How to implement Security in .Net?

Question

I have a security descriptor for an object. I want to get users and groups having permission on that object using that security descriptor. How to know which users are having what permissions using that security descriptor? Is it possible using ObjectSecurity or CommonObjectSecurity abstract classes? If so how to define access rules? Is there any working sample on this?

Answer 1

To access users and groups with their permissions, in .Net we have an easy mechanism. Implement CommonObjectSecurity class which is an abstract class and override the methods AccessRuleFactory and AuditRuleFactory and also override the properties AccessRuleType and AuditRuleType . In the following example a SampleSecurity Class is derived from CommonObjectSecurity . We also define class SampleAccessRule from AccessRule . We can optionally implement AddAccessRule and RemoveAccessRule to modify the security.

public class SampleSecurity : CommonObjectSecurity
{
    public SampleSecurity(bool isContainer)
        : base(isContainer)
    {
    }

    public override AccessRule AccessRuleFactory(IdentityReference identityReference, 
        int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, 
        PropagationFlags propagationFlags, AccessControlType type)
    {
        return new SampleAccessRule(identityReference, accessMask, type);
    }

    public void AddAccessRule(IdentityReference identityReference, 
        int accessMask, AccessControlType type)
    {
        base.AddAccessRule(new SampleAccessRule(identityReference, accessMask, type));
    }

    public void RemoveAccessRule(SampleAccessRule rule)
    {
        base.RemoveAccessRule(rule);
    }

    public override Type AccessRuleType
    {
        get { return typeof(SampleAccessRule); }
    }

    public override AuditRule AuditRuleFactory(System.Security.Principal.IdentityReference identityReference, int accessMask, bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags)
    {
        throw new NotImplementedException();
    }

    public override Type AuditRuleType
    {
        get { throw new NotImplementedException(); }
    }

    public override Type AccessRightType
    {
        get { return typeof(SampleRightsEnum); }
    }
}

public class SampleAccessRule : AccessRule
{
    public SampleAccessRule(IdentityReference identity, int accessMask, AccessControlType accessType)
        : base(identity, accessMask, false, InheritanceFlags.None, PropagationFlags.None, accessType)
    {
    }

    public int AccessRights { get { return AccessMask; } }
}

public enum SampleRightsEnum
{
    sampleRead = 0x001,
    sampleWrite = 0x002,
    sampleExecute = 0x004
}

Once this is defined, we can create an object of SampleSecurity and assign it the security descriptor, from which we can read the permissions for different users as listed below.

SampleSecurity security = new SampleSecurity(false);
security.SetSecurityDescriptorBinaryForm((byte[])securityDescriptor, AccessControlSections.All);
AuthorizationRuleCollection coll = dataSecurity.GetAccessRules(true, false, typeof(NTAccount));
foreach (AuthorizationRule rule in coll)
{
    SampleAccessRule accRule = rule as SampleAccessRule;
    SampleRightsEnum rights = (SampleRightsEnum)accRule.AccessRights;
    Console.Writeline("User or Group {0} having the permissions {1} with access type {2}", rule.IdentityReference.Value, rights.ToString(), accRule.AccessControlType.ToString());
}