I am accessing the DACL for a user, with a given file.
I am able to grant and deny any given permission, but
when I grant certain permissions, I see that several
others are granted along with it.
For example, I can get an "IdentityReference" for a given user,
purge the access rules, then grant read access:
==============================================================
Read access gets set, but so do a lot of other things:
----------------------------------------
<grant>
<FullControl/>
<ListDirectory/>
<Modify/>
<Read/>
<ReadAndExecute/>
<ReadAttributes/>
<ReadData/>
<ReadExtendedAttributes/>
<ReadPermissions/>
<Synchronize/>
</grant>
----------------------------------------
On testing the enumeration, I simply perform
a bitwise AND ("&") for each of the values
within the enumerated list "FileSystemRights".
Examining the security settings with Windows Explorer
shows that only read access has been granted for the
given file (as was intended). There is something that
I am missing.
When you test an attribute, you do not perform a bitwise AND comparison
- or, I should type, you don't stop with that.
After the bitwise AND comparison, you then compare the result back to the
attribute for the file being evaluated ("==") to determine if all of the bits are set.
I KNEW I was missing something, and I finally figured it out.
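
The two tests described above, side by side, as an added example that is not code from the original post. It uses only the real `System.Security.AccessControl.FileSystemRights` enum and touches no file; the class name, the helper names and the sample mask (`Read | Synchronize`, chosen because both appear in the output above) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;

static class RightsCheck
{
    // Loose test: true if the mask shares ANY bit with the right being tested.
    // Composite rights such as Modify and FullControl overlap Read, so they match.
    static bool SharesAnyBit(FileSystemRights mask, FileSystemRights right) =>
        (mask & right) != 0;

    // Strict test: true only if EVERY bit of the right is present in the mask.
    static bool HasAllBits(FileSystemRights mask, FileSystemRights right) =>
        (mask & right) == right;

    // Names of all enum members that pass the given test against the mask.
    static List<string> Names(FileSystemRights mask,
                              Func<FileSystemRights, FileSystemRights, bool> test)
    {
        var names = new List<string>();
        // GetNames includes aliases (ListDirectory and ReadData share one value).
        foreach (string name in Enum.GetNames(typeof(FileSystemRights)))
        {
            var right = (FileSystemRights)Enum.Parse(typeof(FileSystemRights), name);
            if (test(mask, right)) names.Add(name);
        }
        names.Sort(StringComparer.Ordinal);
        return names;
    }

    static void Main()
    {
        // Constructed sample mask (assumption): the rights carried by the
        // access rule, taken here to be Read plus Synchronize.
        FileSystemRights mask = FileSystemRights.Read | FileSystemRights.Synchronize;

        Console.WriteLine("any bit : " + string.Join(", ", Names(mask, SharesAnyBit)));
        Console.WriteLine("all bits: " + string.Join(", ", Names(mask, HasAllBits)));
    }
}
```

A permissions report built on the loose test lists FullControl and Modify for an account that only holds read access, so an ACL audit should use the strict comparison.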