I had to create a "Deny" ACE and also set the same permissions on the directory containing the file I do not want the user to delete. The permissions I selected also prevent the user from modifying the directory contents (adding or deleting files), which is an added bonus for me. Of course, if the user has the rights to change permissions, this can be undone.
// Denies DELETE to Everyone on one file and on the directory that contains it.
// The same sequence of ACL calls runs twice: first on the file, then on its folder.
// NOTE(review): no call outcome is checked in this routine; if the ACL library
// reports failure through return values rather than exceptions, a failed Flush
// would leave the file deletable with no indication - confirm.
// NOTE(review): this is a guard, not a hard control - the object's owner, or any
// account holding WRITE_DAC, can rewrite the DACL afterwards.
procedure SetPermissions;
var
  targetPath: string;
  dacl: Iacl;
  secObj: ISecurityObject;
begin
  // Placeholder from the original post: substitute the full path of the file.
  targetPath := <the complete file name and path>;

  // --- Pass 1: the file itself ---
  secObj := FileSecurity(targetPath);
  // presumably leaves the DACL unprotected, i.e. still inheriting from the
  // parent - confirm against the library documentation
  secObj.ProtectedDAcl := false;
  dacl := secObj.DAcl;
  // NOTE(review): what Deallocate discards is not visible here; if it drops the
  // existing ACEs, earlier explicit grants/denies on the object are lost - confirm
  dacl.Deallocate;
  // second argument presumably selects access without write - verify
  dacl.SetFileAccess(Everyone, false);
  // Everyone covers every account, administrators and services included, so
  // this deny also blocks maintenance deletes until the ACE is removed.
  dacl.InsertItem(NewAce(Everyone, _DELETE, atDenied));
  // presumably writes the modified DACL back to the object - confirm
  dacl.Flush;

  // --- Pass 2: the containing directory, same call sequence ---
  // NOTE(review): on NTFS a file can also be removed through FILE_DELETE_CHILD on
  // its parent; whether the directory ACL built here withholds that right depends
  // on what SetFileAccess grants - verify with an effective-access check.
  targetPath := ExtractFileDir(targetPath);
  secObj := FileSecurity(targetPath);
  secObj.ProtectedDAcl := false;
  dacl := secObj.DAcl;
  dacl.Deallocate;
  dacl.SetFileAccess(Everyone, false);
  dacl.InsertItem(NewAce(Everyone, _DELETE, atDenied));
  dacl.Flush;
end;