Recipe 17.14. Granting/Revoking Access to a File or Registry Key

Problem

You need to change the security privileges of either a file or registry key programmatically.

Solution

The code shown in Example 17-17 grants and then revokes the ability to perform write actions on a registry key.

Example 17-17. Granting and revoking the right to perform write actions on a registry key
The code shown in Example 17-18 grants and then revokes the ability to delete a file.

Example 17-18. Granting and revoking the right to delete a file
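The listings for Examples 17-17 and 17-18 are not reproduced on this page. The following is an added example, not the book's code, that performs the same grant-then-revoke sequence for a registry key and for a file; the account name, subkey and file path are assumed placeholders, it runs only on Windows in a process allowed to change those objects' ACLs, and it translates the NTAccount to a SID first so that an unmappable name fails before any permission is touched.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;
// Added example, not Example 17-17/17-18. Assumes Windows and that the
// account, subkey and path passed in are placeholders you replace with real ones.
static class AccessRuleDemo
{
    // Resolve the account up front: a name Windows cannot map throws
    // IdentityNotMappedException here, before any ACL has been modified.
    static NTAccount ResolveAccount(string name)
    {
        NTAccount account = new NTAccount(name);
        account.Translate(typeof(SecurityIdentifier));
        return account;
    }
    // Grant, then revoke, the right to write values under HKLM\subKey.
    public static void ToggleRegistryWrite(string subKey, string accountName)
    {
        RegistryAccessRule rule = new RegistryAccessRule(
            ResolveAccount(accountName),
            RegistryRights.SetValue | RegistryRights.CreateSubKey,
            InheritanceFlags.ContainerInherit, PropagationFlags.None,
            AccessControlType.Allow);
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(subKey,
            RegistryKeyPermissionCheck.ReadWriteSubTree,
            RegistryRights.ReadPermissions | RegistryRights.ChangePermissions))
        {
            RegistrySecurity sec = key.GetAccessControl();
            sec.AddAccessRule(rule);
            key.SetAccessControl(sec);           // grant is applied here
            sec.RemoveAccessRuleSpecific(rule);  // removes only an exact match
            key.SetAccessControl(sec);           // revoke is applied here
        }
    }
    // Grant, then revoke, the right to delete the file at path.
    public static void ToggleFileDelete(string path, string accountName)
    {
        FileSystemAccessRule rule = new FileSystemAccessRule(
            ResolveAccount(accountName), FileSystemRights.Delete,
            AccessControlType.Allow);
        FileSecurity sec = File.GetAccessControl(path);
        sec.AddAccessRule(rule);
        File.SetAccessControl(path, sec);        // grant is applied here
        sec.RemoveAccessRuleSpecific(rule);
        File.SetAccessControl(path, sec);        // revoke is applied here
    }
}
```

Opening the key with only ReadPermissions and ChangePermissions keeps the handle to the least access the operation needs; a rule built from different rights or flags than the one that was added will not be matched by RemoveAccessRuleSpecific and will silently remain in place.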
Discussion

When granting or revoking access rights on a file or registry key, you need two things. The first is a valid NTAccount object. This object essentially encapsulates a user or group account. A valid NTAccount object is required in order to create either a new RegistryAccessRule or a new FileSystemAccessRule. The NTAccount identifies the user or group this access rule will apply to. Note that the string passed in to the NTAccount constructor must be changed to a valid user or group name that exists on your machine. If you pass in the name of an existing user or group account that has been disabled, an IdentityNotMappedException will be thrown with the message "Some or all identity references could not be translated."

The second item that is needed is either a valid RegistryKey object, if you are modifying security access to a registry key, or a string containing a valid path and filename to an existing file. These objects will have security permissions either granted to them or revoked from them.

Once these two items have been obtained, you can use the second item to obtain a security object, which contains the list of access-rule objects. For example, the following code obtains the security object for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\MyApp:

    RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\MyCompany\MyApp");
    RegistrySecurity regSecurity = regKey.GetAccessControl();

The following code obtains the security object for the FOO.TXT file:

    string file = @"c:\FOO.TXT";
    FileSecurity fileSecurity = File.GetAccessControl(file);

Now that you have your particular security object, you can create an access-rule object that will be added to this security object. To do this, you need to create a new access rule. For a registry key, you have to create a new RegistryAccessRule object, and for a file, you have to create a new FileSystemAccessRule object.
To add this access rule to the correct security object, you call AddAccessRule on the security object, then call the SetAccessControl method to write the modified security object back to the file or key. Note that RegistryAccessRule objects can be added only to RegistrySecurity objects, and FileSystemAccessRule objects can be added only to FileSecurity objects. To remove an access-rule object from a system object, you follow the same set of steps, except that you call the RemoveAccessRuleSpecific method instead of AddAccessRule. RemoveAccessRuleSpecific accepts an access-rule object and attempts to remove the rule that exactly matches this rule object from the security object. As always, you must remember to call the SetAccessControl method to apply any changes to the actual system object.

For a list of other classes that allow security permissions to be modified programmatically, see Recipe 17.13.

See Also

See Recipe 17.13; see the "System.IO.File.GetAccessControl Method," "System.Security.AccessControl.FileSecurity Class," "System.Security.AccessControl.FileSystemAccessRule Class," "Microsoft.Win32.RegistryKey.GetAccessControl Method," "System.Security.AccessControl.RegistrySecurity Class," and "System.Security.AccessControl.RegistryAccessRule Class" topics in the MSDN documentation.