4

The situation I'm trying to address is this: I'm writing an application which multiple users will have access to. Access is restricted based on Windows permissions for folders - users will be granted access to the folder containing the application if needed.

For better or worse, the application stores its data in files on the same network as the application. I don't want users to be able to edit the data directly, so I plan to restrict access to the data files.

The approach I've been trying to use is then to have a 'service user' which does have read/write access to the data, and to use impersonation within the application to 'login' as the service user, perform required read/write, and return to the original user.

I've had a few different attempts at this without luck. Perhaps the simplest/most promising is based on Mark Johnson's answer here:

How do you do Impersonation in .NET?

I use it as follows:

            using (new Impersonation(serviceAccount.Domain, serviceAccount.UserName, serviceAccount.Password))
            {
                DoImport(app);
            }

where 'DoImport(app)' performs the reading of the data.

However, this gives an error 'Access to the path '...' is denied'. I'm trying to run this locally (the path is C:...) where I've restricted access to the path for the user I'm logged into but the user I'm trying to impersonate with has access.

Is there something I'm doing wrong here? Is there a better way to achieve what I'm after?

Thanks,

Andrew

Community
  • 1
  • 1
andrewnd
  • 101
  • 1
  • 1
  • 7

3 Answers3

3

The code at the below link seems to do what I'm after:

http://www.codeproject.com/Articles/10090/A-small-C-Class-for-impersonating-a-User

I think the token duplication is the important part, but I'm not exactly sure why.

I did have a further issue doing this - any assemblies that needed to be loaded for the 'DoImport(...)' function couldn't be loaded after the impersonation, access was denied for some reason (sorry for the vagueness, I didn't have time to look into this). Ensuring they're loaded before doing the impersonation, either through some dummy function calls or code to force load (see e.g. Is there a way to force all referenced assemblies to be loaded into the app domain?) did the trick.

Community
  • 1
  • 1
andrewnd
  • 101
  • 1
  • 1
  • 7
1

The fact the user, which is logged on (or which you try to impersonate) has access rights to the files, does NOT imply, that the application, that you are running, has the rights.

Have you considered running the application under administrator rights? (You got to grant the access to the files to the application!) Or, if you use debugging and are running it from VisualStuido (or other IDE), try running the IDE under administrator rights first.

This can do the trick in most cases, however, storing the data on a drive, where the users have physical access to it is by no means something I would recommend, have you thought about different ways of storing and accessing your data? Or what are the reasons for having it this way?

jmodrak
  • 229
  • 4
  • 17
  • I don't want to grant every user of the application administrator rights (what I've outlined above is how I'm testing the impersonation, in a 'live' situation there will be other users running it), so unfortunately I can't really use that approach. The idea is that the users don't have physical access to the data, that's why I'm trying to do it by impersonation - I deny them regular access, but when they use the application it loads the data for them via the impersonation. – andrewnd Nov 20 '13 at 04:44
1

You can't gain acces to other useraccounts without Administrator rights, but have you considered to put the files in a shared folder? If you want to identify the creater/owner of the file you could use getowner. Or you could use subfolders in the shared folder. I hope this will help.

online Thomas
  • 8,864
  • 6
  • 44
  • 85
  • So it sounds like your answer is that I can't do what I'm triyng to... which is helpful, thanks. My goal is to restrict the users from accessing the files independently (say via windows explorer), so I was trying to use impersonation to access a restricted folder. – andrewnd Nov 20 '13 at 09:51