Enable Folder-Level Permissions

In many sharing scenarios, administrators are required to configure granular folder permissions. This feature provides a way to allow some actions on a parent, or top-level folder, while restricting those actions on a specific sub-folder.

Folder-Level Permissions Support:

  • Interaction with share permissions to apply the most restrictive permissions
  • Allow or restrict access by specifying a user's email account
  • Folders in Managed Storage
  • Permissions can be set by the owner of the folder

Folder-Level Permissions Do Not Support:

  • Folders in Network Storage
  • Permissions set by a user other than the owner

To enable users to set folder-level permissions:

  1. In the admin portal go to Settings > Misc > General.
  2. Check the Apply Folder Level Security checkbox.
  3. Click Save.

By default, users are not allowed to set folder-level permissions, because doing so can increase the complexity of sharing and access rights.

However, administrators can allow this behavior by:

  • Customizing the default global policy, which allows all users to set folder-level permissions
  • Creating a user-specific policy, which allows one or more specific users to set folder-level permissions (this can also be used for groups)

Customize the Default Global Policy

You do not have to create a new policy to allow all users to set folder-level permissions.

You can just edit the Global Default policy. 


To grant all users the ability to set folder-level permissions:

  1. Log into the admin portal.
  2. In the left navigation pane, under SETTINGS, click Settings.
  3. On the Manage Settings screen, select the Policies tab.
  4. On the Manage Policy tab, click the Global Default Policy row, and then click the edit button.
  5. On the Policy Settings - Global Default Policy dialog, select the User Policy tab.
  6. In Allow Folder Level Security, select YES.
  7. Click Save.

Create a User-Specific Policy

You can either:

  • Create a new policy granting folder-level permission access and then add specific users to it
  • Create a policy for one specific user 

To create a policy granting rights to set folder-level permissions:

  1. Log into the admin portal.
  2. In the left navigation pane, under SETTINGS, click Settings.
  3. On the Manage Settings screen, select the Policies tab.
  4. On the Manage Policies tab, click the New policy button.
  5. In the New policy dialog, in Policy Name, type in Allow Folder Permissions or something similar, and then click Create.
  6. On the Policies tab, in the Manage Policy section, click in the row of the policy you just created.
  7. To configure the policy, click the edit policy icon.
  8. On the Policy Settings dialog, select the User Policy tab.
  9. In Allow Folder Level Security, select YES.
  10. Click Save.

To add one or more users to the policy:

  1. On the Policies tab, in the Manage Policy section, click in the row of the policy you just created.
  2. Click the manage users icon.
  3. On the Manage Policy Users dialog, in Available Users, select the user you want to grant folder-level permissions.
  4. To add the user to this policy, click the right arrow.
  5. Repeat steps 3 and 4 until you have added all the users you want.
  6. To save your changes, click Close.

These same steps can be used to add groups to the policy by clicking the manage groups icon.

Administrators can check to see which permissions are actually granted for access to a folder.

  • This is very useful when a user belongs to multiple groups or policies
  • This check can also help you troubleshoot access issues
  • This permissions check does not take into consideration any folder or file sharing permissions 

When you check for effective permissions on a folder, you will be able to see if a user has one or more of the following Folder-Level Permissions:

Permission: Description

Read:
  • Allows downloading files
  • Allows previewing files

Write:
  • Allows uploading and modifying existing files
  • Allows creating files and folders
  • Allows renaming files and folders

Delete:
  • Allows deleting files and folders

Share:
  • Allows sharing files and folders

Manage:
  • Allows managing folder-level permissions for this folder

To check a user's effective permissions:

  1. Log into the admin portal.
  2. In the left navigation pane, under MANAGE, click Folder Permissions.
  3. On the Manage Folder Permissions screen, click the row that contains the policy which allows folder-level permission.
  4. Click the edit button.
  5. On the Manage Folder Level Security dialog, select the Check Access tab.
  6. In the box next to the user icon, type in the user's email id for their FileCloud Server account.
  7. Click Check.

Once a user has the ability to set folder-level permissions, a Security tab will be available for their folders after they log in to the User Portal.

To test setting folder-level permissions, follow the steps in the User Guide for Setting Permissions on a Folder.




Example scenarios

In this scenario, an administrator gives two groups access to a folder, but only gives one group access to one of its sub-folders.

Example of giving permissions to only specific users or groups

In this example, the folder Projects in the path TeamFolder_01/TESTFILES is only shared with the groups: 

  • ProjectManagers
  • ProjectTeam

Only the group ProjectManagers is given access to the subfolder Project_0001/finance.




To accomplish this, the administrator:

  1. Shares the folder Projects with the ProjectManagers and ProjectTeam groups only.


  2. Configures permissions on the finance subfolder:

    1. Gives permission to the ProjectManagers group only.


In this scenario, an administrator sets different permissions on parent and child folders.

Example of a Sharing Scenario



In this example, Folder1 is shared with Read and Write permissions to the following users:

  • John
  • Joe
  • Jane

This means all three users can:

  • Read files in Folder1 
  • Write files in Folder1

In this example, the administrator wants to allow only John access to the subfolder Folder2, but wants to give all three users access to the subfolder Folder3.

The administrator therefore wants the folder access to be the following:

  • Folder1 - accessible to John, Joe, and Jane
  • Folder2 - accessible to John
  • Folder3 - accessible to John, Joe, and Jane

To accomplish this, the administrator:

  1. Shares Folder1 with all three users, and gives them read (view) and write (upload and delete) access.

  2. Creates folder-level security permissions for the two users who will not have access to Folder2:

    • Joe - deny all access to Folder2
    • Jane - deny all access to Folder2

When John, Joe, and Jane access the parent Folder1:

John:
  • Folder1: can see it listed and access its content
  • Folder2: can see it listed and access its content
  • Folder3: can see it listed and access its content

Joe:
  • Folder1: can see it listed and access its content
  • Folder2: cannot see it listed or access its content
  • Folder3: can see it listed and access its content

Jane:
  • Folder1: can see it listed and access its content
  • Folder2: cannot see it listed or access its content
  • Folder3: can see it listed and access its content

How a user sets folder permissions

Once a user is permitted to set folder-level permissions, they can select a folder's checkbox, click the Security tab in the right panel, and then click Manage Security to open the Manage Folder Level Security dialog.

They can then add users and select one or more of the following folder-level permissions:

Permission: Description

Read:
  • Allows downloading files
  • Allows previewing files

Write:
  • Allows uploading and modifying existing files
  • Allows creating files and folders
  • Allows renaming files and folders

Delete:
  • Allows deleting files and folders

Share:
  • Allows sharing files and folders

Manage:
  • Allows managing folder-level permissions for this folder

See Set Permissions on Folders in the User Dashboard for more information.

Permission inheritance

In general, a folder can be in one of the following states:

  • The child, or sub-folder has all of the same permissions as its parent folder
  • The child, or sub-folder has all of the same permissions as its parent folder, plus additional permissions
  • The child, or sub-folder has all of the same permissions as its parent, minus additional permissions
  • The child, or sub-folder's permissions are not connected in any way to the parent folder and the sub-folder retains a separate set of permissions

When setting folder-level permissions in FileCloud, you have the following options:

Option: Description

  • Inherit Permissions: Permissions set in this folder are exactly the same as the top level folder's permissions
  • Don't Inherit Permissions: Permissions set in this folder don't inherit from any top level folder's permissions and are specific to only this folder

Permission hierarchy

Folder-level permissions are evaluated in the following order:

  1. User's folder-level permissions for current folder (if it exists)
  2. Group's folder-level permissions for current folder (if it exists)
  3. Inherit permissions

    1. If enabled, a search is continued along all parent paths until either:

      - user's folder level permission is set for any parent folder

      - group's folder level permission is set for any parent folder

When a user belongs to multiple groups and each group has conflicting permissions, the effective permissions will be a composite of the permissions provided to each group.

For example: Jane belongs to Group1 and Group2.

  • Group1 has Read permission on FolderA
  • Group2 has Read and Write permissions on FolderA

Jane's effective permissions for FolderA are Read and Write.
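
The following added sketch (not FileCloud code) models the evaluation order above and replays this page's Group1/Group2 example and the John, Joe, and Jane sharing scenario. The data layout, function names, inheritance being on by default, and treating "most restrictive" as the intersection of share and folder-level permissions are assumptions of the sketch.

```python
from pathlib import PurePosixPath

# Constructed sample data. Layout (an assumption of this sketch):
# ACL[path] = {"inherit": bool, "users": {...}, "groups": {...}}
# An empty permission set models "deny all access".
GROUPS_OF = {"jane": {"Group1", "Group2"}}
ACL = {
    "FolderA": {"groups": {"Group1": {"read"}, "Group2": {"read", "write"}}},
    "Folder1/Folder2": {"users": {"joe": set(), "jane": set()}},
    "FolderA/isolated": {"inherit": False},
}
SHARES = {"Folder1": {u: {"read", "write"} for u in ("john", "joe", "jane")}}


def folder_level(user, path, acl=ACL, groups_of=GROUPS_OF):
    """Walk the documented order; None means no folder-level rule applies."""
    node = PurePosixPath(path)
    while True:
        entry = acl.get(str(node), {})
        # 1. The user's own entry on the current folder, if it exists.
        if user in entry.get("users", {}):
            return frozenset(entry["users"][user])
        # 2. Group entries; several matching groups combine into a composite.
        matched = [perms for group, perms in entry.get("groups", {}).items()
                   if group in groups_of.get(user, ())]
        if matched:
            return frozenset().union(*matched)
        # 3. Keep searching parent folders only while inheritance is enabled.
        if not entry.get("inherit", True) or node == node.parent:
            return None
        node = node.parent


def access(user, share_root, path):
    """Apply the most restrictive of share and folder-level permissions."""
    shared = frozenset(SHARES.get(share_root, {}).get(user, ()))
    rule = folder_level(user, path)
    return shared if rule is None else shared & rule


if __name__ == "__main__":
    for user in ("john", "joe", "jane"):
        for sub in ("Folder1", "Folder1/Folder2", "Folder1/Folder3"):
            print(user, sub, sorted(access(user, "Folder1", sub)))
    print("jane FolderA", sorted(folder_level("jane", "FolderA")))
```

Comparing this model's output with the Check Access tab for the same user and folder is a quick way to spot a group membership or inherited entry you did not expect.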