Access control is an essential element of data security that determines who has access to certain data, apps, and resources and in what situation. Controlling access keeps confidential information, such as customer data and intellectual property, from being stolen by unauthorized users. Most organizations use identity and access management solutions to implement access control policies rather than manage permissions manually.
An ACL, or Access Control List, is a data structure that specifies the permissions and security settings associated with a particular object, such as a file, folder, or network resource. It specifies which users have access to folders and files on file servers and the actions that they can perform on those objects, i.e. read, write, execute, modify or full access.
Permissions should be assigned using the principle of least privilege whereby users are given the bare minimum access they require to do their job. Setting permissions in this way and monitoring them regularly is critical to data security in a Windows file system.
ACL share permissions can be listed using PowerShell. However, there is a more straightforward way to gain visibility over your access control list configuration without any PowerShell scripting: the Lepide Data Security Platform.
In this article we will look first at how to use the PowerShell Get-ACL cmdlet to list ACL share permissions and will then look at using the Lepide Data Security Platform. The Lepide Solution includes several pre-defined permissions reports which can be run without needing any expertise in PowerShell.
What is Get-ACL?
Get-ACL is the PowerShell cmdlet used to list ACL share permissions. It is an invaluable tool for viewing and managing permissions on files, folders, and registry keys. It retrieves the ACL information for a specified file or folder object and this object can be at a local or network location. The ACL contains a list of Access Control Entries (ACEs) that define the permissions associated with the object.
The syntax for Get-ACL is as follows:
Get-ACL -Path C:\Path\To\FileOrFolder
How to Use Get-ACL for folders and subfolders?
Follow the steps below:
- Open the PowerShell ISE and create a new script using the following code:
$path = "\\pdc\Shared\Finance"    # path to the shared folder
$reportpath = "C:\data\ACL.csv"   # path for the exported permissions report
# Scan every folder under the shared folder and collect its ACL entries (ACEs);
# each ACE gets a FolderPath column naming the folder it belongs to
Get-ChildItem -Recurse $path | Where-Object { $_.PsIsContainer } | ForEach-Object {
    $path1 = $_.FullName
    (Get-Acl $path1).Access | Add-Member -MemberType NoteProperty -Name 'FolderPath' -Value $path1 -PassThru
} | Export-Csv $reportpath -NoTypeInformation
- Specify the path to the required folder and the path where the results should be saved
- Run the script
- Open the file created by the script in Microsoft Excel
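Instead of reading the CSV by eye in Excel, the report can be filtered for entries that conflict with the principle of least privilege described earlier. The following is an added example, not part of the original script or the Lepide product: the function name Find-BroadAce, the FolderPath column name, the CONTOSO domain and the sample rows are all assumptions made for illustration.

```powershell
# Constructed sample rows; in practice use: $report = Import-Csv C:\data\ACL.csv
$report = @'
"FileSystemRights","AccessControlType","IdentityReference","IsInherited","FolderPath"
"FullControl","Allow","Everyone","False","\\pdc\Shared\Finance\Payroll"
"ReadAndExecute, Synchronize","Allow","CONTOSO\Finance-Readers","True","\\pdc\Shared\Finance\Payroll"
"Modify, Synchronize","Allow","BUILTIN\Users","True","\\pdc\Shared\Finance\Invoices"
"FullControl","Allow","BUILTIN\Administrators","True","\\pdc\Shared\Finance\Invoices"
"Write","Deny","Everyone","False","\\pdc\Shared\Finance\Archive"
"268435456","Allow","NT AUTHORITY\Authenticated Users","True","\\pdc\Shared\Finance\Archive"
'@ | ConvertFrom-Csv

function Find-BroadAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        [string]   $PathColumn = 'FolderPath',   # assumed name of the folder column in the report
        [string[]] $BroadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                        'BUILTIN\Users', 'CONTOSO\Domain Users')   # CONTOSO is a placeholder
    )
    begin {
        # Rights that let the holder change data or permissions
        $named = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
        # Get-Acl can also report raw generic rights as numbers: GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000)
        $mask = $named -bor 0x10000000 -bor 0x40000000
    }
    process {
        if ($Ace.AccessControlType -ne 'Allow') { return }                   # Deny entries only restrict access
        if ($BroadIdentities -notcontains $Ace.IdentityReference) { return } # named groups are reviewed separately
        # Parses both names ("Modify, Synchronize") and numeric strings ("268435456")
        $rights = [System.Security.AccessControl.FileSystemRights]$Ace.FileSystemRights
        if (([int]$rights -band $mask) -eq 0) { return }                     # read-only access is not flagged
        [pscustomobject]@{
            Folder    = $Ace.$PathColumn
            Identity  = $Ace.IdentityReference
            Rights    = $rights
            Inherited = $Ace.IsInherited
        }
    }
}

# Lists the Everyone, BUILTIN\Users and Authenticated Users entries that grant write-level access
$report | Find-BroadAce | Sort-Object Folder | Format-Table -AutoSize
```

Entries with Inherited set to False were set directly on that folder; inherited ones need to be corrected on the parent where the permission originates.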
How Lepide Data Security Platform Helps
The Lepide Solution provides a straightforward way to list all permissions for objects using the Permissions by Object Report. This report is one of hundreds of pre-defined reports included within the Lepide Data Security Platform and an example is given below:

To run this report:
- Select Lepide Trust, Reports
- From here, expand Current Permission Analysis
- Select the Permissions by Object Report
- Select Generate Report
- Expand the required folder to see related permissions
The report is generated and can be filtered, sorted and exported to CSV and PDF format.