Permissions Question
Rulkiewicz
Member Posts: 29 ■□□□□□□□□□
If a user account has Read to a shared folder, and the group he belongs to has Change, does this accumulate? Would he have Change, or Change AND Read?
Because if you can Change, you can already read.
Also, about NTFS permissions, if a user has the NTFS permission Read, and the group he belongs to has modify, does he have Read AND Modify, or are his effictive permissions Modify?
Because if you can Change, you can already read.
Also, about NTFS permissions, if a user has the NTFS permission Read, and the group he belongs to has modify, does he have Read AND Modify, or are his effictive permissions Modify?
Comments
-
Mishra
Member Posts: 2,468 ■■■■□□□□□□
Change permissions includes the read permissions. You actually can't select change and unselect read. So yes, if the user as read access one way, he has read. If the user as read access one way and change the other way, he has change. If the user has read one way, change another way, and full control yet another way, the user will have full control access.
Modify is the same thing, it includes read. -
Rulkiewicz
Member Posts: 29 ■□□□□□□□□□
I was thrown off by this example:
Multiple Shared Folder Permissions Combine: A user’s effective permissions for a resource are the sum of the Shared Folder permissions that you assign to the individual user account and to all of the groups to which the user belongs. In other words, if a user has Read permission for a folder and is a member of a group with Change permission for the same folder, the user has both Read and Change permissions for that folder. -
royal
Member Posts: 3,352 ■■■■□□□□□□
You have Share Permissions
You have NTFS Permissions
All your Share Permissions are cumulative
All your NTFS Permissions are cumulative
It then takes the most restrictive and assigns those as effective permissions. Think of it as a competition of Share vs NTFS. Share will gather as many teammates as possible (cumulating permissions). NTFS will also gather as many teammates as possible (cumulating permissions). Share and NTFS will then duke it out. The toughest (most restrictive permissions wins).
So lets say you have a user named John. John has ntfs Read. John is a part of the Sales Group. The sales group has Write. Because John has Read and is a part of the Sales group, he effectively has Read AND write. This means if John accesses the file system via console and goes to My Computer > C > bleh bleh and accesses that folder/file, he will be able to read AND write.
Now lets keep those ntfs permissions on that folder, but now lets share it out. By default, the Everyone group has read access to that share and that is all. Now lets say John instead goes to \\server\folder. He will be ONLY be granted Read access and will not be able to write. Why? Even though his ntfs permissions are Read/Write, he is restricted due to the Share permissions being more restrictive. Remember, it is Share vs NTFS. Share has more restrictive permissions (Everyone Read only, there is no Write there).
In real world, generally speaking, you'll just assign Share permissions to Everyone/Full Control. You will then restrict people's access via NTFS permissions.
Hope this helps.“For success, attitude is equally as important as ability.” - Harry F. Banks -
Mishra
Member Posts: 2,468 ■■■■□□□□□□
Rulkiewicz wrote:Thanks for the clarification.
Rulk,
The best way you are going to understand this whole process is if you try it yourself. Make a user on your desktop called Test. Use that user to setup permissions to a folder. Log off and back on with the Test user and see what you can do with the folder. You can also map the shared folder you created using the "different user name" link when you click "map network drive". You can map the drive with your administrator account while logged in as the test user. This way you can change the permissions of the folder using the newly mapped drive, then go back to your C: drive and try the folder which will try it with the test user's ACL permissions.