ACL Propagation Rules

When you create or modify access control entries (ACEs) for container objects such as folders, you can specify how to propagate the ACEs to objects within the container. For example, you might apply ACEs to all subfolders but not the files within those folders.

The rules of ACE propagation are controlled by different combinations of the InheritanceFlags enumeration and the PropagationFlags enumeration. You can pass both enumerations to constructors of the FileSystemAuditRule class or the FileSystemAccessRule class.

The following table shows all combinations of the two enumerations and describes how each combination affects the rules of propagation.

| Flag combinations | Propagation results |
| --- | --- |
| No Flags | Target folder. |
| ObjectInherit | Target folder, child object (file), grandchild object (file). |
| ObjectInherit and NoPropagateInherit | Target folder, child object (file). |
| ObjectInherit and InheritOnly | Child object (file), grandchild object (file). |
| ObjectInherit, InheritOnly, and NoPropagateInherit | Child object (file). |
| ContainerInherit | Target folder, child folder, grandchild folder. |
| ContainerInherit and NoPropagateInherit | Target folder, child folder. |
| ContainerInherit and InheritOnly | Child folder, grandchild folder. |
| ContainerInherit, InheritOnly, and NoPropagateInherit | Child folder. |
| ContainerInherit and ObjectInherit | Target folder, child folder, child object (file), grandchild folder, grandchild object (file). |
| ContainerInherit, ObjectInherit, and NoPropagateInherit | Target folder, child folder, child object (file). |
| ContainerInherit, ObjectInherit, and InheritOnly | Child folder, child object (file), grandchild folder, grandchild object (file). |
| ContainerInherit, ObjectInherit, NoPropagateInherit, and InheritOnly | Child folder, child object (file). |

Note: To change the access rules of only certain child files or folders, you must break your operation into several different calls.
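The following C# console program is an added example, not part of the original documentation. It applies two rows of the table to a constructed scratch tree under %TEMP% and reads the ACLs back to show which objects carry the ACE; the BUILTIN\Users principal, the Read right, and the file and folder names are assumptions chosen for the demonstration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

class PropagationDemo
{
    // Assumption: BUILTIN\Users has no other ACE under %TEMP%, so any match is the one added here.
    static readonly SecurityIdentifier Who = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

    // Report the demo principal's ACE on one object, or its absence.
    static string Describe(FileSystemSecurity acl)
    {
        var rule = acl.GetAccessRules(true, true, typeof(SecurityIdentifier))
                      .Cast<FileSystemAccessRule>()
                      .FirstOrDefault(r => r.IdentityReference.Equals(Who));
        return rule == null ? "no ACE"
            : $"inherited={rule.IsInherited} inherit=[{rule.InheritanceFlags}] propagate=[{rule.PropagationFlags}]";
    }

    static void Run(InheritanceFlags inherit, PropagationFlags propagate)
    {
        // Constructed scratch tree: target\{a.txt, child\{b.txt, grandchild\}}
        var target = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "acl-demo-" + Guid.NewGuid().ToString("N")));
        target.Create();
        DirectorySecurity acl = target.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(Who, FileSystemRights.Read, inherit, propagate, AccessControlType.Allow));
        target.SetAccessControl(acl);
        // Objects created after the ACE is set receive only what the flags allow.
        DirectoryInfo child = target.CreateSubdirectory("child");
        DirectoryInfo grandchild = child.CreateSubdirectory("grandchild");
        var childFile = new FileInfo(Path.Combine(target.FullName, "a.txt"));
        var grandFile = new FileInfo(Path.Combine(child.FullName, "b.txt"));
        File.WriteAllText(childFile.FullName, "demo");
        File.WriteAllText(grandFile.FullName, "demo");
        Console.WriteLine($"{inherit} + {propagate}");
        Console.WriteLine("  target folder     : " + Describe(target.GetAccessControl()));
        Console.WriteLine("  child folder      : " + Describe(child.GetAccessControl()));
        Console.WriteLine("  child file        : " + Describe(childFile.GetAccessControl()));
        Console.WriteLine("  grandchild folder : " + Describe(grandchild.GetAccessControl()));
        Console.WriteLine("  grandchild file   : " + Describe(grandFile.GetAccessControl()));
        target.Delete(true); // remove the scratch tree
    }

    static void Main()
    {
        var both = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        Run(both, PropagationFlags.NoPropagateInherit); // table row: target, child folder, child file
        Run(both, PropagationFlags.InheritOnly);        // table row: children and grandchildren only
    }
}
```

On the InheritOnly run the target folder still lists the ACE, because the entry is stored on the target even though it is not evaluated for the target itself. Reading the flags back this way is a quick check that a rule reaches no deeper into the tree than intended.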
