Enable Folder-Level Permissions
In many sharing scenarios, administrators are required to configure granular folder permissions. This feature provides a way to allow some actions on a parent, or top-level folder, while restricting those actions on a specific sub-folder.
Folder-Level Permissions Support | Folder-Level Permissions Do Not Support |
---|---|
Interaction with share permissions to apply the most restrictive permissions Allow or restrict access by specifying a user's email account Folders in Managed Storage Permissions can be set by the owner of the folder | Folders in Network Storage Permissions set by a user other than the owner |
To enable users to set folder-level permissions:
To enable users to set folder-level permissions:
- In the admin portal go to Settings > Misc > General.
- Check the Apply Folder Level Security checkbox.
- Click Save.
By default, users are not allowed to set folder-level permissions, as it can increase complexity of sharing and access rights.
However, administrators can allow this behavior by:
- Customizing the default global policy - which allows all users to set folder level permissions
- Creating a user-specific policy - which allows a specific user(s) to set folder level permissions (this can also be used for groups)
Customize the Default Global Policy
You do not have to create a new policy to allow all users to set folder-level permissions.
You can just edit the Global Default policy.
To grant all users the ability to set folder-level permissions:
- Log into the admin portal.
- In the left navigation pane, under SETTINGS, click Settings.
- On the Manage Settings screen, select the Policies tab.
- On the Manage Policy tab, click the Global Default Policy row, and then click the edit button ().
- On the Policy Settings- Global Default Policy dialog, select the User Policy tab.
- In Allow Folder Level Security, select YES.
- Click Save.
Create a User-Specific PolicyYou can either:
To create a policy granting rights to set folder-level permissions:
To add one or more users to the policy:
These same steps can be used to add Groups to the policy by clicking on the manage groups icon (). |
Administrators can check to see which permissions are actually granted for access to a folder.
- This is very useful when a user belongs to multiple groups or policies
- This check can also help you troubleshoot access issues
- This permissions check does not take into consideration any folder or file sharing permissions
When you check for effective permissions on a folder, you will be able to see if a user has one or more of the following Folder-Level Permissions:
Permission | Description |
---|---|
Read |
|
Write |
|
Delete |
|
Share |
|
Manage |
|
To check a user's effective permissions:
- Log into the admin portal.
- In the left navigation pane, under MANAGE, click Folder Permissions.
- On the Manage Folder Permissions screen, click the row that contains the policy which allows folder-level permission.
- Click the edit button ().
- On the Manage Folder Level Security dialog, select the Check Access tab.
- In the box next to the user icon (), type in the user's email id for their FileCloud Server account.
- Click Check.
Once a user has the ability to set folder level permissions, after logging in to the User Portal, a security tab will be available for their folders.
To test setting folder-level permissions, follow the steps in the User Guide for Setting Permissions on a Folder.
Example scenarios
In this scenario, an administrator gives two groups access to a folder, but only gives one group access to one of its sub-folders.
Example of giving permissions to only specific users or groups |
---|
In this example, the folder Projects in the path TeamFolder_01/TESTFILES is only shared with the groups:
Only the group ProjectManagers is given access to the subfolder Project_0001/finance. |
|
In this scenario, an administrator sets different permissions on parent and child folders.
Example of a Sharing Scenario | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
In this example, Folder1 is shared with Read and Write permissions to the following users:
This means all three users can:
In this example, the administrator wants allow only John access to the subfolder, Folder2, but wants to give all three users access to the subfolder, Folder3. The administrator therefore wants the folder access to be the following:
| ||||||||||||||||
To accomplish this, the administrator:
When John, Joe, and Jane access the parent Folder1:
|
How a user sets folder permissions
Once a user is permitted to set folder-level permissions, they can select a folder's checkbox and click the Security tab in the right panel and click Manage Security to open the Manage Folder Level Security checkbox.
They can then add users and select one or more of the following folder-level permissions:
Permission | Description |
---|---|
Read |
|
Write |
|
Delete |
|
Share |
|
Manage |
|
See Set Permissions on Folders in the User Dashboard for more information.
Permission inheritance
In general, a folder can be in one of the following states:
- The child, or sub-folder has all of the same permissions as its parent folder
- The child, or sub-folder has all of the same permissions as its parent folder, plus additional permissions
- The child, or sub-folder has all of the same permissions as its parent, minus additional permissions
- The child, or sub-folder's permissions are not connected in any way to the parent folder and the sub-folder retains a seperate set of permissions
When setting folder-level permissions in FileCloud, you have the following options:
Option | Description |
---|---|
Inherit Permissions | Permissions set in this folder are exactly the same as the top level folder's permissions |
Don't Inherit Permissions | Permissions set in this folder don't inherit from any top level folder's permissions and are specific to only this folder |
Permission hierarchy
Folder-level permissions are evaluated in the following order:
- User's folder-level permissions for current folder (if it exists)
- Group's folder-level permissions for current folder (if it exists)
Inherit permissions
If enabled, a search is continued along all parent paths until either:
- user's folder level permission is set for any parent folder
- group's folder level permission is set for any parent folder
When a user belongs to multiple groups and each group has conflicting permissions, the effective permissions will be a composite of the permissions provided to each group.
For example: Jane belongs to Group1 and Group2.
- Group1 has Read permission on FolderA
- Group2 has Read and Write permissions on FolderA
Jane's effective permissions for FolderA are Read and Write.