Directory.SetAccessControl(String, DirectorySecurity) Method

Definition

Applies access control list (ACL) entries described by a DirectorySecurity object to the specified directory.

public:
 static void SetAccessControl(System::String ^ path, System::Security::AccessControl::DirectorySecurity ^ directorySecurity);
public static void SetAccessControl (string path, System.Security.AccessControl.DirectorySecurity directorySecurity);
static member SetAccessControl : string * System.Security.AccessControl.DirectorySecurity -> unit

Parameters

path
String

A directory to add or remove access control list (ACL) entries from.

directorySecurity
DirectorySecurity

A DirectorySecurity object that describes an ACL entry to apply to the directory described by the path parameter.

Exceptions

The directorySecurity parameter is null.

The directory could not be found.

The path was invalid.

The current process does not have access to the directory specified by path.

-or- The current process does not have sufficient privilege to set the ACL entry.

The current operating system is not Windows 2000 or later.

Examples

The following example uses the GetAccessControl and the SetAccessControl methods to add an access control list (ACL) entry and then remove an ACL entry from a directory. You must supply a valid user or group account to run this example.

using namespace System;
using namespace System::IO;
using namespace System::Security::AccessControl;

// Adds an ACL entry on the specified directory for the
// specified account.
void AddDirectorySecurity(String^ directoryName, String^ account, 
     FileSystemRights rights, AccessControlType controlType)
{
    // Create a new DirectoryInfo object.
    DirectoryInfo^ dInfo = gcnew DirectoryInfo(directoryName);

    // Get a DirectorySecurity object that represents the
    // current security settings.
    DirectorySecurity^ dSecurity = dInfo->GetAccessControl();

    // Add the FileSystemAccessRule to the security settings.
    dSecurity->AddAccessRule( gcnew FileSystemAccessRule(account,
        rights, controlType));

    // Set the new access settings.
    dInfo->SetAccessControl(dSecurity);
}

// Removes an ACL entry on the specified directory for the
// specified account.
void RemoveDirectorySecurity(String^ directoryName, String^ account,
     FileSystemRights rights, AccessControlType controlType)
{
    // Create a new DirectoryInfo object.
    DirectoryInfo^ dInfo = gcnew DirectoryInfo(directoryName);

    // Get a DirectorySecurity object that represents the
    // current security settings.
    DirectorySecurity^ dSecurity = dInfo->GetAccessControl();

    // Remove the FileSystemAccessRule from the security settings.
    dSecurity->RemoveAccessRule(gcnew FileSystemAccessRule(account,
        rights, controlType));

    // Set the new access settings.
    dInfo->SetAccessControl(dSecurity);
}    

int main()
{
    String^ directoryName = "TestDirectory";
    String^ accountName = "MYDOMAIN\\MyAccount";
    if (!Directory::Exists(directoryName))
    {
        Console::WriteLine("The directory {0} could not be found.", 
            directoryName);
        return 0;
    }
    try
    {
        Console::WriteLine("Adding access control entry for {0}",
            directoryName);

        // Add the access control entry to the directory.
        AddDirectorySecurity(directoryName, accountName,
            FileSystemRights::ReadData, AccessControlType::Allow);

        Console::WriteLine("Removing access control entry from {0}",
            directoryName);

        // Remove the access control entry from the directory.
        RemoveDirectorySecurity(directoryName, accountName, 
            FileSystemRights::ReadData, AccessControlType::Allow);

        Console::WriteLine("Done.");
    }
    catch (UnauthorizedAccessException^)
    {
        Console::WriteLine("You are not authorised to carry" +
            " out this procedure.");
    }
    catch (System::Security::Principal::
        IdentityNotMappedException^)
    {
        Console::WriteLine("The account {0} could not be found.", accountName);
    }
}

using System;
using System.IO;
using System.Security.AccessControl;

namespace FileSystemExample
{
    class DirectoryExample
    {
        public static void Main()
        {
            try
            {
                string DirectoryName = "TestDirectory";

                Console.WriteLine("Adding access control entry for " + DirectoryName);

                // Add the access control entry to the directory.
                AddDirectorySecurity(DirectoryName, @"MYDOMAIN\MyAccount", FileSystemRights.ReadData, AccessControlType.Allow);

                Console.WriteLine("Removing access control entry from " + DirectoryName);

                // Remove the access control entry from the directory.
                RemoveDirectorySecurity(DirectoryName, @"MYDOMAIN\MyAccount", FileSystemRights.ReadData, AccessControlType.Allow);

                Console.WriteLine("Done.");
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }

            Console.ReadLine();
        }

        // Adds an ACL entry on the specified directory for the specified account.
        public static void AddDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the 
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Add the FileSystemAccessRule to the security settings. 
            dSecurity.AddAccessRule(new FileSystemAccessRule(Account,
                                                            Rights,
                                                            ControlType));

            // Set the new access settings.
            dInfo.SetAccessControl(dSecurity);

        }

        // Removes an ACL entry on the specified directory for the specified account.
        public static void RemoveDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the 
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Remove the FileSystemAccessRule from the security settings.
            dSecurity.RemoveAccessRule(new FileSystemAccessRule(Account,
                                                            Rights,
                                                            ControlType));

            // Set the new access settings.
            dInfo.SetAccessControl(dSecurity);

        }
    }
}

Imports System.IO
Imports System.Security.AccessControl



Module DirectoryExample

    Sub Main()
        Try
            Dim DirectoryName As String = "TestDirectory"

            Console.WriteLine("Adding access control entry for " + DirectoryName)

            ' Add the access control entry to the directory.
            AddDirectorySecurity(DirectoryName, "MYDOMAIN\MyAccount", FileSystemRights.ReadData, AccessControlType.Allow)

            Console.WriteLine("Removing access control entry from " + DirectoryName)

            ' Remove the access control entry from the directory.
            RemoveDirectorySecurity(DirectoryName, "MYDOMAIN\MyAccount", FileSystemRights.ReadData, AccessControlType.Allow)

            Console.WriteLine("Done.")
        Catch e As Exception
            Console.WriteLine(e)
        End Try

        Console.ReadLine()

    End Sub


    ' Adds an ACL entry on the specified directory for the specified account.
    Sub AddDirectorySecurity(ByVal FileName As String, ByVal Account As String, ByVal Rights As FileSystemRights, ByVal ControlType As AccessControlType)
        ' Create a new DirectoryInfo object.
        Dim dInfo As New DirectoryInfo(FileName)

        ' Get a DirectorySecurity object that represents the 
        ' current security settings.
        Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl()

        ' Add the FileSystemAccessRule to the security settings. 
        dSecurity.AddAccessRule(New FileSystemAccessRule(Account, Rights, ControlType))

        ' Set the new access settings.
        dInfo.SetAccessControl(dSecurity)

    End Sub


    ' Removes an ACL entry on the specified directory for the specified account.
    Sub RemoveDirectorySecurity(ByVal FileName As String, ByVal Account As String, ByVal Rights As FileSystemRights, ByVal ControlType As AccessControlType)
        ' Create a new DirectoryInfo object.
        Dim dInfo As New DirectoryInfo(FileName)

        ' Get a DirectorySecurity object that represents the 
        ' current security settings.
        Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl()

        ' Remove the FileSystemAccessRule from the security settings.
        dSecurity.RemoveAccessRule(New FileSystemAccessRule(Account, Rights, ControlType))

        ' Set the new access settings.
        dInfo.SetAccessControl(dSecurity)

    End Sub
End Module

Remarks

The SetAccessControl method applies access control list (ACL) entries to a file that represents the noninherited ACL list.

Warning

The ACL specified for the directorySecurity parameter replaces the existing ACL for the directory. To add permissions for a new user, use the GetAccessControl method to obtain the existing ACL and modify it.

An ACL describes individuals and/or groups who have, or do not have, rights to specific actions on the given file or directory. For more information, see How to: Add or Remove Access Control List Entries.

The SetAccessControl method persists only DirectorySecurity objects that have been modified after object creation. If a DirectorySecurity object has not been modified, it will not be persisted to a file. Therefore, it is not possible to retrieve a DirectorySecurity object from one file and reapply the same object to another file.

To copy ACL information from one file to another:

  1. Use the GetAccessControl method to retrieve the DirectorySecurity object from the source file.

  2. Create a new DirectorySecurity object for the destination file.

  3. Use the GetSecurityDescriptorBinaryForm or GetSecurityDescriptorSddlForm method of the source DirectorySecurity object to retrieve the ACL information.

  4. Use the SetSecurityDescriptorBinaryForm or SetSecurityDescriptorSddlForm method to copy the information retrieved in step 3 to the destination DirectorySecurity object.

  5. Set the destination DirectorySecurity object to the destination file using the SetAccessControl method.
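
The five steps above, as an added C# example that is not part of the original documentation. It copies only the access rules, using the SDDL form; the directory names are placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclCopyExample
{
    // Copies only the DACL (access rules) from sourceDir to destDir.
    // Owner, group and SACL are not touched by this example.
    public static void CopyDirectoryDacl(string sourceDir, string destDir)
    {
        // Step 1: read the source directory's access rules.
        DirectorySecurity source =
            new DirectoryInfo(sourceDir).GetAccessControl(AccessControlSections.Access);

        // Step 2: start from a new object. Passing 'source' itself to
        // SetAccessControl would persist nothing, because it is unmodified.
        DirectorySecurity dest = new DirectorySecurity();

        // Step 3: serialize the source access rules as an SDDL string.
        string sddl = source.GetSecurityDescriptorSddlForm(AccessControlSections.Access);

        // Step 4: load the SDDL into the destination object.
        dest.SetSecurityDescriptorSddlForm(sddl, AccessControlSections.Access);

        // Step 5: persist. Per the warning above, this replaces the
        // destination directory's existing ACL.
        new DirectoryInfo(destDir).SetAccessControl(dest);
    }

    // Prints the explicit (non-inherited) rules so the result can be reviewed.
    public static void PrintExplicitRules(string dir)
    {
        DirectorySecurity sec =
            new DirectoryInfo(dir).GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule rule in
                 sec.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            Console.WriteLine("{0,-5} {1} {2} (inheritance: {3})",
                rule.AccessControlType, rule.IdentityReference,
                rule.FileSystemRights, rule.InheritanceFlags);
        }
    }

    public static void Main(string[] args)
    {
        // Placeholder directory names; both directories must already exist.
        string src = args.Length > 0 ? args[0] : "SourceDirectory";
        string dst = args.Length > 1 ? args[1] : "DestinationDirectory";
        CopyDirectoryDacl(src, dst);
        PrintExplicitRules(dst);
    }
}
```

Running PrintExplicitRules on the destination before and after the copy shows which explicit entries were replaced.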

In NTFS environments, ReadAttributes and ReadExtendedAttributes are granted to the user if the user has ListDirectory rights on the parent folder. To deny ReadAttributes and ReadExtendedAttributes, deny ListDirectory on the parent directory.

Security

FileIOPermission
for permission to enumerate access control list (ACL) for a directory. Associated enumerations: NoAccess, View. Security action: Demand.
