInherit |
Target folder, child folder, child object (file). |
ContainerInherit, ObjectInherit, and InheritOnly |
Child folder, child object (file), grandchild folder, grandchild object (file). |
ContainerInherit, ObjectInherit, NoPropagateInherit, InheritOnly |
Child folder, child object (file). |
Note To change the access rules of only certain child files or folders, you must break your operation into several different calls.