Shared Team Folder Access Controls

Last updated: July 16, 2021

The org. admin can manage access to any Shared Team Folder. This means that he can control who has access to a Shared Team Folder, and he can grant access to himself.

Any org. member who has been assigned a role that has the “manage Team Folders” permission can manage access to any Shared Team Folder, and can grant access to himself.

An org. member to whom the “Manage Permissions” privilege has been assigned for a Shared Team Folder, either directly or because the org. member has been assigned a role that has this privilege, can manage access to that folder.

Access to each Shared Team Folder can be granted to individual org. members. Access to each Shared Team Folder can also be granted to roles, in which case the access privilege applies to every org. member to whom the role has been assigned, subject to these two rules:

  1. Access privileges granted to the individual org. member supersede privileges granted to a role that has been assigned to the org. member.
  2. When an org. member has been assigned two or more roles and the roles have different access privileges for a folder, the most permissive access level prevails.

Each folder also has a default access level. This is the access level that is applied to org. members to whom no other access level has been assigned either directly or through a role.

Inherited Permissions and Managed Folders

When a Shared Team Folder is created, either as a new folder or by converting an existing folder, any folders beneath that folder in the directory tree inherit whatever permissions are applied to that folder (but not necessarily the permission modifiers, which are discussed later in these notes). If permissions are changed on the Shared Team Folder then the folders beneath it inherit the changes.

A user with the appropriate authority can change permissions on folders that are beneath a Shared Team Folder in the directory tree. When this happens, the folder on which permissions were changed becomes a Managed Folder. At the moment that a folder becomes a Managed Folder it stops inheriting access permissions from the folder above it in the directory tree, and changes to its parent folder’s permissions no longer apply to the newly created Managed Folder.

A new Managed Folder allows no access to any users or roles except those granted by the user who created the Managed Folder by changing a permission. The new Managed Folder’s default access level is copied from its parent folder at the time the Managed Folder is created and can be changed independently of the parent folder’s default access level.
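
The resolution rules and the Managed Folder behaviour described above, modelled as an added example (not code from the product or its vendor). The level names and their ordering, the dict layout, and all function, folder, user and role names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed level names, least to most permissive ("none" is an assumed level).
LEVELS = ["none", "read", "read_write"]

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    acl: Optional[dict] = None  # None means "inherit from the folder above"

def governing(folder):
    """Nearest folder at or above `folder` that carries its own permissions."""
    while folder.acl is None:
        if folder.parent is None:
            raise ValueError(f"{folder.name} is not under a Shared Team Folder")
        folder = folder.parent
    return folder

def effective_access(folder, user, user_roles):
    acl = governing(folder).acl
    if user in acl["users"]:  # rule 1: a direct grant supersedes roles
        return acl["users"][user]
    granted = [acl["roles"][r] for r in user_roles if r in acl["roles"]]
    if granted:  # rule 2: most permissive of the member's roles
        return max(granted, key=LEVELS.index)
    return acl["default"]  # nothing assigned: folder default

def make_managed(folder, users=None, roles=None):
    """Keep only the new grants; copy the default level once from above."""
    default = governing(folder).acl["default"]
    folder.acl = {"users": dict(users or {}), "roles": dict(roles or {}),
                  "default": default}

def demo():  # constructed sample data; every name here is made up
    team = Folder("Projects", acl={
        "users": {"dana": "read"}, "default": "read",
        "roles": {"engineering": "read_write", "contractors": "read"}})
    payroll = Folder("Payroll", parent=team)
    before = effective_access(payroll, "eli", ["engineering", "contractors"])
    make_managed(payroll, users={"gia": "read_write"})
    team.acl["default"] = "none"  # later change on the parent folder
    return {"dana_on_team": effective_access(team, "dana", ["engineering"]),
            "eli_before": before,
            "eli_after": effective_access(payroll, "eli", ["engineering"]),
            "gia_after": effective_access(payroll, "gia", [])}

print(demo())
```

In this model eli drops from read_write to read once Payroll becomes a Managed Folder, because the role grant is not carried over and only the copied default applies. The later change to the parent's default does not reach Payroll, so an access review has to check each Managed Folder separately.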

Permission Modifiers

Permission modifiers provide more granular control over permitted operations. This table summarizes the permission modifiers:

| Modifier | Applied To | Default Mode | Inherited |
|---|---|---|---|
| Create subfolder | Read/Download + Write/Upload | Enabled | Yes |
| Upload files | Read/Download + Write/Upload | Enabled | Yes |
| Rename | Read/Download + Write/Upload | Enabled | Yes |
| Move | Read/Download + Write/Upload | Enabled | Yes |
| Delete | Read/Download + Write/Upload | Enabled | Yes |
| Modify Structure | Read/Download + Write/Upload | Enabled | Yes |
| Manage Trash | Read/Download + Write/Upload | Enabled | Yes |
| Create shared links | Read/Download | Disabled | Yes |
| Web View Only | Read/Download | Disabled | Yes |
| List Only | Read/Download | Disabled | Yes |

Some modifiers are mutually exclusive:

  • Create Shared Links and Web View Only cannot be used together
  • Neither Create Shared Links nor Web View Only can be used with List Only.

Please note that as of v2106.00, the Read/Download modifiers inherit down to subfolders.

The Modify Structure permission modifier is also new in v2106.00. When it is applied to a folder, it prevents users from creating or renaming a subfolder, and from deleting subfolders, their descendant folders and the folder itself.

Subfolder Access within Private Folder

As an advanced example, how can we grant a user or group access to specific subfolders within a private subfolder?

First, grant the user “List Only” permission on any parent folders they don't have access to. This will allow the user to navigate to the subfolders they'll have access to, but not to access any content. (If this is not desirable, Business Groups or Shared Folders may be a better fit.) If there are multiple parent folders, you can also use Permission Inheritance as described above.

Then grant access as desired for each of the subfolders. Note that any inherited permissions will be lost when the subfolder permission is added. If still needed they can be explicitly added to the subfolder as well.

You can also disable “List Only” access for other subfolders within that parent folder (or other parent folders).

Special Behaviour for Members With the Admin Role

When an org. member who has been assigned the Admin role first encounters a particular shared team folder that was created by another member, the folder will appear in the root directory of the org. member with the Admin role. When that member navigates to the folder representing the provider on which the shared team folder was created, the folder will become visible on that provider and will no longer be visible in root.