
RegistrySecurity.AddAccessRule Method

Searches for a matching access control rule with which the new rule can be merged. If none is found, adds the new rule.

Namespace: System.Security.AccessControl
Assembly: mscorlib (in mscorlib.dll)

public void AddAccessRule (
	RegistryAccessRule rule
)
public function AddAccessRule (
	rule : RegistryAccessRule
)

Parameters

rule

The access control rule to add.

Exception type | Condition

ArgumentNullException | rule is a null reference (Nothing in Visual Basic).

The AddAccessRule method searches for rules with the same user or group and the same AccessControlType as rule. If none are found, rule is added. If a matching rule is found, the rights in rule are merged with the existing rule.

Rules cannot be merged if they have different inheritance flags. For example, if a user is allowed read access with no inheritance flags, and AddAccessRule is used to add a rule giving the user write access with inheritance for subkeys (InheritanceFlags.ContainerInherit), the two rules cannot be merged.

Rules with different AccessControlType values are never merged.

Rules express rights in the most economical way. For example, if a user has QueryValues, Notify and ReadPermissions rights, and you add a rule allowing EnumerateSubKeys rights, the user has all the constituent parts of ReadKey rights. If you query the user's rights, you will see a rule containing ReadKey rights. Similarly, if you remove EnumerateSubKeys rights, the other constituents of ReadKey rights will reappear.

The following code example creates registry access rules and adds them to a RegistrySecurity object, showing how rules that allow and deny rights remain separate, while compatible rules of the same kind are merged.

Note:

This example does not attach the security object to a RegistryKey object. Examples that attach security objects can be found in Microsoft.Win32.RegistryKey.GetAccessControl and Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity).

A code example that demonstrates inheritance and propagation flags can be found in the RegistryAccessRule class.

using System;
using Microsoft.Win32;
using System.Security.AccessControl;
using System.Security.Principal;

public class Example
{
    public static void Main()
    {
        // Create a string representing the current user.
        string user = Environment.UserDomainName + "\\"
            + Environment.UserName;

        // Create a security object that grants no access.
        RegistrySecurity mSec = new RegistrySecurity();

        // Add a rule that grants the current user the 
        // right to read the key.
        RegistryAccessRule rule = new RegistryAccessRule(user, 
            RegistryRights.ReadKey, 
            AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        // Add a rule that denies the current user the 
        // right to change permissions on the Registry.
        rule = new RegistryAccessRule(user, 
            RegistryRights.ChangePermissions, 
            AccessControlType.Deny);
        mSec.AddAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);

        // Add a rule that allows the current user the 
        // right to write to the key. This rule is merged 
        // with the existing Allow rule.
        rule = new RegistryAccessRule(user, 
            RegistryRights.WriteKey, 
            AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        ShowSecurity(mSec);
    }

    private static void ShowSecurity(RegistrySecurity security)
    {
        Console.WriteLine("\r\nCurrent access rules:\r\n");

        foreach( RegistryAccessRule ar in 
            security.GetAccessRules(true, true, typeof(NTAccount)) )
        {
            Console.WriteLine("        User: {0}", ar.IdentityReference);
            Console.WriteLine("        Type: {0}", ar.AccessControlType);
            Console.WriteLine("      Rights: {0}", ar.RegistryRights);
            Console.WriteLine();
        }
    }
}

/* This code example produces output similar to the following:

Current access rules:

        User: TestDomain\TestUser
        Type: Deny
      Rights: ChangePermissions

        User: TestDomain\TestUser
        Type: Allow
      Rights: ReadKey


Current access rules:

        User: TestDomain\TestUser
        Type: Deny
      Rights: ChangePermissions

        User: TestDomain\TestUser
        Type: Allow
      Rights: SetValue, CreateSubKey, ReadKey
 */
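
The example above does not exercise two cases from the remarks: rights collapsing into ReadKey and reappearing on removal, and rules that stay separate because their inheritance flags differ. The following is an added example, not part of the original page; the class name MergeAuditExample and the helpers Grants and Show are hypothetical, and the current user's SID stands in for the account under review. It also shows why an access review should test rights with a bit mask: after merging, a rule no longer reads as the right that was added.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

public class MergeAuditExample
{
    public static void Main()
    {
        // Assumption: the current user's SID stands in for the account being reviewed.
        IdentityReference user = WindowsIdentity.GetCurrent().User;
        RegistrySecurity sec = new RegistrySecurity();

        // Three constituents of ReadKey, then the fourth: reported as a single ReadKey rule.
        sec.AddAccessRule(new RegistryAccessRule(user,
            RegistryRights.QueryValues | RegistryRights.Notify | RegistryRights.ReadPermissions,
            AccessControlType.Allow));
        sec.AddAccessRule(new RegistryAccessRule(user,
            RegistryRights.EnumerateSubKeys, AccessControlType.Allow));
        Show("After adding EnumerateSubKeys", sec);

        // Removing that constituent makes the other three reappear.
        sec.RemoveAccessRule(new RegistryAccessRule(user,
            RegistryRights.EnumerateSubKeys, AccessControlType.Allow));
        Show("After removing EnumerateSubKeys", sec);

        // Same user and type but different inheritance flags: stays a separate rule.
        sec.AddAccessRule(new RegistryAccessRule(user, RegistryRights.WriteKey,
            InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));
        Show("After adding inheritable WriteKey", sec);
    }

    // Test a right with a bit mask; after merging, a rule rarely equals the right that was added.
    private static bool Grants(RegistryAccessRule ar, RegistryRights wanted)
    {
        return ar.AccessControlType == AccessControlType.Allow
            && (ar.RegistryRights & wanted) == wanted;
    }

    private static void Show(string title, RegistrySecurity sec)
    {
        Console.WriteLine("\r\n{0}:", title);
        foreach (RegistryAccessRule ar in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            Console.WriteLine("  {0} {1} [inherit: {2}] grants SetValue: {3}",
                ar.AccessControlType, ar.RegistryRights, ar.InheritanceFlags,
                Grants(ar, RegistryRights.SetValue));
        }
    }
}
```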

Windows 98, Windows Server 2000 SP4, Windows Millennium Edition, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0

© 2014 Microsoft