Our current instance of Sitecore (8.2) is set up with one main website and multiple sub-websites. Each sub-website has their own set of users/roles and a folder in the media library. Initially every role has full access to every folder and you must deny certain access (write, create, rename, and delete) manually for each folder for each role. For every new folder that is put into the media library, you must then go back to all the current/older roles and update their permissions (denying the write, create, rename, and delete access) manually for each new folder.
We are looking to simplify this solution so each current/older role is denied permissions automatically for each new folder added and each new role is automatically denied permissions to all current/older folders.
How would this be possible?
Try to avoid denying access, it's not a good practice.
In a clean Sitecore install the role "Sitecore Client Authoring" is given modify permissions on all descendants of the media library root folder. If you remove this role from the root folder, all users will be denied access to all sub folders. Now you can add modify permissions (write, create, rename and delete) for each folder, only for those roles who need access to it.
Related
Using Windows Server 2008 version R2 Standard / Service Pack 1.
I have a shared folder containing the home folders of users. This is called user$.
I have the following share permissions on user$: Everyone: Read/modify
I have the following file permissions on user$:
CREATOR OWNER: Deny: Change permissions and take ownership: Subfolders and files only.
CREATOR OWNER: Allow: Everything except take ownership and change permissions: Subfolders and files only
SYSTEM: Full control: This folder, subfolders and files.
BUILTIN\Administrators: Full control: This folder, subfolders and files
Domain Users: Allow: Traverse, list, read, read attributes, read permissions, create folders: This folder only
I have applied this to the user$ share and replaced all child permissions with inheritable entries. So why do users still have permission to change permissions? Take ownership is not allowed and seems to work as expected.
The reason I need to do this is because something (still unknown) is changing the permissions in a way that makes the files inaccessible to users and messing up a lot of processes. This seems to happen randomly on a daily basis to about 5-10% of users.
Thank you.
The Owner has an implict Read and Change permission access and has precedence over Deny permissions.
Check the effective access rights of an user to the file.
I suggest you enable Permission change auditing and see what is causing the issue.
Is there a way to create or set permissions on a Google Drive folder that allows users to create or upload files to the folder, but not create additional nested folders? Ultimately I would like users to be able to add files to folders, but not change the overall folder structure.
I've been able to set the role of the user for a folder:
https://developers.google.com/drive/api/v3/reference/permissions/create
However, once I give "writer" permission to a user they are able to both upload files and create folders.
https://developers.google.com/drive/api/v3/manage-sharing
Unfortunately, the permission and role functionality combined with the structure of Drive don't allow for the ability to allow users to upload and edit files without also allowing them to change the apparent folder structure of the Drive.
As stated on the Google Drive REST API Documentation about Permission structures in Drives, a file's permission consists of four parameters:
Permission Type (user/group/domain/anyone)
Email Address accociated with the permission
Domain that has access to the permission
Role
There are only 5 assignable roles for file permissions, as can been seen in this table:
Additionally, Google Drive doesn't use a file system, and in actual fact folders in Drive are just files with MIME Type application/vnd.google-apps.folder. You can see this by querying the MIME Type of a folder ID or on the Drive Supported MIME Types reference.
I'm trying to create a project structure that has a shared folder and a private folder. Everyone has access to the shared folder and everyone in the group has access to only their private folder. Whats the best way to do this ?
According to Google Drive Files and Folder Permission you can set the level of the availability of your files and folders.
Types, roles and values: how the permissions work
Lists of permissions are available for each file and folder in Drive.
Each permission specifies a type, role, and emailAddress or domain,
permitting a level of access to a file or folder. These values work
together to limit the access appropriately. The type limits access to
a set of users. The email address and domain fields specify which
users can have access. Finally, the role gives these users the ability
to do something to the file, like read it. When combined, these
properties define a complete permission.
I have a VB.NET application that creates folder trees and sets permissions.
I want the permissions on the folders the app creates to be read only for a normal user. But I want a user to be able to create and delete files/directories within this tree that they have made.
The problem I'm running into is the files/directories the user creates have the same permissions as the parent directory (Windows umask is to copy parent dir).
So either the user has too much power and can delete folders from the tree the app made. Or the user doesn't have enough power and can't delete a file/folder they created within the app created directory tree.
I haven't been able to solve this with ACL Propagate and Inherit properties:
VB.NET app is setting restricted file permissions on a directory, which is incorrectly restricting user created files in the same directory
Any ideas or another way to attack this problem?
Thanks, Mike
I have a shared folder in my network where a lot of users access and store their documents. I'm admin of this shared folder and I've denied delete permissions for all other users.
The problem starts when a user creates a new folder and tries to rename it.
Windows says "Access denied"
I'm assuming that this might be because I've denied delete permissions for that user.
(Since Rename=Delete+CreateFolderWithNewName)
Is there any way so that I can keep the delete permissions intact, and allow the user to rename his files/folders?
Or any other workarounds?
I'm using Windows Server 2008 and NTFS file system.
As suggested, you should look into the folder design / your setup.
A kind of Work around, is to give "Delete" and "Delete subfolders and files" rights to "CREATOR OWNER", then the creator of the file or folder is able to rename (and delete) his own files/folders.
Maybe you could Schedule a nightly powershell script (not privided) which takes ownership of all files and folders, to restrict owners from future renaming/deletion of files
If they creating in the shared folder it will inherit the permissions of the shared folder. You would need to break inheritance and allow delete permissions on the sub folder to achieve what you want.
There are two managable solutions if there are alot of folders created in the root.
Write a service/application to do that for you.
Create a series of folders (perhaps person/team based) in the folder, change the permissions on them and tell users to store files in there.