From 17bcf9d4fb83c9d8e04b22faaa4be9ec3cdd2cb9 Mon Sep 17 00:00:00 2001
From: Meik <meik.drechsler@consulting4it.de>
Date: Sun, 29 Mar 2026 23:16:56 +0200
Subject: [PATCH] Gate NTFS share ensure behind config

---
 LiamNtfs/C4IT.LIAM.Ntfs.cs                    | 12 ++++++++++--
 LiamWorkflowActivities/LiamWorkflowRuntime.cs |  6 +++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/LiamNtfs/C4IT.LIAM.Ntfs.cs b/LiamNtfs/C4IT.LIAM.Ntfs.cs
index ea8d3d1..1a6139f 100644
--- a/LiamNtfs/C4IT.LIAM.Ntfs.cs
+++ b/LiamNtfs/C4IT.LIAM.Ntfs.cs
@@ -893,16 +893,24 @@ namespace C4IT.LIAM
             IEnumerable<string> ownerSids,
             IEnumerable<string> readerSids,
             IEnumerable<string> writerSids,
+            bool allowSharePathEnsure = false,
             bool ensureTraverseGroups = false,
             bool whatIf = false)
         {
             var classification = ClassifyPath(folderPath);
-            if (!IsSupportedPermissionManagedPathKind(classification, eNtfsPathKind.Folder, eNtfsPathKind.ClassicShare, eNtfsPathKind.DfsLink))
+            var allowShareKinds = allowSharePathEnsure;
+            if (!IsSupportedPermissionManagedPathKind(
+                classification,
+                allowShareKinds
+                    ? new[] { eNtfsPathKind.Folder, eNtfsPathKind.ClassicShare, eNtfsPathKind.DfsLink }
+                    : new[] { eNtfsPathKind.Folder }))
             {
                 return Task.FromResult(new ResultToken(System.Reflection.MethodBase.GetCurrentMethod().ToString())
                 {
                     resultErrorId = 30008,
-                    resultMessage = $"NTFS permission ensure is only supported for folder and share paths. DFS namespaces and server roots are skipped: {folderPath}"
+                    resultMessage = allowShareKinds
+                        ? $"NTFS permission ensure is only supported for folder and share paths. DFS namespaces and server roots are skipped: {folderPath}"
+                        : $"NTFS permission ensure is only supported for folder paths unless share support is explicitly enabled. Shares, DFS namespaces and server roots are skipped: {folderPath}"
                 });
             }
 
diff --git a/LiamWorkflowActivities/LiamWorkflowRuntime.cs b/LiamWorkflowActivities/LiamWorkflowRuntime.cs
index 0af5c1e..a30b553 100644
--- a/LiamWorkflowActivities/LiamWorkflowRuntime.cs
+++ b/LiamWorkflowActivities/LiamWorkflowRuntime.cs
@@ -198,12 +198,14 @@ namespace LiamWorkflowActivities
                 return result;
             }
 
+            var allowSharePathEnsure = IsAdditionalConfigurationEnabled(provider, "EnsureNtfsPermissionGroupsForShares");
             var token = await ntfsProvider.EnsureMissingPermissionGroupsAsync(
                 folderPath,
                 customTags,
                 NormalizeIdentifierList(ownerSids),
                 NormalizeIdentifierList(readerSids),
                 NormalizeIdentifierList(writerSids),
+                allowSharePathEnsure,
                 ensureTraverseGroups,
                 IsWorkflowWhatIfEnabled(provider));
             if (token == null)
@@ -420,8 +422,9 @@ namespace LiamWorkflowActivities
             if (!IsAdditionalConfigurationEnabled(provider, "EnsureNtfsPermissionGroups"))
                 return true;
 
+            var allowSharePathEnsure = IsAdditionalConfigurationEnabled(provider, "EnsureNtfsPermissionGroupsForShares");
             foreach (var ntfsArea in dataAreas
-                .Where(dataArea => dataArea is cLiamNtfsFolder || dataArea is cLiamNtfsShare)
+                .Where(dataArea => dataArea is cLiamNtfsFolder || allowSharePathEnsure && dataArea is cLiamNtfsShare)
                 .Cast<cLiamNtfsPermissionDataAreaBase>())
             {
                 var folderPath = ntfsArea.TechnicalName;
@@ -440,6 +443,7 @@ namespace LiamWorkflowActivities
                     null,
                     null,
                     null,
+                    allowSharePathEnsure,
                     false,
                     simulateOnly);
                 if (ensureResult == null)