Since I am well capable of forgetting how to add and remove access control entries (ACE) into and from access control lists (ACL) of files and directories, I decided to write a reminder blog entry series.

The first chapter will be about allowing an individual user access to an individual file.

The starting position is a file owned by me and accessible by me in a directory owned by me and accessible by me. Both are not accessible by the other user originally.

I will go through this exercise in three different shells:

cmd.exe and powershell.exe on Windows 10 and dcl.exe on OpenVMS 8.4.

1. Windows cmd.exe

The command to use is icacls.exe. It is fairly simple to use once you get used to it. The trick is to remember that the argument following /grant or /remove is a single string and must be quoted unless you are typing it into cmd.exe itself.

The file prepared is HubertWantsIt.txt. It looks quite peaceful now.


Hubert cannot access it.


Using icacls.exe the file's ACL can be modified to allow Hubert access. Hubert will also need access to traverse (execute) the directory and see the files.


This leads to Hubert's happiness.


To undo, do this.


2. Windows PowerShell

PowerShell is more powerful than cmd.exe but much more complicated. It's meant to be used as a scripting language rather than a shell, and this becomes very obvious when trying to do simple things like setting permissions on the spot.

Hubert is back in his original awkward position:


But this can be helped.


Let me explain...

PowerShell is not a command language but a scripting language. It's also object-oriented and works with variables a lot.

The first thing to know is that an item is, here, a file system item such as a file or a directory. Get-Item . gets the current directory as an item. From the current directory item we get its ACL. Into the ACL we add an access rule (of type FileSystemAccessRule, because it is a file system we are dealing with here). Finally, the modified ACL must be written back to the item; until that happens nothing on disk has changed.

Here this leads to some happiness for Hubert again:


And to undo:


You can see how that sort of mechanism is more useful for automation than interaction.
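The get-ACL, add-rule, write-back sequence described above, as an added example (not the post's own commands). It assumes Hubert is a local account on this machine and that the script runs as the owner of both the file and the directory:

```powershell
# Added example, not the post's own commands: grant the other user "Hubert"
# read access to HubertWantsIt.txt in the current directory, give him the
# traverse/list rights on the directory he needs to reach it, then undo both.
# Assumption: Hubert is a local account on this machine and this script runs
# as the owner of the file and the directory (Set-Acl writes the whole
# security descriptor, owner included, so a non-owner needs extra privilege).
$user = "$env:COMPUTERNAME\Hubert"
$file = Get-Item -Path '.\HubertWantsIt.txt'
$dir  = Get-Item -Path '.'

# Directory rule: ReadAndExecute covers traverse (execute) and list
# directory. InheritanceFlags None keeps it on the folder itself, so it
# is not propagated to every file inside, unlike an (OI)(CI) icacls grant.
$dirRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $user,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

# File rule: plain Read is enough to open and read the text file.
$fileRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $user, 'Read', 'Allow'
)

# Get the ACL, add the rule, write the ACL back. Nothing changes on disk
# until Set-Acl runs.
$dirAcl = Get-Acl -Path $dir.FullName
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $dir.FullName -AclObject $dirAcl

$fileAcl = Get-Acl -Path $file.FullName
$fileAcl.AddAccessRule($fileRule)
Set-Acl -Path $file.FullName -AclObject $fileAcl

# Check: show only the explicit (non-inherited) entries for Hubert.
(Get-Acl -Path $file.FullName).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $user } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Undo: remove the same rules and write the ACLs back again.
$fileAcl = Get-Acl -Path $file.FullName
$null = $fileAcl.RemoveAccessRule($fileRule)
Set-Acl -Path $file.FullName -AclObject $fileAcl

$dirAcl = Get-Acl -Path $dir.FullName
$null = $dirAcl.RemoveAccessRule($dirRule)
Set-Acl -Path $dir.FullName -AclObject $dirAcl
```

RemoveAccessRule only removes the rights that match the rule you pass, so keeping the rule objects around (or rebuilding them identically) is what makes the undo exact.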

3. OpenVMS DCL

OpenVMS Digital Command Language is a command language shell suitable both for interactive commands and basic scripting.

Hubert again finds himself in the unfortunate position of not being able to access the file.


The reason is easily seen from my own perspective on the system.


Hubert is neither me nor in my group and the file has an empty ACL.

But this can be changed.


Note that in VMS a directory is represented as a file with the .DIR extension. [-] refers to the parent directory, like .. in Windows and UNIX.

Hubert is ecstatic:


To undo, do this:


To be continued...

 © Andrew Brehm 2016