Description
Expectation
Multiple ACL entries should be created / replaced based on the Identity & Apply-To scope.
Observation
The ACL for the Identity is replaced, even if the Apply-To scope is different. This prevents layering, such as allowing ListDirectory (directory/container) while preventing ReadData (ie. prevent reading files created by other people).
Reproduction:
Create C:\X and remove all inherited permissions. Authenticated Users here is just a stub ACL.
Grant permission for ReadAttributes (applies to files and folders):
PS> Grant-CPermission -Path C:\X -Identity 'SYSTEM' -Permission 'ReadAttributes' -PassThru
Rights Type IdentityReference IsInherited InheritanceFlags PropagationFlags
------ ---- ----------------- ----------- ---------------- ----------------
ReadAttributes, Synchronize Allow NT AUTHORITY\SYSTEM False ContainerInherit, ObjectInherit None
Grant permission to ListDirectory (only on folders):
PS> Grant-CPermission -Path C:\X -Identity 'SYSTEM' -ApplyTo ContainerAndSubContainers -Permission 'ListDirectory' -PassThru
Rights Type IdentityReference IsInherited InheritanceFlags PropagationFlags
------ ---- ----------------- ----------- ---------------- ----------------
ReadData, Synchronize Allow NT AUTHORITY\SYSTEM False ContainerInherit None
The previous ReadAttributes have been replaced, even though they apply to a different scope.
I would expect that different scopes / 'Apply To' would represent different ACL entries.
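Added example (not from the issue author or the Carbon project) showing the layering the report expects, done directly against the .NET ACL API and followed by a check that both entries survived. It assumes a scratch directory C:\X-demo and that -ApplyTo ContainerAndSubContainers corresponds to InheritanceFlags ContainerInherit with PropagationFlags None, as the second output listing above shows.

```powershell
# Added example: two ACEs for the same identity with different inheritance scopes.
# Scratch path is an assumption; SYSTEM is referenced by its well-known SID.
$path = 'C:\X-demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

$acl = Get-Acl -Path $path
# Stop inheriting from the parent and drop the inherited entries (isProtected, preserveInheritance).
$acl.SetAccessRuleProtection($true, $false)

$sid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')  # NT AUTHORITY\SYSTEM

# ACE 1: ReadAttributes on the folder, its subfolders and its files.
$readAttrs = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::ReadAttributes,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# ACE 2: ListDirectory on the folder and subfolders only (no ObjectInherit), so files
# created underneath do not pick up ReadData from this entry.
$listDir = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::ListDirectory,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# AddAccessRule only merges rules whose identity, type and inheritance flags all match;
# these two differ in flags, so the DACL keeps them as separate entries.
$acl.AddAccessRule($readAttrs)
$acl.AddAccessRule($listDir)
Set-Acl -Path $path -AclObject $acl

# Check: list the explicit (non-inherited) entries for the identity with their scopes.
# A tool that replaces by identity alone leaves one line here; the API call above leaves two.
function Get-ExplicitAceScopes {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    $rules |
        Where-Object { $_.IdentityReference -eq $Sid } |
        ForEach-Object { '{0} [{1}]' -f $_.FileSystemRights, $_.InheritanceFlags }
}
Get-ExplicitAceScopes -Path $path -Sid $sid
```

Running the check after a Grant-CPermission call with a second -ApplyTo scope makes the behaviour in the report visible as a single surviving line rather than two.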