Question

Manage folder permissions using Laserfiche SDK

Laserfiche SDK Version 9 Version 10 Administration

Updated March 20, 2023

asked on June 17, 2021

Hi everyone,

Is there any .net script to use SDK DLLs in order to manage folder permissions? For example, retrieve folder security or folder access rights, and modify access rights on folders.

Any help, it would be appreciated.

Regards

0 0

Answer

SELECTED ANSWER

replied on June 18, 2021

Ah, that linked post is in the private Solution Providers group.

I've reproduced the relevant bits below.

The original poster asked:

>Can someone advise as how can I assign Laserfiche Groups to have access to a folder? All I can see under SDK Documenatition is about adding Windows Groups to have access to folders. e.g like the code below adds Windows groups to have access to top repository folder:

// Retrieve a Windows Group and grant its members
// the ability to log into the repository.
System.Security.Principal.NTAccount WinGroup = new System.Security.Principal.NTAccount("MyGroup");
Repository.GrantLogOnAccess(WinGroup, mySess);

// Set privileges, feature rights and tags.
TrusteeInfo ti = new TrusteeInfo();
ti.Privileges = Privileges.EntryAccess;
ti.FeatureRights = FeatureRights.Move | FeatureRights.Import;
ti.AssignTag(Tag.GetInfo("Secure Tag", mySess));
Trustee.SetInfo(WinGroup, ti, mySess);

// Retrieve the repository's root folder and set entry access
// rights for the Windows group.
EntryInfo ei = Entry.GetEntryInfo(1, mySess);
EntrySecurity es = ei.GetAccessControl();
EntryAccessRule EAR = new EntryAccessRule(WinGroup, EntryRights.Read | EntryRights.WriteContent | EntryRights.WriteMetadata, EntryAccessScope.DocumentsOnly, System.Security.AccessControl.AccessControlType.Allow);
es.AddAccessRule(EAR);
ei.SetAccessControl(es);

Robert replied:

>Create the EntryAccessRule with the SecurityIdentifier for the LF group:

TrusteeInfo groupInfo = Trustee.GetInfo("the group", session);

EntryInfo rootFolder = Entry.GetEntryInfo(1, session);

EntrySecurity entrySec = rootFolder.GetAccessControl();                     

EntryAccessRule ear = new EntryAccessRule(groupInfo.Sid, EntryRights.FullControl, System.Security.AccessControl.AccessControlType.Allow);

entrySec.AddAccessRule(ear);

rootFolder.SetAccessControl(entrySec);

rootFolder.Save();

1 0

Replies

replied on June 18, 2021

Use EntryInfo.GetAccessControl() to retrieve the EntrySecurity for a folder/document. You then modify the EntrySecurity to add/remove access rules, and assign it back to the entry. See the sample code here.

1 0

View 6 previous replies

replied on June 18, 2021

Hi Robert,
Thanks for your answer, I can not found the page, it tells me may be is a group membership issue because it belongs to a private group.

Regards

0 0

SELECTED ANSWER

replied on June 18, 2021

Ah, that linked post is in the private Solution Providers group.

I've reproduced the relevant bits below.

The original poster asked:

// Retrieve a Windows Group and grant its members
// the ability to log into the repository.
System.Security.Principal.NTAccount WinGroup = new System.Security.Principal.NTAccount("MyGroup");
Repository.GrantLogOnAccess(WinGroup, mySess);

// Set privileges, feature rights and tags.
TrusteeInfo ti = new TrusteeInfo();
ti.Privileges = Privileges.EntryAccess;
ti.FeatureRights = FeatureRights.Move | FeatureRights.Import;
ti.AssignTag(Tag.GetInfo("Secure Tag", mySess));
Trustee.SetInfo(WinGroup, ti, mySess);

// Retrieve the repository's root folder and set entry access
// rights for the Windows group.
EntryInfo ei = Entry.GetEntryInfo(1, mySess);
EntrySecurity es = ei.GetAccessControl();
EntryAccessRule EAR = new EntryAccessRule(WinGroup, EntryRights.Read | EntryRights.WriteContent | EntryRights.WriteMetadata, EntryAccessScope.DocumentsOnly, System.Security.AccessControl.AccessControlType.Allow);
es.AddAccessRule(EAR);
ei.SetAccessControl(es);

