
Check Permission On File/Folder For a Given User

Author
19 Apr 2005 5:37 PM
Ajay Choudhary
Hi,

I am trying to determine if a given user has certain permission on a given
file/folder.
To do that I am getting the user SID (through WMI Win32_Account class) and
then compare it with the SID in the list of ACE in DACL for the
file/folder (using WMI Win32_LogicalFileSecuritySetting class).

BUT I have a problem - There are instances when the user has access to the
file/folder because he is part of a group and his SID is not in the list of
ACEs in DACL, rather the SID of the group he belongs to.

Instead of going through the groups the user is a member of to compare the
SID, is there any alternative way?

I am using C#.

Thanks in advance for the help.
Ajay Choudhary

Author
20 Apr 2005 7:40 PM
Chris
> I am trying to determine if a given user has certain permission on a given
> file/folder.
> To do that I am getting the user SID (through WMI Win32_Account class) and
> then compare it with the SID in the list of ACE in DACL for the
> file/folder (using WMI Win32_LogicalFileSecuritySetting class).
>
> BUT I have a problem - There are instances when the user has access to the
> file/folder because he is part of a group and his SID is not in the list of
> ACEs in DACL, rather the SID of the group he belongs to.
>
> Instead of going through the groups the user is a member of to compare the
> SID, is there any alternative way?
>
> I am using C#.

I have the exact same issue. If you figure it out, please post the solution
here.

I posted my issue on microsoft.public.dotnet.security, and someone suggested
searching MSDN for an API call that starts with AccessCheck*

Author
21 Apr 2005 1:57 AM
Joe Kaplan (MVP - ADSI)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/accesscheck.asp?frame=true

This is actually kind of hard to do as you can make the check, but the SD
can actually change between the time you make the check and the time you try
to access it.  Simply accessing it and catching the exception is the easiest
way to go.

Note that AccessCheck also assumes you have a logon token for the user.

Joe K.

"Chris" <anon> wrote in message
news:4266aefb$0$5807$9a6e19ea@news.newshosting.com...
>> I am trying to determine if a given user has certain permission on a given
>> file/folder.
>> To do that I am getting the user SID (through WMI Win32_Account class) and
>> then compare it with the SID in the list of ACE in DACL for the
>> file/folder (using WMI Win32_LogicalFileSecuritySetting class).
>>
>> BUT I have a problem - There are instances when the user has access to the
>> file/folder because he is part of a group and his SID is not in the list of
>> ACEs in DACL, rather the SID of the group he belongs to.
>>
>> Instead of going through the groups the user is a member of to compare the
>> SID, is there any alternative way?
>>
>> I am using C#.
>
> I have the exact same issue. If you figure it out, please post the solution
> here.
>
> I posted my issue on microsoft.public.dotnet.security, and someone suggested
> searching MSDN for an API call that starts with AccessCheck*
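
An added example, not part of any post in this thread: a C# sketch of the two approaches discussed, an advisory DACL walk that takes the group SIDs from the user's logon token instead of enumerating group membership by hand, next to the authoritative "open it and catch the exception" check. It assumes .NET on Windows, a file (not a folder) and a token for the user in question (here the current user); the class name, method names and default path are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class EffectiveAccess   // hypothetical helper, not a framework type
{
    // Advisory only: approximates the ordered DACL walk for a user whose
    // token we hold. Ignores owner rights, privileges and deny-only group
    // SIDs, and the descriptor can change before the file is actually used.
    public static bool DaclGrants(WindowsIdentity id, string path, FileSystemRights wanted)
    {
        var sids = new HashSet<IdentityReference> { id.User };
        foreach (IdentityReference group in id.Groups) sids.Add(group); // groups come from the token

        var sd = new FileSecurity(path, AccessControlSections.Access);
        FileSystemRights remaining = wanted;
        foreach (FileSystemAccessRule ace in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!sids.Contains(ace.IdentityReference)) continue;       // ACE is for someone else
            if (ace.AccessControlType == AccessControlType.Deny)
            {
                // A deny ACE that hits a right not yet granted ends the walk.
                if ((ace.FileSystemRights & remaining) != 0) return false;
            }
            else
            {
                remaining &= ~ace.FileSystemRights;                    // allow ACEs accumulate
                if (remaining == 0) return true;
            }
        }
        return false;                                                  // some requested right never granted
    }

    // Authoritative: perform the access and let the OS decide at that moment.
    public static bool TryOpenForRead(string path)
    {
        try { using (File.Open(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) return true; }
        catch (UnauthorizedAccessException) { return false; }
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\Temp\example.txt"; // placeholder path
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("DACL walk says: " + DaclGrants(me, path, FileSystemRights.Read));
            Console.WriteLine("Open succeeded: " + TryOpenForRead(path));
        }
    }
}
```

The two results can disagree: the DACL walk is a snapshot and an approximation, so code that needs the file should rely on the open call and its exception handling.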