
added primer on permissions

pull/62/head
sup3rlativ3 4 years ago
parent
commit
af6c57a056
3 changed files with 124 additions and 29 deletions
  1. +22 -27 Docs/Cmdlets/Add-NTFSAccess.md
  2. +98 -0 Docs/Permissions.md
  3. +4 -2 Docs/index.md

+22 -27 Docs/Cmdlets/Add-NTFSAccess.md

@@ -14,31 +14,27 @@ Adds an access control entry (ACE) to an object.
## SYNTAX

### PathComplex (Default)

```PowerShell
```
Add-NTFSAccess [-Path] <String[]> [-Account] <IdentityReference2[]> [-AccessRights] <FileSystemRights2>
[-AccessType <AccessControlType>] [-InheritanceFlags <InheritanceFlags>]
[-PropagationFlags <PropagationFlags>] [-PassThru] [<CommonParameters>]
```

### PathSimple

```PowerShell
```
Add-NTFSAccess [-Path] <String[]> [-Account] <IdentityReference2[]> [-AccessRights] <FileSystemRights2>
[-AccessType <AccessControlType>] [-AppliesTo <ApplyTo>] [-PassThru] [<CommonParameters>]
```

### SDSimple

```PowerShell
```
Add-NTFSAccess [-SecurityDescriptor] <FileSystemSecurity2[]> [-Account] <IdentityReference2[]>
[-AccessRights] <FileSystemRights2> [-AccessType <AccessControlType>] [-AppliesTo <ApplyTo>] [-PassThru]
[<CommonParameters>]
```

### SDComplex

```PowerShell
```
Add-NTFSAccess [-SecurityDescriptor] <FileSystemSecurity2[]> [-Account] <IdentityReference2[]>
[-AccessRights] <FileSystemRights2> [-AccessType <AccessControlType>] [-InheritanceFlags <InheritanceFlags>]
[-PropagationFlags <PropagationFlags>] [-PassThru] [<CommonParameters>]
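Review bot: the one-line-per-block change in this hunk lands on the opening fence of each of the four SYNTAX blocks (PathComplex, PathSimple, SDSimple, SDComplex), where the rendered diff shows both a tagged "```PowerShell" fence and a bare "```" fence; whichever of the two is the kept line, make it the same tag as the "```PowerShell" fences used by the EXAMPLES blocks further down in this file, so the syntax blocks and the example blocks are highlighted the same way on the docs site.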
@@ -46,25 +42,9 @@ Add-NTFSAccess [-SecurityDescriptor] <FileSystemSecurity2[]> [-Account] <Identit

## DESCRIPTION

Adds an access control entry (ACE) to an object such as a file or folder. Other examples would be an object inside of Active Directory.
Adds an access control entry (ACE) to an object such as a file or folder. NTFSSecurity allows you to apply basic permission groups (read, read/write, full) or advanced permissions that allow you to get granular with the permissions. See the below table for how the basic permissions map to the advanced permissions, and how NTFSSecurity handles them.

## EXAMPLES

### Example 1

```PowerShell
PS C:\> Add-NTFSAccess -Path C:\Data -Account 'NT AUTHORITY\Authenticated Users' -AccessRights Read
```

The above command gives the read permissions to the built-in group of 'Authenticated users'

## PARAMETERS

### -AccessRights

The AccessRights parameter designates the permissions to assign. There are individual permissions as well as 'basic' permissions. See the below table for how the basic permissions permissions map the the advanced permissions in the advanced security window.

| AccessRights Applied | AccessRight displayed | Advanced Security Window |
| NTFSSecurity | AccessRight displayed | Advanced Security Window |
|------------------------------|------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| ReadData | ListDirectory | List Folder / Read Data |
| ListDirectory | ListDirectory | List Folder / Read Data |
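Review bot: the first column header of the AccessRights table changes here from "AccessRights Applied" to "NTFSSecurity", but that column holds the value a user passes to -AccessRights, so a header that says so (for example "AccessRights value") is clearer than the module name; whichever header is kept should also be the one used in the new Docs/Permissions.md table, which is otherwise a copy of this one. Moving the table up into DESCRIPTION also means Get-Help readers who jump straight to the -AccessRights parameter no longer see the mapping next to the parameter they are reading about.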
@@ -87,6 +67,22 @@ The AccessRights parameter designates the permissions to assign. There are indiv
| Modify | Modify | Everything except Full Control, Delete SubFolders and Files, Change Permissions, Take Ownership |
| ChangePermissions | ChangePermissions | Change Permissions |

## EXAMPLES

### Example 1

```PowerShell
PS C:\> Add-NTFSAccess -Path C:\Data -Account 'NT AUTHORITY\Authenticated Users' -AccessRights Read
```

The above command gives the read permissions to the built-in group of 'Authenticated users'

## PARAMETERS

### -AccessRights

The AccessRights parameter designates the permissions to assign. There are individual permissions as well as 'basic' permissions. See the below table for how the basic permissions permissions map the the advanced permissions in the advanced security window.

```yaml
Type: FileSystemRights2
Parameter Sets: (All)
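Review bot: the re-added -AccessRights paragraph still ends with "See the below table for how the basic permissions permissions map the the advanced permissions", but after this change nothing follows it except the yaml parameter block, since the table now sits above in DESCRIPTION; point the reader at the table in the DESCRIPTION section instead, and drop the doubled words "permissions permissions" and "the the" while the line is being touched (the removed copy of the paragraph earlier in the file carried the same typo).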
@@ -233,7 +229,6 @@ Accept wildcard characters: False
```

### CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).

## INPUTS


+98 -0 Docs/Permissions.md

@@ -0,0 +1,98 @@
# Permissions

## Overview

Before starting with the NTFSSecurity module there are some core concepts that you will need to understand.

There are two ways you can handle permissions, basic and advanced. The basic set of permissions are goups of advanced permissions that allow you to assign common role such as 'Read', 'Read/Write', or 'Full'. Advanced permissions allow you granular control of what can and can't be access or used. The advanced permissions are commonly used to build custom Role-Based Access Control tooling.

Below is an explaination taken from the fantastic site NTFS.com for each of the advanced file permissions.

### Traverse Folder/Execute File

* **Traverse Folder**: Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy. Traverse folder takes effect only when the group or user is not granted the "Bypass traverse checking user" right in the Group Policy snap-in. This permission does not automatically allow running program files.

* **Execute File**: Allows or denies running program (executable) files.

### List Folder/Read Data

* **List Folder**: Allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed.

* **Read Data**: Allows or denies viewing data in files.

### Read Attributes

* Allows or denies viewing the attributes of a file or folder, for example, "read-only" and "hidden".

### Read Extended Attributes

* Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

### Create Files/Write Data

* **Create Files**: Allows or denies creating files within the folder.

* **Write Data**: Allows or denies making changes to a file and overwriting existing content.

### Create Folders/Append Data

* **Create Folders**: Allows or denies creating subfolders within the folder.

* **Append Data**: Allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data.

### Write Attributes

* Allows or denies changing the attributes of a file or folder, for example, "read-only" or "hidden".

* The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of an existing file or folder.

### Write Extended Attributes

* Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

* The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the extended attributes of an existing file or folder.

### Delete Subfolders and Files

* Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.

### Delete

* Allows or denies deleting the file or folder. If you don't have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.

### Read Permissions

* Allows or denies reading permissions of a file or folder.

### Change Permissions

* Allows or denies changing permissions of the file or folder.

### Take Ownership

* Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

You can see how the basic permissions, advanced permissions, and the NTFSSecurity module relate to one another in the below table.

| NTFSSecurity | AccessRight displayed | Advanced Security Window |
|------------------------------|------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| ReadData | ListDirectory | List Folder / Read Data |
| ListDirectory | ListDirectory | List Folder / Read Data |
| WriteData | CreateFile | Create Files / Write Data |
| CreateFiles | CreateFile | Create Files / Write Data |
| AppendData | CreateDirectories | Create Folders / Append Data |
| CreateDirectories | CreateDirectories | Create Folders / Append Data |
| ReadExtendedAttributes | ReadExtendedAttributes | Read Extended Attributes |
| WriteExtendedAttributes | WriteExtendedAttributes | WriteExtendedAttributes |
| ExecuteFile | Traverse | Traverse Folder / Execute File |
| Traverse | Traverse | Traverse Folder / Execute File |
| DeleteSubdirectoriesAndFiles | DeleteSubdirectoriesAndFiles | Delete Sub-folders and Files |
| ReadAttributes | ReadAttributes | Read Attributes |
| WriteAttributes | WriteAttributes | Write Attributes |
| Write | Write | Create Files / Write Data, Create Folders / Append Data, Write-Attributes, Write Extended Attributes |
| Delete | Delete | Delete |
| ReadPermissions | ReadPermissions | Read Permissions |
| Read | Read | List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions |
| ReadAndExecute | ReadAndExecute | Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions |
| Modify | Modify | Everything except Full Control, Delete SubFolders and Files, Change Permissions, Take Ownership |
| ChangePermissions | ChangePermissions | Change Permissions |
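Review bot: the WriteExtendedAttributes row of the new table puts "WriteExtendedAttributes" in the "Advanced Security Window" column, where every other row uses the label as the Windows dialog shows it ("Write Extended Attributes"); the same table also spells the delete permission "Delete Sub-folders and Files" in one row and "Delete SubFolders and Files" in the Modify row, and hyphenates "Write-Attributes" only in the Write row, so one spelling per label is needed. In the prose, "goups", "explaination", "common role such as", and "what can and can't be access" should read "groups", "explanation", "common roles such as", and "what can and can't be accessed"; the Windows user right quoted in the Traverse Folder bullet is named "Bypass traverse checking", not "Bypass traverse checking user"; and since the per-permission text is reproduced from NTFS.com, the page should link to the source URL it was taken from.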

+4 -2 Docs/index.md

@@ -21,9 +21,11 @@ Further help can be found in How to install if you face difficulties getting thi

## Documentation

The cmdlets are yet not documented completely so Get-Help will not show help for all the cmdlets. Providing documentation is planned though.
The cmdlets are yet not documented completely so Get-Help will not show help for all the cmdlets. This ReadTheDocs site is the first step to documenting the module.

## Additional documentation is available
## Tutorials

There are a number of tutorials available on the web. The below two were written by the author of the NTFSSecurity module.

[NTFSSecurity Tutorial 1 - Getting, adding and removing permissions](http://blogs.technet.com/b/fieldcoding/archive/2014/12/05/ntfssecurity-tutorial-1-getting-adding-and-removing-permissions.aspx)
[NTFSSecurity Tutorial 2 - Managing NTFS Inheritance and Using Privileges](http://blogs.technet.com/b/fieldcoding/archive/2014/12/05/ntfssecurity-tutorial-2-managing-ntfs-inheritance-and-using-privileges.aspx)
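Review bot: the two tutorial links are on consecutive lines with no blank line or list marker between them, so Markdown renders them as one paragraph with the second link running straight on after the first; put each link on its own bullet or separate them with a blank line. The rewritten Documentation sentence also keeps "are yet not documented completely", which should read "are not yet completely documented".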
