Page 1 of 1

Set NTFS permissions for folder

Posted: Sun Jan 15, 2006 5:58 pm
by petergust
Hi!

I'm trying to add a new user for a folder':

Code: Select all

var
     ISecObj: ISecurityObject;
     IACLObj: Iacl;
begin

     ISecObj := FileSecurity( 'C:\Test\123' );

     IACLObj := ISecObj.DAcl;

     IACLObj.NewItem(Account('test'),0,atAllowed,[afSuccessfulAccess]);

     if IACLObj.Flush then
          ShowMessage('Fush OK!')
     else
          ShowMessage('Fush NOT OK!');
I get a Flush OK but the the user TEST is not added.

And what should I write to set Change permissions?

Folder and user exists on my system.



// Peter

Posted: Mon Jan 16, 2006 7:29 am
by madshi
What does "NewItem" return?

What is the sense of that ACE? I mean adding an item with 0 access rights sounds a bit strange to me!

Posted: Mon Jan 16, 2006 7:56 am
by petergust
madshi wrote:What does "NewItem" return?
The first time I run code it returns 4, then 5,6..
madshi wrote:What is the sense of that ACE? I mean adding an item with 0 access rights sounds a bit strange to me!
It what too late when I did this. When I change it to 1, the user is added
but I can't find anything about this value.

Help only say: IAce.Access : cardinal;

// Peter

Posted: Mon Jan 16, 2006 8:02 am
by madshi
I'd suggest using IACL.SetFileAccess. This makes it a lot easier for you. The access masks are quite complicated. There are multiple flags which must be ORed together to get proper "read" and "write" access. The method "SetFileAccess" encapsulates this kind of stuff for you.

Posted: Mon Jan 16, 2006 8:32 am
by petergust
madshi wrote:I'd suggest using IACL.SetFileAccess. This makes it a lot easier for you. The access masks are quite complicated. There are multiple flags which must be ORed together to get proper "read" and "write" access. The method "SetFileAccess" encapsulates this kind of stuff for you.
I tried that one, but it set to Full access and our users
should only have change permissions in homedirectory.

Do you have a more detailed description for the access masks?
I'm used to commandlines with many flags. :wink:

// Peter

Posted: Mon Jan 16, 2006 9:27 am
by madshi
Check out these links:

http://msdn.microsoft.com/library/defau ... s_mask.asp
http://msdn.microsoft.com/library/defau ... rights.asp

Another possibility would be to manually setup the ACL the way you want it and then use madSecurity to read out which access masks are contained in the ACL. Then you know the exact flag combination for what you want to achieve.

Posted: Mon Jan 16, 2006 10:47 am
by petergust
madshi wrote:Check out these links:

http://msdn.microsoft.com/library/defau ... s_mask.asp
http://msdn.microsoft.com/library/defau ... rights.asp

Another possibility would be to manually setup the ACL the way you want it and then use madSecurity to read out which access masks are contained in the ACL. Then you know the exact flag combination for what you want to achieve.
Thanks!

I used FindItem to locate a user, and the result I got for Change permission is 1245631, but when I add a new user with this
access mask the Apply Onto is set to This folder.

Is there anymore settings to change Apply Onto to This folder, subfolders and files?

If I manually set to This folder I get the same value, 1245631.

// Peter

Posted: Mon Jan 16, 2006 11:01 am
by madshi
You can try using the "afObjectInherit, afContainerInherit" flags. If that doesn't work, you might have to manually loop through the child objects... :shock:

Btw, I'd suggest using hexadecimal for the flags. That makes it much easier to see which flags are contained. That would be $1301BF.

Posted: Mon Jan 16, 2006 1:53 pm
by petergust
madshi wrote:You can try using the "afObjectInherit, afContainerInherit" flags. If that doesn't work, you might have to manually loop through the child objects... :shock:

Btw, I'd suggest using hexadecimal for the flags. That makes it much easier to see which flags are contained. That would be $1301BF.
I changed the flags and that did the trick! :D

Thanks for all help!

// Peter