Setting Folder-Level Permissions on Team Folders
Once a Team Folder is shared, all users with access to the share will see the folder in Team Folders in the navigation panel of the user portal and all FileCloud clients such as Sync, Drive, Outlook and the Office Add-In. A user's actions on a Team Folder are generally limited by the share permissions given to them on the Team Folder. However, additional limitations may be added to the share permissions for specific users and groups in the form of folder-level permissions.
For more information on folder share permissions, read about the Private Share Permissions for Folders.
Enable folder-level permissions
- Open a browser and log in to the admin portal.
- From the left navigation panel, click Settings.
- On the Settings screen, click the Misc tab.
- On the General sub-tab, select the checkbox Apply Folder Level Security.
Apply folder-level permissions to Team Folders:
You can apply folder-level permissions to the top-level Team Folder or to its subfolders.
Here, we will demonstrate how folder-level permissions can be used to enhance share permissions on Team Folders through an example.
This example uses a common scenario, in which a top-level Team Folder stores various subfolders for the team. The entire team is given access to some of the subfolders, for example, those that contain general information. But only team members whose jobs require more secure information, such as employee ID numbers, are given access to the subfolders that contain that information.
In this example, we will give the entire Human Resources team access to the HR Files subfolder, but we will only give the users HR Manager and Jessica access to the Employee Records and Forms subfolders.
Share the top-level Team Folder with the entire group with all permissions
- From the left navigation panel, click Team Folders.
- Hover over the Team Folder (in this case Human Resources), and click the share icon.
A Share link for folder dialog box opens.
First give the entire Human Resources Group access to the Human Resources folder. - Click Allow selected users or groups, and then click the Groups tab.
- Click Add Group.
An Add Group dialog box listing your FileCloud groups opens. - Select the group (Human Resources Group) that you want to give access to the Team Folder and click Add.
- Enable all permissions to the folder for the group except Manage permission, which is not allowed for a group.
- Click OK and close the dialog box.
Restrict permissions to specific users within the group
- Open the Human Resources folder to view its subfolders.
- We want to give the users HR Manager and Jessica full access to the Employee Records and Forms subfolders. We don't want to give the other members of the team any access to these subfolders, but they will still have access to the HR Files folder.
- Hover over the Employee Records folder and click the Permissions icon.
The Manage Folder Level Security dialog box opens for the Employee Records subfolder. - Uncheck Inherit Folder Level Security.
- Click the Groups tab, then click the Add Group button and add Human Resources Group.
By default, it grants all file operation permissions. - To disable the group's access to the Employee Records folder, uncheck the boxes under the operations.
- Then click the Users tab.
- Click Add User and add only the users who you want to give access to the Employee Records folder.
- Repeat steps 3 through 8 for the Forms folder.
Now, when either HR Manager or Jessica logs in to the user portal, they see the Human Resources Team Folder and all of its subfolders: Employee Records, HR Files, and Forms.
When another member of the Human Resources group logs in, they see the Human Resources Team Folder, but only the HR Files subfolder:
Note: Top-level Team Folder permissions cannot be inherited, and the Inherit Folder Level Security checkbox does not appear for top-level Team Folders on the Manage Folder Level Security dialog box. |
Checking Effective Permissions
A user may have been assigned multiple types of permissions for a Team Folder. For example, the Team Folder shared with the user gave the user certain permissions but you may also have applied different folder-level permissions to the folder. In addition, the user may have permissions through a group it belongs to.
You can check the Team Folder's effective permissions to see the actual permissions the user has to the folder when all of these permissions are combined.
Effective permissions take into account that:
- If a user has both share and folder-level permissions to a folder, the more restrictive of the two apply.
- If a user has folder-level permissions assigned to them individually, and folder-level permissions assigned through a group they belong to, the user assigned permissions take precedence.
To check effective Team Folder permissions:
In this example, we'll check the effective permissions for the example above.
- Navigate to the Human Resources/Employee Records Team Folder and click the permissions icon (the Key icon) in its row.
The Manage Folder Level Security dialog box opens with the Security tab selected. - Click the Check Access tab.
- Enter the email or username for Jessica, one of the users we gave folder-level permissions to this folder.
- Click Check user access.
The dialog box lists Jessica's permissions.- The Folder Permissions row shows that she has all folder-level permissions to the Employee Records folder.
- In the share of the folder, Jessica's group, Human Resources, was given all but Manage permissions for the folder, which is shown in the Share permissions row.
- The more restrictive of folder-level or share permissions apply, so the Effective permissions row shows that ultimately, Jessica does not have Manage permission because she does not have it in the share.
Now let's look at the effective permissions for Aliya, another user in the Human Resources group who has not been given any user folder-level permissions to the Employee Records folder. Her group has had all folder-level permissions for the Human Resources folder removed. - The Folder permissions row shows that she has no folder-level permissions for accessing the folder.
- On the share of the folder, her group is given read, write, share, and delete permissions, so the Share permissions row shows those permissions.
- The combined permissions, which appear in the Effective permissions row, show that Aliya has no access to the folder, because her group has both folder-level and share permissions assigned, and in this case the most restrictive apply.
More Information:
FileCloud Blogs |
---|