Robert replied:

>Create the EntryAccessRule with the SecurityIdentifier for the LF group:

TrusteeInfo groupInfo = Trustee.GetInfo("the group", session);

EntryInfo rootFolder = Entry.GetEntryInfo(1, session);

EntrySecurity entrySec = rootFolder.GetAccessControl();                     

EntryAccessRule ear = new EntryAccessRule(groupInfo.Sid, EntryRights.FullControl, System.Security.AccessControl.AccessControlType.Allow);

entrySec.AddAccessRule(ear);

rootFolder.SetAccessControl(entrySec);

rootFolder.Save();

1 0

replied on June 21, 2021

Hi Samuel, thank you very much.
Regards

0 0

replied on June 21, 2021

You're welcome!

0 0

replied on March 20, 2023

Hey Robert,

Your link to sample code is dead. Might you have an updated link?

Eric

0 0

replied on March 20, 2023

Hi Eric, the linked post is probably inaccessible because it is in the Solution Providers group. Samuel included the sample code in the reply above, it's these lines:

TrusteeInfo groupInfo = Trustee.GetInfo("the group", session);
EntryInfo rootFolder = Entry.GetEntryInfo(1, session);
EntrySecurity entrySec = rootFolder.GetAccessControl();
                    
EntryAccessRule ear = new EntryAccessRule(groupInfo.Sid, EntryRights.FullControl, System.Security.AccessControl.AccessControlType.Allow);
entrySec.AddAccessRule(ear);
rootFolder.SetAccessControl(entrySec);
rootFolder.Save();

0 0

replied on March 20, 2023

Thanks for your reply. Is there a way to get the rights back from a folder as a list of trustees/groups and loop through them?

0 0

replied on March 20, 2023

To get the access rights assigned directly on an entry (a folder or a document), call EntrySecurity.GetAccessRules(true, false):

public static void ReportEntryAccessRights(Session session, int entryId)
{
    EntryInfo entryInfo = Entry.GetEntryInfo(entryId, session);
    EntrySecurity entrySec = entryInfo.GetAccessControl();

    bool includeExplicit = true; // Include ACEs assigned directly on this entry
    bool includeInherited = false; // Include ACEs inherited from a parent folder

    Console.WriteLine($"Reading security for {entryInfo.Path}");

    foreach (EntryAccessRule rule in entrySec.GetAccessRules(includeExplicit, includeInherited))
    {
        try
        {
            Console.WriteLine($"Account: {rule.AccountReference.AccountName}");
            Console.WriteLine($"  Allow/Deny: {rule.AccessControlType}");
            Console.WriteLine($"  Scope: {rule.EntryAccessScope}");
            Console.WriteLine($"  Rights: {rule.EntryRights}");
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
        }
    }
}

If you are looking to get the entries within the folder and find security on them, use FolderInfo.OpenFolderListing to get the child entries, then use that list of IDs to lookup the security on each entry:

public static List<int> GetChildEntries(Session session, int folderId)
{
    FolderInfo folder = Folder.GetFolderInfo(folderId, session);

    List<int> childEntryIds = new List<int>();

    EntryListingSettings settings = new EntryListingSettings();
    settings.AddColumn(SystemColumn.Id);
    using (FolderListing listing = folder.OpenFolderListing(settings))
    {
        foreach (var row in listing)
        {
            int entryId = (int)row[SystemColumn.Id];
            childEntryIds.Add(entryId);
        }
    }

    return childEntryIds;
}

1 0

replied on March 20, 2023

Many thanks! This is very helpful.

0 0

replied on June 18, 2021

Hi Cristian,

Looks like Robert got you the info on using the SDK for this task. I'm curious what your use case is through, if you're willing to share. Laserfiche Workflow has an Assign Rights activity we often use to manage folder permissions.

1 0

replied on June 18, 2021

Hi Samuel
We are using Laserfiche just as a repository, we don't have Laserfiche Workflow, but we use SDK a lot to communicate with our apps, and personally to facilitate admin operations a little bit.

Thanks for your curiosity about it.

Regards

0 0

You are not allowed to follow up in this post.

Question

Question

Manage folder permissions using Laserfiche SDK

Answer

Replies

Sign in to reply to this post.