On Fri, Nov 8, 2013 at 9:22 AM, Jim Majorowicz <[email protected]> wrote:
> I've got a client that wants a specific setup for their file shares and I'm
> struggling with getting it set up the way they want without applying the
> permissions to every stinking folder in every share. Here's the example
> folder structure.
>
> ShareRoot
>   |
>   |-Folder1
>   |   |
>   |   |-SubFolder1
>
> They want the users that have access to ShareRoot to have read/write access
> to the SubFolder level without having the ability to modify, move or delete
> the folders at the Folder level or delete any files in the ShareRoot folder,
> but still able to modify the file in the ShareRoot folder and files in the
> Folder level.
>
> I've tried explaining there are seldom good technical solutions for
> behavioral problems, but they really don't care. They feel this should be
> doable.
>
> I can set the permissions folder by folder, but they want to be able to
> automate the permissions because the Folders do change over time and they
> don't want to pay us every time they make a change, never mind that the
> person who originally made this possible (and of course doesn't work there
> anymore) used to just manually set the permissions practically at every file
> level. (Cleaning this up has been a real nightmare.)
>
> The current permissions set on the ShareRoot look like this:
>
> ShareGroup - Read & execute - This folder only
> ShareGroup - Modify - Subfolders and files only
>
> The problem I'm having is even with those permissions set, a user, albeit
> accidentally, could still move and/or delete Folder level folders, although
> they cannot rename them. Their access rights at the SubFolder level are
> correct.
>
> If I change the Subfolder and files permission for the group to Read, write
> & Execute, I then don't have the needed Modify permissions at the SubFolder
> level, and to do that I then have to add the Modify - Subfolders and files
> only permission on the Folder level folders, which doesn't meet their
> requirement of not needing us in the future for this stuff.
>
> Is there any way I can make this work from the ShareRoot?

Yes, but you're going to have to go with more individual permissions. Specifically, I believe you're going to have to list some permissions as "files only" in ShareRoot - and you're likely going to have to experiment with them to tune it just right. I think you'll be seeing several permissions for the same users/groups, each with different restrictions in scope (Files Only, This Folder Only, This Folder and Subfolders, etc.).

Kurt
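
For the kind of experimenting suggested above, the following PowerShell sketch is an added example and not part of either message in the thread. It applies the two ACEs quoted in the question to a scratch copy of the folder tree and lists which inherited rights reach each level. The group name, the scratch path and the file names are placeholders, and the script assumes the chosen group has no other ACEs on the scratch path.

```powershell
# Added example: scratch harness for testing ACE scopes on the thread's tree.
param(
    [string]$Group = 'BUILTIN\Users',   # placeholder for the thread's ShareGroup
    [string]$Root  = (Join-Path $env:TEMP 'ShareRoot-acltest')   # scratch path
)

function New-Rule($rights, $inherit, $propagate, $type = 'Allow') {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $rights, $inherit, $propagate, $type)
}

# The two entries quoted in the question, expressed as inheritance flags.
$rules = @(
    # "Read & execute - This folder only"
    New-Rule 'ReadAndExecute' 'None' 'None'
    # "Modify - Subfolders and files only"
    New-Rule 'Modify' 'ContainerInherit,ObjectInherit' 'InheritOnly'
    # Candidate to experiment with (an assumption, not from the thread):
    # deny Delete on the immediate children of ShareRoot only.
    # New-Rule 'Delete' 'ContainerInherit,ObjectInherit' 'NoPropagateInherit,InheritOnly' 'Deny'
)

# Set the ACL on the empty root first so every child inherits at creation.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -Path $Root
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $Root -AclObject $acl

# Constructed sample tree matching the layout in the question.
$sub = Join-Path $Root 'Folder1\SubFolder1'
New-Item -ItemType Directory -Path $sub -Force | Out-Null
'x' | Set-Content (Join-Path $Root 'root.txt')
'x' | Set-Content (Join-Path $Root 'Folder1\folder.txt')
'x' | Set-Content (Join-Path $sub 'sub.txt')

# Report the group's inherited ACEs at each level of the tree.
Get-ChildItem -Path $Root -Recurse | ForEach-Object {
    $item = $_
    (Get-Acl -Path $item.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and $_.IsInherited } |
        Select-Object @{n='Path'; e={ $item.FullName.Substring($Root.Length) }},
                      AccessControlType, FileSystemRights, InheritanceFlags
} | Format-Table -AutoSize
```

With only the two original rules, the row for `\Folder1` shows an inherited Allow Modify entry, and Modify includes Delete, which is the behaviour described in the question. Add or change rules in `$rules`, delete the scratch folder, and rerun to compare scopes before touching the real share.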

