Why does the group EVERYONE need to have permissions on the Company Home folder in Alfresco - permissions

As soon as I take away EVERYONE from the root folder (Company Home) in Alfresco, some custom webscripts stop working and respond that this folder cannot be found. I would like to give a subset of EVERYONE (e.g. GROUP_A) permission from the root folder down. The "normal" usage of Alfresco through Share keeps working when I do just that; only the webscripts give me some trouble. There are answers like this one:
Alfresco openCMIS connect to home folder
But that's just a workaround. Maybe some kind of system user needs to have permissions on the root folder?
I think this is a similar question: Alfresco webscript can't find Company Home folder

The clearest answer (depending on which version you are on) is that the webscripts, CMIS & Java code need to know the path of the node you are in.
In previous Alfresco versions, even in Share, a user needs to have Consumer rights on the parent folder; otherwise the breadcrumb would fail to load, along with other issues.
In 4.2.x, if you retrieve a document/folder and you as a user don't have rights on one of the parent folders, the OpenCMIS code breaks. This will/should also happen on some webscripts.
A user needs rights on the template folders within Data Dictionary, so it's good to keep the EVERYONE group on Data Dictionary.

Related

Azure DevOps - Missing changesets locally

I have a "Root" project that has both a TFVC "repo" and some Git repos. Using VS2019 and a folder in the TFVC path, I added a new subfolder and added some files into the new folder. I checked them in. Made some file changes and checked them in. In VS2019, checking the history at the root shows changesets for everything not related to my new folder. A find on changeset 17 shows nothing.
If I go to the portal, I can see the changesets there in the Contents tab. They have my name on them. However, I do not have permission to see the changeset details. There is no history in the History tab. I created the organization and I'm the admin.
I can get the history and changeset details in another folder in the same parent folder.
Any idea what I'm doing wrong?
Okay, found the issue - PEBKAC. I created a vendor group with access only to the folder for the project the vendor is working on. In TFS this can be a pain because they need read access to traverse the folder path to their folder. I granted the group access at the root. Then I denied read access on every sub-folder below the root except for the one the vendor requires. It appears that I, as the administrator of the group, got added to the group automatically...and the deny took precedence. After I removed myself from the group I had access again.
Deny is always something to be avoided if at all possible because it takes precedence. I don't know how to avoid it. Just glad I did deny myself access to fix it - hope that's not possible as the org owner.
The oddity of having access to some folders and not others was because I had not completed setting the deny read in those folders.

How can I know the details of the user who deleted files in my shared folder in Windows 8

Recently I created a shared folder (in Windows 8) in my organization where everyone has to submit their work. But later I found someone deleting other people's files.
From now on I want to keep an eye on the shared folder. Is there any way to save logs for shared folders? I tried using the Windows event logs but I am not able to find what I want. Please, someone help me.
Windows may log certain authentication events in the Security event-log, however this will only contain useful information if you used local user accounts and gave each person their own local user account (but if you did that, you could prevent them from deleting each others' files).
However Windows does not log SMB share file activity. The Shares list in MMC/Computer Management only lists currently active/open shares too.
All I can suggest is to avoid this from happening in future by either tightening security by creating user-accounts for each person and giving them their own shared directory which only they (and you) have write-access to. Another alternative is to have a program running in the background on your computer that monitors the shared folder for new files and when it detects a file has been placed it moves it away to an inaccessible directory elsewhere.
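The background program suggested in the answer above could look like the following sketch. It is an added example, not code from the original post: the folder paths and the `sweep` helper are hypothetical, and it polls rather than using a change-notification API. A file is moved only after its size and modification time are identical on two consecutive passes, so an upload that is still in progress is not cut off.

```python
import hashlib
import shutil
import time
from pathlib import Path


def sweep(inbox: Path, vault: Path, seen: dict) -> list:
    """One polling pass over the share.

    A file is moved only when its size and mtime match the previous pass,
    so an upload that is still being written is left alone for now.
    Returns (original name, new path, sha256) for each file moved.
    """
    moved, pending = [], {}
    for entry in inbox.iterdir():
        if not entry.is_file():
            continue
        st = entry.stat()
        sig = (st.st_size, st.st_mtime_ns)
        if seen.get(entry.name) != sig:
            pending[entry.name] = sig      # new or still changing: recheck next pass
            continue
        try:
            digest = hashlib.sha256(entry.read_bytes()).hexdigest()
            stamp = time.strftime("%Y%m%dT%H%M%S")
            dest = vault / f"{stamp}_{digest[:12]}_{entry.name}"
            shutil.move(str(entry), str(dest))
        except OSError:                    # e.g. still locked by the uploader
            pending[entry.name] = sig
            continue
        moved.append((entry.name, dest, digest))
    seen.clear()
    seen.update(pending)
    return moved


if __name__ == "__main__":
    # Hypothetical paths: the shared folder and a directory share users cannot reach.
    inbox, vault = Path(r"D:\Shares\Submissions"), Path(r"D:\Vault\Submissions")
    vault.mkdir(parents=True, exist_ok=True)
    state = {}
    while True:
        for name, dest, digest in sweep(inbox, vault, state):
            print(f"{time.ctime()} moved {name} -> {dest} sha256={digest}")
        time.sleep(5)
```

The timestamp and hash prefix in the stored name keep two submissions with the same filename from overwriting each other and give a record of what arrived and when.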

Is there an equivalent to umask for Windows, or another solution?

I have a VB.NET application that creates folder trees and sets permissions.
I want the permissions on the folders the app creates to be read only for a normal user. But I want a user to be able to create and delete files/directories within this tree that they have made.
The problem I'm running into is the files/directories the user creates have the same permissions as the parent directory (Windows umask is to copy parent dir).
So either the user has too much power and can delete folders from the tree the app made. Or the user doesn't have enough power and can't delete a file/folder they created within the app created directory tree.
I haven't been able to solve this with ACL Propagate and Inherit properties:
VB.NET app is setting restricted file permissions on a directory, which is incorrectly restricting user created files in the same directory
Any ideas or another way to attack this problem?
Thanks, Mike

Joomla Permissions

I am new to Joomla and have been given the task of supporting a site that was created in Joomla 1.5.25. They keep getting errors that files are not writable. They also can't add or delete anything to and from the media manager, even in a Super Administrator account. I was able to override these errors by changing folder permissions from 755 (Joomla's recommended permission set) to 777, but was wondering if there is a better way of going about this (I don't want to leave a security hole on their site with the 777 permission set). From what I have read in my research, Joomla permission requirements can vary based on your hosting company, so I want to get other people's input before I give my hosting company a call.
On a side note, is there a way of getting the error messages to display longer than 2 seconds?
Why don't you try changing the permissions only to the folders that are written to temporarily? Another solution is to find out under which user apache is running and make sure that user is the owner or at least in a group that owns your Joomla! directory.
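To check the ownership point made in the answer above, the following added example (not part of the original thread) walks a site tree, lists everything left world-writable by a 777-style change, and reports which directories the web server account cannot write to through its owner or group bits. The directory names `images`, `cache`, `tmp` and `logs` are assumptions about which folders the site writes to, and the check reads POSIX mode bits only (no ACLs).

```python
import os
import pwd
import stat
import sys
from pathlib import Path


def can_write(st, uid, gids):
    """POSIX class selection: owner bits if uid owns it, else group bits, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(root, web_uid, web_gids, must_write):
    """Return (world-writable paths, directories the web user cannot write to)."""
    root = Path(root)
    world_writable, blocked = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue                   # symlink modes are not meaningful
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(str(path.relative_to(root)))
    for rel in must_write:
        target = root / rel
        if target.exists() and not can_write(target.stat(), web_uid, web_gids):
            blocked.append(rel)
    return sorted(world_writable), blocked


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: audit.py <site_root> <web_server_user>
    pw = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    # Assumed list of directories the site needs to write to.
    ww, blocked = audit(sys.argv[1], pw.pw_uid, gids, ["images", "cache", "tmp", "logs"])
    print("world-writable:", ww)
    print("not writable by web user:", blocked)
```

An empty first list together with an empty second list means the web server can write where it needs to without any path being open to every local account.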

Understanding IIS6 permissions, ACL, and identity--how can I restrict access?

When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.
The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.
The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?
Google search turns up bits and pieces but never the whole story.
what user account is relevant for [..] file read/write/execute access
As a rule: Always the user account the application/page runs under.
The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.
If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.
Process Monitor from Microsoft is a great tool to track down subtleties like this one.
A bit more searching reveals that the IWAM user isn't that well documented and we should stick with NETWORK SERVICE or a manually-supplied identity if we want to specify permissions for that user.