ACL Technology Scenarios
The classes in the System.Security.AccessControl namespace allow you to programmatically create or change discretionary access control lists (DACLs) and system access control lists (SACLs) associated with a protected resource.
This section describes the two most common access control and audit scenarios: setting rules at resource creation and programmatically modifying the rules of an existing resource.
Scenario 1: Create an access or audit rule for a new file or directory
Sometimes your application needs to create a new file or folder. This scenario describes how to specify the ACLs for a new file or folder using the managed ACL classes.
Scenario Key Points
Create an application that performs the following tasks:
Creates one or more FileSystemAccessRule or FileSystemAuditRule objects to represent the rules you want to apply.
Adds FileSystemAccessRule or FileSystemAuditRule objects to a new FileSecurity or DirectorySecurity object.
Creates a new file or folder by passing the FileSecurity or DirectorySecurity object to the appropriate method or constructor. Every file or directory creation method or constructor has an overload that accepts a file security parameter. For example, you can use the System.IO.File.Create(String, Int32, FileOptions, FileSecurity) method, the System.IO.Directory.CreateDirectory(String, DirectorySecurity) method, and the System.IO.FileStream constructor overload that accepts a FileSecurity object, in addition to several other methods, to set ACLs at creation time.
Scenario 2: Modify an access or audit rule for an existing file or directory
Sometimes you need to programmatically change the ACLs of an existing file or folder. This scenario describes how to modify the ACLs for an existing file or folder using the managed ACL classes.
Scenario Key Points
Create an application that performs the following tasks:
Retrieves the FileSecurity or DirectorySecurity object from an existing file or folder using the File.GetAccessControl method or the Directory.GetAccessControl method.
Creates one or more FileSystemAccessRule or FileSystemAuditRule objects to represent the rules you want to apply.
Adds FileSystemAccessRule or FileSystemAuditRule objects to the FileSecurity or DirectorySecurity object.
Persists the FileSecurity or DirectorySecurity object using the File.SetAccessControl method or the Directory.SetAccessControl method.
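The following example is added here and is not part of the original documentation. It walks through both scenarios in one program: a directory created with its DACL already in place, then an existing file whose DACL is retrieved, modified and persisted. It assumes the .NET Framework on Windows; the folder name, file name and the choice of granting read access to the built-in Users group are illustrative.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclScenarios
{
    static void Main()
    {
        // Hypothetical paths chosen for this example.
        string dir = Path.Combine(Path.GetTempPath(), "acl-demo");
        string file = Path.Combine(dir, "report.txt");

        SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

        // Scenario 1: build the DACL first and create the directory with it,
        // so the directory never exists with only the parent's inherited ACEs.
        var dirSecurity = new DirectorySecurity();
        dirSecurity.SetAccessRuleProtection(true, false); // block and drop inherited ACEs
        dirSecurity.AddAccessRule(new FileSystemAccessRule(
            me, FileSystemRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow));

        // If the directory already exists, CreateDirectory leaves its ACL untouched;
        // that case belongs to scenario 2 (get, modify, set).
        Directory.CreateDirectory(dir, dirSecurity);
        File.WriteAllText(file, "constructed sample content");

        // Scenario 2: retrieve, modify, persist. Nothing changes on disk
        // until SetAccessControl is called.
        FileSecurity fileSecurity = File.GetAccessControl(file);
        fileSecurity.AddAccessRule(new FileSystemAccessRule(
            users, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(file, fileSecurity);

        // Read the DACL back from disk to confirm what was actually applied.
        AuthorizationRuleCollection rules = File.GetAccessControl(file)
            .GetAccessRules(true, true, typeof(SecurityIdentifier));
        foreach (FileSystemAccessRule rule in rules)
        {
            Console.WriteLine("{0} {1} {2} inherited={3}",
                rule.IdentityReference, rule.AccessControlType,
                rule.FileSystemRights, rule.IsInherited);
        }
    }
}
```

The read-back should list the explicit Read entry for the Users group alongside the FullControl entry the file inherited from the directory.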