
I'm busy with a project where you can manage folder permissions of a shared drive from a portal (ASP.NET website). Is there any fast way to find specific permissions of a user in a folder structure? I have a C#.NET service running on the file server.

This is what I am trying to achieve:

Folder Structure:

```
RootFolder -> TestUser has special permission so user can navigate to Folder1
    -> Folder 1 --> TestUser has Read (local)
        -> Folder 1.1 --> TestUser has Read (inherited)
            -> Folder 1.1.1 --> TestUser has Read (local)
```

Now I remove TestUser from Folder 1, but when this happens I need to know if TestUser has permissions on a folder somewhere down in the structure, and if this is the case I need to give Folder 1 AND Folder 1.1 special permissions so the user can navigate to Folder 1.1.1.

I have the complete folder structure and permissions in a database, but only the read/write permissions, not the special permissions (that give the user the right to see a folder so he/she can navigate to a folder with read/write permissions). Now it would be great if I could do a quick search in the folder structure to see if the user has some permissions so I can clean up/add special permissions for the user (so the user can navigate to all folders where he/she has read/write permissions).

I tried going through the folder structure with `Directory.GetDirectories(fullPath)` and then for each directory the `dir.GetAccessRules()` method, but this is very slow with big folder structures (10.000 folders).

I hope the question is clear and any suggestions would be appreciated!

Ondrej Janacek
Marco Haar
  • First of all, there's a huge overhead when doing this in .NET. When you get the access rules, what type do you provide for targetType? In case you don't use SecurityIdentifier, I suggest you do so. Using NTAccount as targetType comes along with time-consuming name resolution (SID to account name). Second, did you ever try to do it multi-threaded? Third, to maintain proper provisioning it is better to just grant the various permissions on the first directory level of the share and use full inheritance from this point on. Any subfolder doesn't have any new ACEs in the ACL. – AcidJunkie Mar 14 '14 at 08:22
  • Please, do not include information about a language used in a question title unless it wouldn't make sense without it. Tags serve this purpose. – Ondrej Janacek Mar 14 '14 at 08:32
  • @AcidJunkie I use the following code to get the access rules: `DirectorySecurity accessControlList = Directory.GetAccessControl(FullPath); AuthorizationRuleCollection accessRules = accessControlList.GetAccessRules(true, false, typeof(System.Security.Principal.NTAccount));` – Marco Haar Mar 14 '14 at 08:41
  • Okay. Then do a performance comparison between `NTAccount` and `SecurityIdentifier`. When using SecurityIdentifier, you have to get the SID of the desired user first and search for it in the ACL. – AcidJunkie Mar 14 '14 at 08:43
  • @AcidJunkie Okay, I will try that and let you know the outcome, thanks for the response! :) The service that is running is already multi-threaded, by the way. There is also a FileSystemWatcher running to keep track of changes. The full inheritance I cannot work with because I cannot risk users seeing folders they shouldn't (project gets used by companies and it is not done for a normal user to see a management directory). – Marco Haar Mar 14 '14 at 08:51
  • @MarcoHaar Keep in mind that the file system watcher can only monitor while your service is actually running. Do you also do some "re-ACL-ing", meaning do you check from time to time if the permissions on the file system are set as they should be? – AcidJunkie Mar 14 '14 at 09:28
  • @AcidJunkie Folders that are changed are copied to a Sync folder (including permissions), and if the service has stopped running I can check the differences between the folder structure and the Sync folder. The changes between them will be checked and corrected if needed. – Marco Haar Mar 14 '14 at 09:33
  • @AcidJunkie Thanks for the info, with SecurityIdentifier it is faster and precisely what I need (need to check for a specific user)! :) – Marco Haar Mar 18 '14 at 15:13
  • @MarcoHaar OK. I'll post the answer so others can see the answer directly and of course, I'll get some points too :) – AcidJunkie Mar 18 '14 at 17:44

1 Answer


Try to use

```
GetAccessRules(true, false, typeof(SecurityIdentifier))
```

and pre-translate your user account to SecurityIdentifier and search the access rule entries by this SID.

AcidJunkie
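The approach from the answer and comments, as an added example that is not code from the original posters: the account is translated to a SID once, then the tree is walked reading only explicit ACEs as SIDs and comparing them to that SID. The class and method names and the command-line arguments (root folder, account name) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
static class AclSearch
{
    // Yields each folder under root whose ACL holds an explicit (non-inherited)
    // allow ACE for userSid. ACEs granted via group membership are not matched.
    public static IEnumerable<string> FoldersWithExplicitAccess(string root, SecurityIdentifier userSid)
    {
        var pending = new Stack<DirectoryInfo>();
        pending.Push(new DirectoryInfo(root));
        while (pending.Count > 0)
        {
            DirectoryInfo dir = pending.Pop();
            AuthorizationRuleCollection rules;
            DirectoryInfo[] children;
            try
            {
                // Read only the DACL (no owner/group/SACL), explicit ACEs only,
                // returned as SIDs so no SID-to-name lookup happens per ACE.
                rules = dir.GetAccessControl(AccessControlSections.Access)
                           .GetAccessRules(true, false, typeof(SecurityIdentifier));
                children = dir.GetDirectories();
            }
            catch (UnauthorizedAccessException) { continue; }   // service account lacks access
            catch (DirectoryNotFoundException) { continue; }    // folder removed during the walk
            foreach (FileSystemAccessRule rule in rules)
            {
                if (rule.AccessControlType == AccessControlType.Allow && rule.IdentityReference.Equals(userSid))
                {
                    yield return dir.FullName;
                    break;
                }
            }
            foreach (DirectoryInfo child in children)
                if ((child.Attributes & FileAttributes.ReparsePoint) == 0)   // skip junctions/symlinks
                    pending.Push(child);
        }
    }

    static void Main(string[] args)
    {
        // args[0] = root folder, args[1] = account, e.g. DOMAIN\TestUser (constructed sample values)
        var sid = (SecurityIdentifier)new NTAccount(args[1]).Translate(typeof(SecurityIdentifier));
        foreach (string path in FoldersWithExplicitAccess(args[0], sid)) Console.WriteLine(path);
    }
}
```

Each returned path is a folder where the user still holds a local ACE, so every ancestor between it and the share root needs the traverse/list permission described in the question.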