How Folder-Level Permissions and Share Permissions Work Together

Permission rules: How permissions interact

  • Whichever is more restrictive, share permissions or folder-level permissions, apply.
  • Inheritance of folder-level permissions is turned on by default for all folders and sub-folders.
    • Subfolders inherit the folder-level permissions of their immediate parent folders. 
    • If you manually turn off inheritance for a folder, its subfolders still have inheritance turned on.
  • In a share, greatest share permissions given to a user or the user's group apply.
  • In folder-level permissions, user permissions override permissions of a group the user is in.
  • When a user belongs to multiple groups with conflicting permissions, the effective permissions are the enabled permissions from all their groups combined.
The following examples illustrate the above permission rules using these components:

Group:
Sales Group 
         Members:
         SalesUser1
         SalesUser2

Folder:
Accounts
     Subfolder:
     MillerAcct


Example 1: 
The more restrictive of folder-level and share permissions apply.

  • The Sales Group is given the folder-level permissions read, write, share, delete, and manage to the Team Folder Accounts.
  • The Sales Group has share permissions read, write, and share to the Team Folder Accounts.
  • SalesUser1's effective (actual) permissions to the Team Folder Accounts are read, write, and share.



Example 2:

The more restrictive of folder-level and share permissions apply. 
User folder-level permissions supersede group folder-level permissions.

  • The Sales Group is given the folder-level permissions read, write, share, delete, and manage to the Team Folder Accounts.
  • The Sales Group has share permissions read, write, and share to the Team Folder Accounts.
  • SalesUser1 is given read folder-level permission to the Team Folder Accounts.
  • SalesUser1's effective (actual) permission to the Team Folder Accounts is read.
  • SalesUser2's effective (actual) permissions to the Team Folder Accounts are read, write, and share.






Example 3:

The more restrictive of folder-level and share permissions apply. 
In a share, greatest share permissions given to a user or the user's group apply.

  • The Sales Group is given the folder-level permissions read, write, share, delete, and manage to the Team Folder Accounts.
  • The Sales Group has the share permissions read, write, and share to the Team Folder Accounts.
  • SalesUser1 has all share permissions to the Team Folder Accounts.
  • SalesUser1's effective (actual) permissions to the Team Folder Accounts are all permissions.
  • SalesUser2's effective (actual) permissions to the Team Folder Accounts are read, write, and share.






Example 4:

By default, subfolders inherit the permissions of their parent folders.
User folder-level permissions supersede group folder-level permissions.

  • The Sales Group is given the folder-level permissions read, write, and share to the Team Folder Accounts.
  • The Sales Group has the share permissions read, write, and share to the Team Folder Accounts.

  • The Team Folder MillerAcct inherits the permissions from the Team Folder Accounts.
  • SalesUser1 is given the folder-permission read to the Team Folder MillerAcct.
  • SalesUser1's effective (actual) permission to the Team Folder MillerAcct is read permission.
  • SalesUser2's effective (actual) permissions to the Team Folder MillerAcct are read, write, and share.





Example 5:
By default, subfolders inherit the permissions of their parent folders.
In a share, greatest share permissions given to a user or the user's group apply.

  • The Sales Group is given the folder-level permissions read, write, and share to the Team Folder Accounts.
  • The Sales Group has the share permissions read, write, and share to the Team Folder Accounts.

  • The Team Folder MillerAcct inherits the permissions from the Team Folder Accounts.
  • SalesUser1 is given the share permission read to the Team Folder MillerAcct
  • SalesUser1's effective (actual) permissions to the Team Folder MillerAcct are read, write, and share permission.
  • SalesUser2's effective (actual) permissions to the Team Folder MillerAcct are read, write, and share permission.




How folder permissions affect copy and move actions

In some cases, combined share and folder-level permissions on folders limit whether copy and move for files or folders and copy file or folder and move file or folder in automated (user) workflows are permitted. In the scenarios in the following table, copy and move or move only is not allowed, and if you attempt to perform the action an error message is returned.


1View-NOT allowedNOT allowed
2View+Download-allowedNOT allowed
3ViewReadNOT allowedNOT allowed
4View+DownloadReadallowedNOT allowed