How to restrict access to just Files, not Folders

[Guest]

I want to restrict access to users to be able to create, delete, modify
files, but not folders.
The security options are not granular enough that I can tell.
If I unselect Delete Subfolders and Files AND Delete, then folders cannot be
deleted, but either can files.
If I unselect just Delete Subfolders and Files, and leave Delete, then both
can be deleted. Same is true if just Delete Subfolders and Files is selected.

Any recommendations is requested and appreciated.

Thank you.

Tom Gibson

 

[Guest]

Did you use the "Apply onto:" drop down option to match the target object
such as:

"This folder only"
"This folder, subfolders and files"
"This folder and subfolders"
"This folder and files"
etc.

Another option "Apply these permissions to objects and/or containers within
this container only" may help as well (found at bottom of the same
permissions entry dialog box).

Do let us know if this helps. Thanks!

 

[Roger Abell]

Tom,
As Desmond has indicated you must use the selector in the
advanced editing view to set an ACE of modify so that it
applies to Files Only.
All of the security bits have meaning that can differ slightly
depending on whether an object (file) or container (folder)
is being considered. That is why you find that the same
checkbox is titled such as Delete Subfolders and Files
and it will have that effect as long as the ACE is set to
Apply to Subfolders and files or This folder, subfolders,
and files. If you need only the file interpretation then you
must set it so that it does not apply to folders.

 

[Steven L Umbach]

This should work. On the main security page give the group read/list/execute
to the folder. Then go into "advanced" permissions and add the group again.
Then select "folder and subfolder" in the apply onto box and check all the
permissions other than full control and change permissions. What many seem
to miss is that a user or group can be listed multiple times in advanced
permissions. --- Steve

 

[Guest]

to all: thanks for the quick responses.
I had selected the constraint of Files only, but then my users were not
permitted to traverse any subfolders.

I had missed the fact that users could be listed in the Advanced page more
than once. I shall have to try that.

My solution:
Authenticated Users: Traverse Folder / List access - This folder, subfolders
and files
Folder Admins: Modify - This folder, subfolders and files
Folder Users: Modify - Files only

Then I reset it for all objects below.
Now, when for each folder, the files have the permissions required. A user
can add, delete, modify any files. But to traverse the folders, they are
using the Authenticated Users permissions.

Thanks

 

[Steven L Umbach]

It looks like you pretty much did what I suggested with two different groups
though I believe I misunderstood your original post thinking that you wanted
to let users create/modify folders but not files for whatever reason. You
will find that you have great flexibility with advanced permissions and I
usually try to accomplish a configuration without using deny permissions
which tend to complicate things, particularly since an explicit allow
overrides an inherited deny. --- Steve

 

[Roger Abell [MVP]]

I am in total agreement on always finding a way to avoid using
a deny if at all possible.

There is something of an art in finding out how to set advanced,
aka special, permissions with the least frustration and re-attempts.
In example of this post, using only Users group for example, I would
1. set a grant of Modify for Users
2. go to Advanced and change the Modify grant to Files only
3. OK/Apply back to the generic permissions view, and there
set a grant of List folders
There are cases where doing the same things in a different order
causes what has been done to get wiped out because it is implied
in an ACE through which one only temporarily passes if using the
generic permissions dialogue. It can be very frustrating until one
catches on, but so can making sure all the individual checkboxes
of an advanced edit view are in place.

 

[Steven L Umbach]

I like that method! It does certainly simplify the task. Simple is good.
Thanks. --- Steve