ACL and Discover Permissions

Can someone give me some advice regarding the removal of Discover permissions - it doesn't seem to work as I would expect it to.
My requirement is quite simple. Out of the box I am attempting to enable a folder to be seen/accessible only by one set of users and not be visible to all others. In order to do this I have done the following:
Created a group containing the users who are to see the folder ('Secure Users').
Created an ACL that has 'Secure Users' at the bottom of the list (grant all) and above it 'World' (revoke all).
Applied ACL to the appropriate folder.
However when I log in (through WEBUI) using a 'normal' user (not in Secure Users group) I can still see the folder. When I click on it I get the following error:
'java.lang.Exception: The Folder you specified does not exist'.
I was under the impression that the 'ALL' permission bundle contained 'Discover' permissions. I actually want to make this folder invisible to all users that are not in the Secure Users group. Is this possible?
Thanks
Chris

Essentially Posix permissions are old and limited to three people: an owner, a group, and "everyone else". For each of these you have the option to set combinations of "read", "write", or "execute". Ultimately this is very limited, and ACLs expand on this with a vast array of possibilities (too many to list here). One example, though, is that ACLs would allow you to create only files within a specific directory and not create folders, whereas Posix permissions do not allow for this specification. You can also set these for multiple groups and multiple owners with ACLs, and also have numerous inheritance options for directory trees so files and folders within hierarchies get specific permissions properties when they are created.

Similar Messages

  • Need help with ACLs and propagating permissions

    I'm currently setting up our new server, for which we're moving away from Windows entirely (both on the server and user workstation ends), and I'm currently having some questions about permissions. I've been scouring the OS X Server Advanced Admin pdf, but there are numerous holes in the exposition of permissions from the ACLs down to the proper way to propagate permissions when a manual touch is required. What I'm trying to do is allow one group to have read access only until they get to a certain subdirectory, at which point they can then write to that level; then for the second group, they only need read access for a specific folder down the line from the starting directory. I'll include some example images with a test folder I've created so that it may be a little easier to understand what my goals are with the Server app's permissions. Thank you in advance for all your help.

    You need the advanced permissions editor.  You are trying to convert inherited permissions to explicit.  If I understand what you want, you would go about it like this.
    You have two groups; GroupA and GroupB.  GroupA is the limited group.  You want them to be able to read everything and write to limited locations.  GroupB can read and write everywhere.  So based on your example, you would do this to start:
    At the parent folder level, you are defining GroupA to be able to read and GroupB to read and write.
    Now to drill down.  In Server.app select your server.  This is the first item in the side bar.  On the right, choose Storage.  Drill down to where your shared folder is located and select it.  From the Gear menu, choose Edit Permissions as shown here:
    You will note that GroupA and GroupB are both gray.  This denotes that they are inherited entries at this level.  You must break the inheritance and start over.  To do this, press the small gear icon on the edit permissions sheet and choose "Make Inherited Entries Explicit."  GroupA and GroupB will turn black, allowing you to edit them.  Change GroupA from Read to Read Write.  Press OK to close the sheet.
    Now, if you already have data inside the folder, you can use the large gear menu and choose Propagate Permissions.  This will ensure that your data will reset with the new ACL.
    Reid
    Apple Consultants Network
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
    Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

  • EJB ACLs and permissions, help needed urgently

    Hello,
    I am using WL6.1. I need to use weblogic.security.acl.Security.checkPermission
    to check if a user has permission to access an EJB method. I know one can call
    the method and check the exception to see yes or no. But that requires knowing
    the method signature (parameters and return types etc.).
    I read the documentation and here is what I got:
    ACLs and permissions for WebLogic EJBs differ from ACLs and permissions for other
    kinds of WebLogic Server resources in the following ways:
    1. EJB ACLs are configured in the access control properties of the EJB's deployment
    descriptor.
    2. Permissions are granted on individual methods of a bean; there are no predefined
    permissions.
    3. Permissions on EJBs are granted to Roles, which map to groups in WebLogic Server.
    So if I read it correctly:
    1. One does not need to use WL console to configure EJB ACLs? If otherwise, how
    do we do it?. There is no documentation for it.
    2. What is the ACLName to use when I call the method weblogic.security.acl.Security.checkPermission(java.security.Principal
    principal, java.lang.String aclName,
    java.security.acl.Permission permission,
    char sep)?
    I tried with JNDI name and EJB name and nothing seems to work.
    Can anyone help me out?
    Thanks.
    Ling Wang

    It all depends on where do you want to keep your ACLs and the rest of security.
    Simplest will be fileRealm, but it has limited capability (10k ACLs I recall).
    You do not need console to set it up. Here is an excerpt from ACL file:
    acl.read.OT_INTEGRATIONOBJREF=everyone
    acl.read.OT_ORGTRANSPORT=OrgAdmin,AppAdmin
    acl.read.OT_ORGUNITOFMEASURE=OrgAdmin,AppAdmin
    # from nonWorkflowEvents.template
    acl.execute.ET_QUERY=everyone
    acl.execute.ET_BATCH=everyone
    read/execute is action. Caps keep resource (name). On the right hand is a list
    of roles. The security call will be looking like:
    boolean result = Security.hasPermission("ET_BATCH",
    new PermissionImpl("read"), '.');
    It does not throw, just returns a boolean.
    Now, this is all about programmatic security. If you are up to declarative, you
    need to assign role names to method names in deployment descriptor of your bean
    and map them to actual roles.
    Also you may have problems while asking security question about another principal
    (not the one currently logged in). Not that it does not work -- just needs caution.
    Hope it helps.

  • File and folder permissions for specific AD groups

    Having a special folder over multiple servers that certain user groups can access with specific permissions I'd like to audit the security mappings using get-acl commandlet. It's easy for a single folder but I would need subfolders and files too. I know I can assign a variable say $object = dir c:\MyShare -recurse  and then would need to somehow pipe each object to get-acl and filter for the AD groups I'm interested in. Ideally if the results were then passed on to csv. Can someone help with getting this to work?
    yaro

    Hi Yaro,
    I checked your script, and found you haven't defined the variable $folder before use, please refer to the script below:
    # Collect every subfolder (containers only) below the root
    $folders = dir D:\TEST1 -recurse | where {$_.psiscontainer -eq $true}
    foreach($folder IN $folders){
        # Raw access entries whose identity matches the pattern
        $folder | Get-Acl | Select-Object -ExpandProperty Access | where {$_.identityreference -match "sys|Adm"}
        # The same entries, projected to the columns of interest
        Get-Acl $folder.fullname | Select-Object -ExpandProperty Access | where {$_.identityreference -match "sys|Adm"} |
            Select-Object @{n="object";e={ $folder.fullname }},
                @{n="security_principal";e={ $_.identityreference }},
                @{n="type";e={ $_.accesscontroltype }},
                @{n="rights";e={ $_.filesystemrights }}
    }
    And to list the nested groups on local computer, please check this function written by Boe Prox, which will also list the property "isGroup":
    Get-LocalGroupMembership
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang
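
The folder-only audit from this thread, extended as an added example (not part of the original reply) so that it also covers files and writes the CSV the question asked for. The function name Get-AclAuditRow, the -ExplicitOnly switch and the output file name are assumptions; the share path and the identity pattern are the ones used in the thread.

```powershell
# Added example, not from the thread: audit NTFS ACEs on folders AND files for
# selected principals and export one CSV row per matching ACE.
function Get-AclAuditRow {                       # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        [Parameter(Mandatory = $true)] [string] $IdentityPattern,  # regex, used with -match
        [switch] $ExplicitOnly                   # report only ACEs set directly on the object
    )

    # The root itself plus everything below it, hidden and system items included.
    # Paths that cannot be enumerated are collected instead of being dropped silently.
    $rootItem = Get-Item -LiteralPath $Root -Force -ErrorAction Stop
    $children = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable enumErrors
    $items    = @($rootItem) + @($children)

    foreach ($item in $items) {
        $kind = if ($item.PSIsContainer) { 'Folder' } else { 'File' }

        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        }
        catch {
            # An unreadable ACL is itself an audit finding, so emit a row for it.
            [pscustomobject]@{
                Object      = $item.FullName
                ItemType    = $kind
                Principal   = ''
                Type        = ''
                Rights      = ''
                Inherited   = ''
                Inheritance = ''
                Status      = "ACL unreadable: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -notmatch $IdentityPattern) { continue }
            if ($ExplicitOnly -and $ace.IsInherited) { continue }

            [pscustomobject]@{
                Object      = $item.FullName
                ItemType    = $kind
                Principal   = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType     # Allow or Deny
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceFlags      # how the ACE flows to children
                Status      = 'OK'
            }
        }
    }

    # Subtrees that could not be listed at all (for example, access denied on a folder).
    foreach ($err in $enumErrors) {
        [pscustomobject]@{
            Object      = [string]$err.TargetObject
            ItemType    = 'Unknown'
            Principal   = ''
            Type        = ''
            Rights      = ''
            Inherited   = ''
            Inheritance = ''
            Status      = "Enumeration failed: $($err.Exception.Message)"
        }
    }
}

# Share path and pattern as used in the thread; the output file name is an assumption.
Get-AclAuditRow -Root 'C:\MyShare' -IdentityPattern 'sys|Adm' |
    Export-Csv -Path .\acl-audit.csv -NoTypeInformation -Encoding UTF8
```

Running it with -ExplicitOnly narrows the report to entries set directly on an object, which is where permissions that deviate from the parent folder show up.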

  • XSAN, ACLs and new OD users.

    I have xSAN FS with enabled ACLs and OD.
    If I create an ACL for existing folders and assign group (A) permissions to it, the rules work perfectly. But only for users in this group (A) which were added before the ACL was assigned.
    If I create a new OD user and add it into group A after the ACLs were configured, the user has no group permissions to this folder.
    Has anybody met this issue?

    So do you want to have this new server running alongside the old one - or set up the new server for a subset of users and then decommission the SL server? If alongside, is it for redundancy or to provide a separate set of services for a subset of users?
    If alongside for redundancy, then it makes sense to let it use the existing OD.
    If it's for one of the other purposes, you'll need to:
    1. Set the new server up in isolation from the old one (this allows you to create a new OD master)
    2. Configure services
    3. If you need to copy/move user data from the SL server, you'll have to take services on the SL server offline for the time it takes to copy/move.

  • Named ACL and ACE numbering

    I created a new extended named ACL and enter a few ACEs numbered 10,20,30,100,110,1000 to give them plenty of space apart. When I reload the switch, the numbering has disappeared and they are all spaced 10 apart. Why does this happen and is there a way to maintain larger spaces? I am thinking that in time I may come to make many modifications to the ACL and the gap between two entries may reduce to nothing. I am not going to reload my switch just to reset the gaps and I would rather not remove the ACL completely and replace it to achieve the same.
    thanks for any advice
    Chris

    The ACL is stored in RAM initially. When you display your access-list for instance you see the sequence numbers. When you display your running configuration you don't see them.
    Are you using ip access-list or the traditional access-list?
    ip access-list extended Popey
    10 permit ip host 10.10.10.10 any
    100 permit ip 10.10.20.0 0.0.0.255 any
    1000 deny ip any any

  • How to view hidden user files and reset permissions

    I am having difficulties getting the hidden files to appear first of all. I have tried a couple of different things that have been suggested in other posts. And I would really like a point in the right direction to find information on resetting permissions. Thanks in advance for any help.

    To view hidden files, I use a third party program called Desktop Utility, takes only a few seconds to activate and have them shown. Quick and easy.
    http://sweetpproductions.com/
    Resetting Permissions info and How TO;
    http://osxdaily.com/2011/11/15/repair-user-permissions-in-mac-os-x-lion/
    When you use the Disk Utility app and Repair Permissions — it doesn’t actually repair the permission settings on folders and files in your Home folder where your documents and personal applications reside.
    There is an additional Repair Permissions application utility hidden away. This tool is located inside boot Repair Utilities. Here’s how to access it.
    Restart Lion and hold down the Command and R keys.
    You will boot into the Repair Utilities screen. On top, in the Menu Bar click the Utilities item then select Terminal.
    In the Terminal window, type resetpassword and hit Return.
    The Password reset utility launches, but you’re not going to reset the password. Instead, click on the icon for your Mac’s hard drive at the top. From the drop-down below it, select the user account where you are having issues.
    At the bottom of the window, you’ll see an area labeled ‘Reset Home Directory Permissions and ACLs’. Click the Reset button there.

  • Possible to automatize the creation of ACL and subfolders in KM ?

    Hi,
    I would like to create following folder structure
    /root
       /subfolder elec/
             /subfolder user1/
             /subfolder user2/
       /subfolder documents/
       /subfolder LMS/
    Subfolder user 1 : only user1 may have authorizations to this folder.
    Subfolder user 2 : only user2 may have authorizations to this folder
    I can manage these authorizations by creating an ACL map -> details -> settings -> permissions
    This is a good solution if there were only a few subfolders to manage but I have to create +/- 9000 subfolders, for every user his own subfolder.
    Does anybody know if there is a possibility to automatize the creation of those ACLs and also the creation of the subfolders?
    Kind regards
    Pascale Thys

    Hi Pascale!
    Here is a static method to create directories and provide them with permissions. It takes a resource residing in a directory called  and creates new sub dirs for every iso language in the array languages. Then it copies the source resource into those new sub dirs.
    It has everything you need to know about creation of dirs and files in km via API. Just adapt it to your needs.
         private static void createLanguages(
              IResource resource,
              String[] languages)
              throws ResourceException, WcmException {
              // iterate through languages and create copies of the original document
              // pattern is "com.xxx.<foldername><n>_<language id> with n >= 0
              // Folder of newly created document
              ICollection sourceDir = resource.getParentCollection();
              RID sourceDirRID = sourceDir.getRID();
              // Name (plus extension) of document
              RID resourceRIDName = resource.getRID().name();
              // Name of parent folder
              RID sourceDirRIDName = sourceDirRID.name();
              // source directory of new resource without language shortcut
              String sourceDirRIDNameBase =
                   sourceDirRIDName.toString().substring(
                        0,
                        sourceDirRIDName.toString().length() - 2);
              ICopyParameter copyParams = new CopyParameter();
              RID destination = null;
              for (int i = 0; i < languages.length; i++) {
                   String newDir = sourceDirRIDNameBase + languages[i];
                   destination =
                        sourceDirRID.parent().addPathSegment(
                             sourceDirRIDNameBase + languages[i]);
                   // Create language dependent directory parallel to original, if not existing
                   ICollection newCollection = null;
                   try {
                        newCollection =
                             sourceDir.getParentCollection().createCollection(
                                  newDir,
                                  null);
                   } catch (NameAlreadyExistsException e) {
                        logger.info(
                             "directory "
                                  + newDir
                                  + " already exists.");
                   }
                   // Even if directory exists, add permissions
                   try {
                        if (newCollection == null) {
                             IResourceFactory resourceFactory =
                                  ResourceFactory.getInstance();
                             newCollection =
                                  (ICollection) resourceFactory.getResource(
                                       destination,
                                       sourceDir.getParentCollection().getContext());
                        }
                        newCollection.setProperty(
                             Property.createDisplaynameProp(
                                  destination.name().toString()));
                        // Setting ACLs on newly created directory
                        ISecurityManager sm =
                             newCollection.getRepositoryManager().getSecurityManager(
                                  newCollection);
                        if (sm != null && sm instanceof IAclSecurityManager) {
                             IAclSecurityManager asm = (IAclSecurityManager) sm;
                             IResourceAclManager ram = asm.getAclManager();
                             // Inheritance has to be broken to include new permissions
                             // Get a copy parent ACL
                             IResourceAcl ra = ram.getAcl(newCollection);
                             if (ra == null) {
                                  ra = ram.getInheritedAcl(newCollection);
                             }
                             // Still no acl found? Permissions cannot be set
                             if (ra == null) {
                                  logger.severe(
                                       " - no ACL found for "
                                            + newCollection
                                            + " no permission has been set!");
                             } else {
                                  // Remove old ACL
                                  ram.removeAcl(newCollection);
                                  // create new ACL for current directory
                                  IResourceAcl raNew = ram.createAcl(newCollection);
                                  // Copy all acl entries from inherited acl to new acl
                                  IResourceAclEntryList rel = ra.getEntries();
                                  IResourceAclEntryListIterator it = rel.iterator();
                                  IResourceAclEntry aclEntry = null;
                                  while (it.hasNext()) {
                                       aclEntry = it.next();
                                       raNew.addEntry(aclEntry);
                                  }
                                  // Editor group for all countries
                                  IUMPrincipal allCountriesPrincipal =
                                       WPUMFactory.getGroupFactory().getGroup(
                                            "XXX_EDITOR_"
                                                 + "ALL");
                                  // Editor for specific country
                                  IUMPrincipal thisCountryPrincipal =
                                       WPUMFactory.getGroupFactory().getGroup(
                                            "XXX_EDITOR_"
                                                 + languages[i].toUpperCase());
                                  raNew.addEntry(
                                       ram.createAclEntry(
                                            allCountriesPrincipal,
                                            false,
                                            ram.getPermission(
                                                 IAclPermission.ACL_PERMISSION_READ),
                                            0));
                                  raNew.addEntry(
                                       ram.createAclEntry(
                                            thisCountryPrincipal,
                                            false,
                                            ram.getPermission(
                                                 IAclPermission.ACL_PERMISSION_READWRITE),
                                            0));
                                  // Now copy permission owners
                                  IUMPrincipalList permissionOwners = ra.getOwners();
                                  IUMPrincipalListIterator permissionOwnersIt = permissionOwners.iterator();
                                  IUMPrincipal principal = null;
                                  while (permissionOwnersIt.hasNext()) {
                                       principal = permissionOwnersIt.next();
                                       raNew.addOwner(principal);
                                  }
                             }
                        }
                   } catch (AclPersistenceException e) {
                        logger.severe(
                             "I raised an AclPersistenceException @"
                                  + (new Date()).toString()
                                  + ": "
                                  + LoggingFormatter.extractCallstack(e));
                   } catch (ResourceException e) {
                        logger.severe(
                             "I raised a ResourceException @"
                                  + (new Date()).toString()
                                  + ": "
                                  + LoggingFormatter.extractCallstack(e));
                   } catch (NotAuthorizedException e) {
                        logger.severe(
                             "I raised a NotAuthorizedException @"
                                  + (new Date()).toString()
                                  + ": "
                                  + e.getMessage()
                                  + "**"
                                  + LoggingFormatter.extractCallstack(e));
                        //                    } catch (AclExistsException e) {
                        //                         logger.severe(
                        //                              "I raised an AclExistsException @"
                        //                                   + (new Date()).toString()
                        //                                   + ": "
                        //                                   + LoggingFormatter.extractCallstack(e));
                   } catch (UserManagementException e) {
                        logger.severe(
                             "I raised a UserManagementException @"
                                  + (new Date()).toString()
                                  + ": "
                                  + LoggingFormatter.extractCallstack(e));
                   } catch (InvalidClassException e) {
                        logger.severe(
                             "I raised an InvalidClassException @"
                                  + (new Date()).toString()
                                  + ": "
                                  + LoggingFormatter.extractCallstack(e));
                   } catch (AlreadyAssignedToAclException e) {
                        logger.severe(
                             "I raised an AlreadyAssignedToAclException @"
                                  + (new Date()).toString()
                                  + ": "
                                  + LoggingFormatter.extractCallstack(e));
                   } catch (PermissionNotSupportedException e) {
                        logger.severe(
                             "I raised a PermissionNotSupportedException @"
                                  + (new Date()).toString()
                                  + ": "
                                  + LoggingFormatter.extractCallstack(e));
                   }
                   // Copy the source document into the language directory
                   destination = destination.add(resourceRIDName);
                   try {
                        IResource newResource = resource.copy(destination, copyParams);
                   } catch (NameAlreadyExistsException e) {
                        logger.info("file "
                                  + destination
                                  + " already exists.");
                   }
              }
         }
    Imports needed:
    import java.util.Date;
    import com.sapportals.portal.prt.logger.ILogger;
    import com.sapportals.portal.security.usermanagement.IUMPrincipal;
    import com.sapportals.portal.security.usermanagement.UserManagementException;
    import com.sapportals.wcm.WcmException;
    import com.sapportals.wcm.repository.CopyParameter;
    import com.sapportals.wcm.repository.ICollection;
    import com.sapportals.wcm.repository.ICopyParameter;
    import com.sapportals.wcm.repository.IResource;
    import com.sapportals.wcm.repository.IResourceFactory;
    import com.sapportals.wcm.repository.NameAlreadyExistsException;
    import com.sapportals.wcm.repository.Property;
    import com.sapportals.wcm.repository.ResourceException;
    import com.sapportals.wcm.repository.ResourceFactory;
    import com.sapportals.wcm.repository.manager.IAclSecurityManager;
    import com.sapportals.wcm.repository.manager.ISecurityManager;
    import com.sapportals.wcm.repository.security.IResourceAcl;
    import com.sapportals.wcm.repository.security.IResourceAclEntry;
    import com.sapportals.wcm.repository.security.IResourceAclEntryList;
    import com.sapportals.wcm.repository.security.IResourceAclEntryListIterator;
    import com.sapportals.wcm.repository.security.IResourceAclManager;
    import com.sapportals.wcm.util.acl.AclPersistenceException;
    import com.sapportals.wcm.util.acl.AlreadyAssignedToAclException;
    import com.sapportals.wcm.util.acl.IAclPermission;
    import com.sapportals.wcm.util.acl.IUMPrincipalList;
    import com.sapportals.wcm.util.acl.IUMPrincipalListIterator;
    import com.sapportals.wcm.util.acl.InvalidClassException;
    import com.sapportals.wcm.util.acl.NotAuthorizedException;
    import com.sapportals.wcm.util.acl.PermissionNotSupportedException;
    import com.sapportals.wcm.util.logging.LoggingFormatter;
    import com.sapportals.wcm.util.uri.RID;
    import com.sapportals.wcm.util.usermanagement.WPUMFactory;
    This is my .classpath variable for this project (for the necessary JARs):
    <?xml version="1.0" encoding="UTF-8"?>
    <classpath>
        <classpathentry kind="src" path="src.api"></classpathentry>
        <classpathentry kind="var" path="JRE_LIB" sourcepath="JRE_SRC"></classpathentry>
        <classpathentry kind="src" path="src.core"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/prtapi.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/prttest.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/com.sap.portal.runtime.application.soap_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.tssap.ext.libs.j2ee_1.3.0/lib/activation.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.security_2.0.0/lib/com.sap.security.api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ext.libs.webservices_2.0.0/lib/jaxm-api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.tssap.ext.libs.j2ee_1.3.0/lib/mail.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ext.libs.webservices_2.0.0/lib/saaj-api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.tssap.sap.libs.xmltoolkit_2.0.0/lib/sapxmltoolkit.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.engine.webservices_2.0.0/lib/webservices_lib.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.crt_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/prtapi.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/logging.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.exception_2.0.0/lib/exception.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.common_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/com.sap.security.api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/com.sap.security.api.ep5.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.util.public_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.sf.framework_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.util_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.runtime_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.repository.service.serviceacl_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.mi_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.urlgenerator_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.urimapper_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.rtr_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.relation_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.pipeline_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.oth_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.notificator_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.mime_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.global.service.appproperties_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.rf.framework_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.util.kmmonitor_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.netweaver.bc.uwl.plugin_1.0.0/lib/bc.uwl.service.api_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.tc.ap_2.0.0/comp/CAF/DCs/sap.com/caf/api/_comp/gen/default/public/default/lib/java/sap.com~caf~eu~gp~api~default.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.tc.ap_2.0.0/comp/CAF/DCs/sap.com/caf/api/wd/_comp/gen/default/public/default/lib/java/sap.com~caf~eu~gp~api~wd~default.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/bc.wdf.ui.framework_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.base_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.enum_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.event_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.generic_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.util_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/com.sap.portal.htmlb_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.command_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.base_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.screenflow_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.uicommand_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.util_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/htmlb.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/com.sap.workflow.wcm_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.actioninbox_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.cachecontrol_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.checkout_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.collaboration_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.crawler_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.efp_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.expimp_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.ice_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.indexmanagement_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.propertyconfig_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.propertystructure_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.quickpoll_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.reporting_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.resourcefilter_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.resourcelistfilter_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.template_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.xcrawler_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.service.xmlforms_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.acl_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.actioninbox_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.applog_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.cache_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.classification_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.classificationtest_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.collaboration_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.config_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.crawler_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.crawlerindexmon_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.demo_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.edit_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.collaboration_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.collection_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.component_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.config_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.control_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.detailsoverview_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.detailsproperties_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.expimp_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.property_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.resource_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.flex.uicommand_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.ice_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.indexadmin_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.layout_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.navigation_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.oth_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.quickpoll_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.reporting_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.scheduler_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.search_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.security_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.settings_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.statemanagement_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.subscription_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.user_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.websiteimport_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.xcrawler_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.appl.ui.xmlforms_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.rep.util.rfadapter_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.actioninbox_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.cachecontrol_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.checkout_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.collaboration_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.crawler_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.efp_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.expimp_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.ice_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.indexmanagement_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.propertyconfig_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.propertystructure_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.quickpoll_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.reporting_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.resourcefilter_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.resourcelistfilter_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.template_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.xcrawler_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.service.xmlforms_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.fields_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.collection_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.control_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.detailsoverview_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.detailsproperties_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.enum_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.layout_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.property_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.readymades_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.flex.resource_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.released_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.ui.search_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/com.sap.portal.usermanagementapi.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/com.sap.security.api.ep5.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/org.eclipse.tomcat_4.0.6.2/servlet.jar"></classpathentry>
        <classpathentry kind="lib" path="dist/PORTAL-INF/lib/commons-lang-2.4.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/km.shared.ui.event_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.portal.runtime.config/lib/bc.cfg_api.jar"></classpathentry>
        <classpathentry kind="var" path="KMC_LIBS/km.appl.ui.flex.control_api.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.km.cm.ui.flex/private/lib/km.appl.ui.flex.control_core.jar"></classpathentry>
        <classpathentry kind="var" path="ECLIPSE_HOME/plugins/com.sap.ep.applicationDevelopment_7.00/libs/km.shared.repository.service.layout_api.jar"></classpathentry>
        <classpathentry kind="output" path="classes.api"></classpathentry>
    </classpath>
    You probably don't need all of them.
    Cheers,
      Jürgen

  • Solved - How to take ownership and change permissions for blocked files and folders in Powershell

    Hello,
    I was trying to take ownership & fix permissions on Home Folder/My Documents structures, and I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from file permissions and do not have ownership of the files, folders/directories (assuming all other permissions like SeTakeOwnershipPrivilege have been enabled).
    I was not able to find any information about someone successfully using native PS to resolve the issue.  As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
    Question: How do you use only PowerShell to take ownership and reset permissions for files or folders you do not have permissions or ownership of?
    Problem: 
    Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
    PS C:\> Get-Acl -path F:\testpath\locked
    Get-Acl : Attempted to perform an unauthorized operation.
    + get-acl <<<< -path F:\testpath\locked
    + CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
    If you create a new ACL and attempt to apply it using Set-Acl, you get:
    PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
    Set-Acl : Attempted to perform an unauthorized operation.
    At line:1 char:8
    + Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
    + CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
    Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
    How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
    Tony

    Hello,
    Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
    Example:  Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
    #Script to Reset MyDocuments Folder permissions
    $domainName = ([ADSI]'').name
    Import-Module "PSCX" -ErrorAction Stop
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
    #Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
    Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
    $Directorypath = "F:\Userpath" #locked user folders exist under here
    $LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
    Foreach ($Locked in $LockedDirs) {
        Write-Host "Resetting Permissions for "$Locked.Fullname
        #######Take Ownership of the root directory
        $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
        $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
        $Locked.SetAccessControl($blankdirAcl)
        ###################### Setup & apply correct folder permissions to the root user folder
        #Using recommendation from Ned Pyle's Ask Directory Services blog:
        #Automatic creation of user folders for home, roaming profile and redirected folders.
        $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $propagation = [system.security.accesscontrol.PropagationFlags]"None"
        $fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
        $allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
        $DirACL = New-Object System.Security.AccessControl.DirectorySecurity
        #Administrators: Full Control
        $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
        #System: Full Control
        $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
        #Creator Owner: Full Control
        $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
        #Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
        #The folder name is taken as the account name; $($Locked.Name) is used because "$Locked.name" does not
        #expand the property inside a string and "$Locked" can expand to the full path on some PowerShell versions.
        $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$($Locked.Name)",$fullrights, $inherit, $propagation, "Allow")))
        #Remove Inheritance from the root user folder
        $DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
        #Set permissions on User Directory
        Set-Acl -aclObject $DirACL -path $Locked.Fullname
        Write-Host "commencer" -NoNewLine
        ##############Restore admin access & then restore file/folder inheritance on all subitems
        #create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
        $NewOwner = New-Object System.Security.Principal.NTAccount("$domainName", $Locked.Name) #ideally I would error check this.
        $subFileACL = New-Object System.Security.AccessControl.FileSecurity
        $subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
        $subFileACL.SetOwner($NewOwner)
        $subDirACL.SetOwner($NewOwner)
        ######## Enable inheritance ($False) and not copy of parent ACLs ($False)
        $subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
        $subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
        #####loop through subitems
        $subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
        foreach ($subitem in $subdirs) {
            #take ownership to insure ability to change permissions
            #Then set desired ACL
            if ($subitem.Attributes -match "Directory") {
                # New, blank Directory ACL with only Owner set
                $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
                $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
                #Use SetAccessControl to reset Owner; Set-Acl will not work.
                $subitem.SetAccessControl($blankdirAcl)
                #At this point, Administrators have the ability to change the directory permissions
                Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
            } Else {
                # New, blank File ACL with only Owner set
                $blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
                $blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
                #Use SetAccessControl to reset Owner; Set-Acl will not work.
                $subitem.SetAccessControl($blankfileAcl)
                #At this point, Administrators have the ability to change the file permissions
                Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
            }
            #one progress dot per processed subitem
            Write-Host "." -NoNewline
        }
        Write-Host "fin."
    }
    Write-Host "Script Complete."
    I hope you find this useful.
    Thank you,
    Tony
    Final Thought: There are great non-PS tools like Set-Acl and takeown which are external to PS & can also do the job wonderfully. It may be much simpler to call those tools than recreate the wheel in pure code. Feel free to use whatever best suits your time, scope & cost.

  • ACL and posix conflict? Can't get folder access to work properly

    We have a folder on our website that all employees need to be able to write to, but they do not need to be able to create folders or delete anything. There is a second group with full permissions to the folder.
    ACLs:
    Upload Full Access - R&W
    Company Access - Custom (full read, write does not include: create folder, delete, delete subfolders and files)
    POSIX:
    O: _www : R
    G: Company Access : R
    E: None
    The full access group is easy and works perfectly.
    The limited group is a pain and the permissions don't work 100% the way needed.
    With that setup, they cannot create new files at all.
    If I set G: R&W, then they have free rein as the ACL is being ignored.
    If I set G: R, then they have no write abilities as the ACL is being ignored.
    With either group setting, if I grant "create folder" permission in the custom ACL, then users can create folders and they have full create/delete permissions within the new folders, but this is what I need to prevent, not allow.
    I've never had problem setting up a share with strange ACL access permissions before. Does this directory hate me? I'd like to do this without having to create another user group.
    Suggestions?

    Hi,
    Yes, the GUI of ServerAdmin won't add the <Directory> config sections to the apache config file. Read about that <Directory> config section, look at /etc/apache2/httpd.conf and /etc/apache2/sites/0000SOMETHING.
    The good news is once you put the <Directory> config sections in there, it will stay there.
    In some ways the GUI of ServerAdmin is bad, in that it is just adding text lines to your apache config file, and it doesn't always know what to add, whereas if one must do one's own typing in the config file, then one is aware of what is in there, what it is doing.
    I ran into a similar issue. But do read the config files, and the apache.org documentation. It is good documentation, and the config files are pretty clear to follow.

  • ACL Not Propagating Permissions to All Descendants

    I am curious why new files and folders added by users do not retain the permissions allocated to the parent folder by an ACL.
    The ACL description says that the permissions are propagated to the child files and folders as well as all descendants. But when a user logs in and creates a new item to share in a group folder, the ACL does not apply. Instead the new item takes on the individual user's permissions (Owner is the User, instead of the Group.)
    Is the new folder too far down in the directory to be considered a descendant? (3 layers deep.) Is there a known issue with Leopard users logging into a Tiger server?
    Any light shed on this issue is greatly appreciated. Thank you.

    I should add that I can remedy this problem by manually going in to Server Admin and propagating permissions on the troubled share-point, but I would rather not have to do this every time a user creates a new item.

  • ACL and sequence numbers

    I had the first two lines in the access list and all was well, I then added the 3rd. From what I need to put the 3rd entry (deny host 10.1.30.51) after the second entry and before the permit any. Even though I created sequence numbers in order of the 3 entries (10,20,30) the sequence numbers didn't put them in order and they don't even show up in the show run. What went wrong? How is it possible to edit an ACL without sequence numbers also?
    Cause if I had:
    10 deny x.x.x.x
    20 deny x.x.x.x
    30 permit any
    Then I could add say 15 deny x.x.x.x, but now I can't and I don't even know what happened to the sequence numbers when I created them.
    Thanks.
    Standard IP access list 1
        deny host 10.1.30.50 (4 match(es))
        permit any (8 match(es))
        deny host 10.1.30.51
    Router#

    Hi Milan,
    Sequence numbers are indeed not supported if you define a numbered access list. With both standard and extended numbered ACLs, however, it is possible to do a trick: if you refer to them as named ACLs (use their number as their name), you actually are able to use the sequence numbers.
    For example:
    R1(config)# do show run | i access-list
    access-list 1 deny   192.0.2.1
    access-list 1 permit any
    access-list 100 deny   ip host 192.0.2.1 any
    access-list 100 permit ip any any
    R1(config)# do show ip access-l
    Standard IP access list 1
        10 deny   192.0.2.1
        20 permit any
    Extended IP access list 100
        10 deny ip host 192.0.2.1 any
        20 permit ip any any
    R1(config)# ip access-list standard 1
    R1(config-std-nacl)# 15 deny 192.0.2.15
    R1(config-std-nacl)# exit
    R1(config)# do show access-list
    Standard IP access list 1
        10 deny   192.0.2.1
        15 deny   192.0.2.15
        20 permit any
    Extended IP access list 100
        10 deny ip host 192.0.2.1 any
        20 permit ip any any
    R1(config)# ip access-list extended 100
    R1(config-ext-nacl)# 15 deny ip host 192.0.2.15 any
    R1(config-ext-nacl)# exit
    R1(config)# do show access-l
    Standard IP access list 1
        10 deny   192.0.2.1
        15 deny   192.0.2.15
        20 permit any
    Extended IP access list 100
        10 deny ip host 192.0.2.1 any
        15 deny ip host 192.0.2.15 any
        20 permit ip any any
    The router is even smart enough to disallow to refer to a named ACL whose name is a number of the opposite type than stated on the command line:
    R1(config)# ip access-list standard 101
    %
    % Invalid access list name.
    R1(config)# ip access-list extended 2
    %
    % Invalid access list name.
    What Collin may have in mind, though, is that host entries in standard ACLs are reorganized to a different order than entered:
    R1(config)# ip access-list standard Test
    R1(config-std-nacl)# permit 10.0.0.1
    R1(config-std-nacl)# deny 10.0.0.2
    R1(config-std-nacl)# permit 10.0.0.3
    R1(config-std-nacl)# deny 10.0.0.4
    R1(config-std-nacl)# permit 10.0.0.5
    R1(config-std-nacl)# deny 10.0.0.6
    R1(config-std-nacl)# permit 10.0.0.7
    R1(config-std-nacl)# deny 10.0.0.8
    R1(config-std-nacl)# permit any
    R1(config-std-nacl)#exit
    R1(config)# do show access-list Test
    Standard IP access list Test
        80 deny   10.0.0.8
        20 deny   10.0.0.2
        30 permit 10.0.0.3
        10 permit 10.0.0.1
        60 deny   10.0.0.6
        70 permit 10.0.0.7
        40 deny   10.0.0.4
        50 permit 10.0.0.5
        90 permit any
    R1(config)# do show run | section Test
    ip access-list standard Test
     deny   10.0.0.8
     deny   10.0.0.2
     permit 10.0.0.3
     permit 10.0.0.1
     deny   10.0.0.6
     permit 10.0.0.7
     deny   10.0.0.4
     permit 10.0.0.5
     permit any
    This reordering happens only with standard ACLs and is a result of indexing the host entries in the ACL into a hash table (the hash function being XOR of individual octets of the IP address in the host entry) for faster access. When printing out the ACL, first the host items are printed out in the order they are stored in the hashing table, and only then the remaining entries that use wildcards. Wildcard entries are not reordered.
    The funny thing is that the ACL is actually even stored in the configuration in the reordered form, and thus evaluated in a reordered form, which can be confusing. However, you may have noticed that the router will prohibit you from entering a host ACL after entering a wildcard ACL that also matches the IP address in a wildcard entry:
    R1(config)# ip access-list standard Test2
    R1(config-std-nacl)# permit 10.0.1.0 0.0.0.255
    R1(config-std-nacl)# deny 10.0.1.1
    % Access rule can't be configured at higher sequence num as it is part of the existing rule at sequence num 10
    R1(config-std-nacl)#
    Why is this? Obviously, a host entry can either select the same action for a packet that would be taken by a more general wildcard entry (in which case it is not necessary for the host entry to be entered at all), or it can override the action that would be chosen by a more general wildcard entry. In this second case, it is necessary for this host entry to be placed in the ACL first, otherwise it would never be reached. Ordering of host entries themselves can be arbitrary, as they do not influence each other. This leads us to a general logic in standard ACLs - it is required to put all host entries first, and wildcard entries last. Now it is completely logical to visit all host entries first (indexed by a hash for rapid access), and then visit the wildcard entries.
    Quite a long post... sorry for that. Hopefully, we've resolved some of the doubts.
    Best regards,
    Peter
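
The ordering and the rejection described in the post above can be reproduced with a small model. This is an added example, not code from the post or from Cisco: the `StandardAcl` class and its methods are hypothetical, and sorting host entries by ascending octet-XOR value (ties in entry order) is an assumption chosen because it matches the `show access-list Test` listing in the post.

```python
import ipaddress
from functools import reduce

def octet_xor(ip):
    """Hash named in the post: XOR of the four octets of a host address."""
    return reduce(lambda a, b: a ^ b, ipaddress.IPv4Address(ip).packed)

def covers(net, wildcard, ip):
    """True if a wildcard entry (address plus inverse mask) matches ip."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(ip)) & care)

class StandardAcl:  # hypothetical model, not router code
    def __init__(self):
        self.hosts, self.wildcards, self.next_seq = [], [], 10

    def add(self, action, addr, wildcard="0.0.0.0"):
        if addr == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard == "0.0.0.0":
            for seq, _, net, wc in self.wildcards:
                if covers(net, wc, addr):  # host would sit behind a rule that already matches it
                    raise ValueError(f"part of the existing rule at sequence num {seq}")
            self.hosts.append((self.next_seq, action, addr))
        else:
            self.wildcards.append((self.next_seq, action, addr, wildcard))
        self.next_seq += 10

    def stored_order(self):
        """Sequence numbers as listed: hosts by hash (assumed ascending), then wildcards."""
        hosts = sorted(self.hosts, key=lambda e: octet_xor(e[2]))
        return [e[0] for e in hosts] + [e[0] for e in self.wildcards]

    def evaluate(self, src):
        """First match wins; host entries are visited before wildcard entries."""
        for _, action, ip in self.hosts:
            if ip == src:
                return action
        for _, action, net, wc in self.wildcards:
            if covers(net, wc, src):
                return action
        return "deny"  # implicit deny at the end of every ACL

def build_test_acl():
    """The 'Test' ACL as entered in the post: permit .1, deny .2, ... deny .8, permit any."""
    acl = StandardAcl()
    for i in range(1, 9):
        acl.add("permit" if i % 2 else "deny", f"10.0.0.{i}")
    acl.add("permit", "any")
    return acl

if __name__ == "__main__":
    print(build_test_acl().stored_order())
```

Because each host entry matches exactly one address, the result of `evaluate` does not depend on the order of the host entries, which is why the router can store them in hash order without changing the ACL's behaviour.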

  • Set-Acl removing inherited permissions

    Hi,
    I am trying to set permissions on a remote share. However, using Set-Acl removes the inherited permissions from the share.
    i.e. F:\SHARE inherits permissions from F:\
    Using Set-Acl in any way removes the permissions inherited from F:\.
    i.e. (Get-Acl \\SERVER\SHARE) | Set-Acl \\SERVER\SHARE
    After running that command, the inherited permissions from F:\ will no longer be applied to F:\SHARE
    Ideas?
    Another thread suggested this was a UAC issue. UAC is turned off on both the computer running Set-Acl, and the computer with the share. UAC was turned off by changing the value of EnableLUA from 1 to 0 in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system".

    This is because setting the ACL on the root of a share using the UNC path disables inheritance for that folder. It has nothing to do with UAC and is by design. Try doing it in explorer and you'll get a warning stating just that.
    EDIT: To set the permissions remotely in this particular case, you'll need to be an administrator on the remote machine. This allows you to connect via \\SERVER\F$, where you are then free to set permissions on the \\SERVER\F$\SHARE folder without disabling inheritance.
    Best Regards,
    Carl S
    All code is provided as-is with no guarantees. Always try it out in a test environment before applying it in a production environment.

  • Extended ACL and FTP

    We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?
    permit tcp any any established

    Maybe this link should help.
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
    Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.
    So instead you use
    access-list 100 permit tcp any host 192.168.1.100 gt 1023
    You should use
    access-list 100 permit tcp any host 192.168.1.100 range 6000 6100
    But, in my opinion, from the server's view, active FTP is more secure than passive.
    Hope this helps

  • ACL and performance

    Hi,
    I have CSS 11503 without SSL module (CSS11503-AC J0)
    I have to know something:
    Customer needs to prevent servers behind LB (means service). In order to do this they want to limit connections to the VIP.
    In summary, they want only some IP:Port pairs to be able to reach the VIP.
    To do this I think I have to use an ACL, and one ACL has 20-25 clauses. And maybe I will have to add some new ACLs.
    So the question is:
    How does this ACL affect the performance of the CSS?
    Roughly, by what percentage does it degrade performance?

    ACLs with only permit|deny clauses are all performed in hardware and therefore the impact on the performance is null or almost null.
    If you have ACLs to allow some source NATing or selection of a preferred gateway or service, these are done in software and will have an impact that I unfortunately can't quantify, since this is really dependent on the config and traffic.
    Gilles.
