Differences

This shows you the differences between two versions of the page.

shared/team/folders/access/controls [2019_10_29 17:54] steven
shared:team:folders:access:controls [2024_03_19 22:16] (current) – [Shared Team Folder Access Controls] steven
Line 1: Line 1:
 #Shared Team Folder Access Controls #Shared Team Folder Access Controls
  
-{{ youtube>9J6Zr-6OjaY?medium }}+#### Last updated: Aug. 17, 2022
  
-####Last updated: March 7, 2019 +The Access Anywhere admin, or a member who has the admin role, can manage access to any Shared Team Folder.  This means that they can control who has access to a Shared Team Folder and can grant access.
-The org. admin can manage access to any Shared Team Folder.  This means that he can control who has access to a Shared Team Folderand he can grant access to himself.+
  
-Any org.member who has been assigned a role that has the “manage Team Folders” permission can manage access to any Shared Team Folderand can grant access to himself.+Any organization member who has been assigned a role that has the “manage Team Folders” permission can also manage access to any Shared Team Folder and can grant access.
  
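Review bot: The rewritten admin and role sentences above now end at "and can grant access.", dropping the object the old text carried ("can grant access to himself"), so the page no longer states that a holder of the admin role or the “manage Team Folders” permission can add themselves to any Shared Team Folder. That self-grant ability is what a reader auditing who can reach a folder needs to know; keep it in gender-neutral form, for example "and can grant themselves access", in both paragraphs.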
-An org. member to whom the “Manage Permissions” privilege has been assigned for a Shared Team Folder, either directly or because the org. member has been assigned a role that has this privilege, can manage access to that folder.+An organization member to whom the “Manage Permissions” privilege has been assigned for a Shared Team Folder, either directly or because the organization member has been assigned a role that has this privilege, can manage access to that folder.
  
-Access to each Shared Team Folder can be granted to individual org. members. Access to each Shared Team Folder can also be granted to roles, in which case the access privilege applies to every org. member to whom the role has been assigned, subject to these two rules:+Access to each Shared Team Folder can be granted to individual organization members. Access to each Shared Team Folder can also be granted to roles, in which case the access privilege applies to every organization member to whom the role has been assigned, subject to these two rules:
  
-1. Access privileges granted to the individual org. member supersede privileges granted to a role that has been assigned to the org. member.+1. Access privileges granted to the individual organization member supersede privileges granted to a role that has been assigned to the organization member. 
 +\\ \\  
 +2. When an organization member has been assigned two or more roles and the roles have different access privileges for a folder, the most permissive access level prevails.
  
-2. When an org. member has been assigned two or more roles and the roles have different access privileges for a folder, the most permissive access level prevails. +Each folder also has a default access level. This is the access level that is applied to organization members to whom no other access level has been assigned either directly or through a role.
- +
-Each folder also has a default access level. This is the access level that is applied to org. members to whom no other access level has been assigned either directly or through a role.+
  
 ##Inherited Permissions and Managed Folders ##Inherited Permissions and Managed Folders
-When a Shared Team Folder is created, either as a new folder or by converting an existing folder, any folders beneath that folder in the directory tree inherit whatever permissions are applied to that folder (but not necessarily the permission modifiers, which are discussed later in these notes).  If permissions are changed on the Shared Tea Folder then the folders beneath it inherit the changes.+When a Shared Team Folder is created, either as a new folder or by converting an existing folder, any folders beneath that folder in the directory tree inherit whatever permissions are applied to that folder (but not necessarily the permission modifiers, which are discussed later in these notes).  If permissions are changed on the Shared Team Folder then the folders beneath it inherit the changes. 
 + 
 +Unlike other solution permissions can be broken within the sub hierarchy of the tree. Permissions can be changed by a user with the appropriate authority on folders that are beneath a Shared Team Folder in the directory tree.  When this happens, the folder on which permissions were changed becomes what we term as a 'Managed Folder' At the moment that a folder becomes a 'Managed Folder' it stops inheriting access permissions from the folder above it in the directory tree, and changes to the permissions on its parent folder’s permissions no longer apply to the newly created Managed Folder. 
 + 
 +A new 'Managed Folder' allows no access to any users or roles except those granted by the user who created the 'Managed Folder' by changing a permission.   The new 'Managed Folder’s' default access level is copied from its parent folder at the time the Managed Folder is created and can be changed independently of the parent folder’s default access level. 
 +// // 
 + 
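Review bot: The last added paragraph of this section says a new Managed Folder "allows no access to any users or roles except those granted by the user who created" it, and the next sentence says its default access level "is copied from its parent folder", which leaves it unclear whether members who reached the parent only through the default level keep access. State which rule applies to those members. In the paragraph before it, "Unlike other solution permissions can be broken within the sub hierarchy of the tree" needs rewording (it can be read as "other solution permissions"), and a period is missing between "'Managed Folder'" and "At the moment".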
 +##Permission Modifiers 
 + 
 +Permission modifiers provide more granular control over permitted operations. This table summarizes how  the permissions modifiers are used: 
 +| **Modifier**      | **Applied To** | **Default Mode** | **Inherited** | 
 +| Create subfolder      | Read/Download + Write/Upload       | Enabled | Yes | 
 +| Upload files | Read/Download + Write/Upload | Enabled | Yes |  
 +| Rename files| Read/Download + Write/Upload | Enabled | Yes | 
 +| Move files| Read/Download + Write/Upload | Enabled | Yes | 
 +| Delete files| Read/Download + Write/Upload | Enabled | Yes | 
 +| Modify Structure | Read/Download + Write/Upload | Enabled | Yes | 
 +| Manage Trash | Read/Download + Write/Upload | Enabled | Yes | 
 +| Create shared links | Read/Download | Disabled | Yes |  
 +| Web View Only | Read/Download | Disabled | Yes | 
 +| List Folders | Read/Download | Disabled | Yes | 
 + 
 +This table summarizes what they do: 
 +| **Modifier** | **Meaning** | 
 +|Create subfolder|If this is enabled then user can create subfolders in the shared folder.| 
 +|Upload files|If this is enabled then the user can upload files to the shared folder.| 
 +|Rename files|If this is enabled then the user can rename files in the shared folder.| 
 +|Move files|If this is enabled then the user can move files to or from the shared folder.| 
 +|Delete files|If this is enabled then user can delete files from the shared folder.| 
 +|Modify structure|If this is enabled then user can, rename and delete descendant folders and the shared folder itself.| 
 +|Manage Trash|If this is enabled then the user can view, restore and destroy the contents of Trash for the shared folder.| 
 +|Create shared links|If this is enabled then the user can create shared links for the shared folder or any of its contents, consistent with organization policy.| 
 +|Web View Only|If this is enabled then the user can only view the shared folder's contents in the browser.  Copies and moves out of the folder, uploads to the folder, deletion of files in the folder and downloads of files in the folder are prohibited.| 
 +|List Folders|If this is enabled then the user can list and access the folders in the shared folder (consistent with permissions on those folders) but cannot list the files in the shared folder.| 
 + 
 +Some modifiers are mutually exclusive: 
 +  * //Create Shared Links// and //Web View Only// cannot be used together 
 +  * Neither //Create Shared Links// nor //Web View Only// can be used with //List Folders//.  
 + 
 +Please note that as of v2106.00, the Read/Download modifiers now inherit down to subfolders.  
 + 
 +The //Modify Structure// permission modifier is also new in version v2106.00.   It allows users to rename subfolders, and to delete  subfolders, their descendant folders and the shared folder itself.  It also makes the "Create subfolders" modifier available.  If that modifier is set then users can also create subfolders. 
 +\\ \\  
 + 
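Review bot: The "Inherited" column of the first modifier table is "Yes" in every row, but the lists removed further down said "Subfolder create disabled", "Upload disabled", "File rename disabled" and "File move disabled" are not inherited by unmanaged subfolders, and the only version note added here ("as of v2106.00, the Read/Download modifiers now inherit down to subfolders") covers the Read/Download modifiers, which the old text already listed as inherited. Say from which version the Write/Upload modifiers inherit, and reword or drop the parenthetical kept in the Inherited Permissions paragraph ("but not necessarily the permission modifiers"), which now contradicts the table. Smaller points: "Modify Structure" is capitalized differently in the two tables, and its meaning row reads "user can, rename and delete" with a stray comma.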
 +## Subfolder Access within Private Folder 
 + 
 +As an advanced example, how can we grant a user or group access to specific subfolders within a private subfolder? 
 + 
 +First, grant the use "List Folders" permission on any parent folders they don't have access to. This will allow the user to navigate to the subfolders they'll have access to, but not access any content. (If this is not desirable Business Groups or Shared Folders may be a better fit). If there are multiple parent folders recognize you can also use Permission Inheritance as described above. 
 + 
 +{{ ::shared:team:folders:access:controls:parent-folder-list-permission.png?nolink |}} 
 + 
 +Then grant access as desired for each of the subfolders. Note that any inherited permissions will be lost when the subfolder permission is added. If still needed they can be explicitly added to the subfolder as well. 
 + 
 +{{ ::shared:team:folders:access:controls:subfolderacccess.png?nolink |}}
  
-Permissions can be changed by a user with the appropriate authority on folders that are beneath a Shared Team Folder in the directory tree.  When this happens, the folder on which permissions were changed becomes a Managed Folder.  At the moment that a folder becomes a Managed Folder it stops inheriting access permissions from the folder above it in the directory tree, and changes to the permissions on its parent folder’s permissions no longer apply to the newly created Managed Folder.+You can also disable "List Folders" access for other subfolders within that parent folder (or other parent folders):
  
-These permission modifiers are inherited by unmanaged subfolders+{{ ::shared:team:folders:access:controls:other-subfolders.png?nolink |}} 
-  * List Only +\\ \\ 
-  * Web View Only +
-  * Can Share Files+
  
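Review bot: In the added "Subfolder Access within Private Folder" steps, "Note that any inherited permissions will be lost when the subfolder permission is added" describes the Managed Folder behaviour defined earlier on the page without naming it; say that the subfolder becomes a Managed Folder at that point so readers connect the two. The first step also has a typo, "grant the use "List Folders" permission" (should be "user"), and "If this is not desirable Business Groups or Shared Folders may be a better fit" needs a comma after "desirable".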
-These permission modifiers are not inherited by unmanaged subfolders: +## Special Behaviour for Members With Certain Roles 
-  * Subfolder create disabled +Org. members who have been assigned the Admin role or a role that allows both managing Shared Team Folders and managing Team Clouds will see Shared Team Folders that were created by other members and to which the member with the relevant role was granted access either in the root directory of the org. member with the role or inside the provider on which the shared team folder was created depending on how the directory tree is navigated.  
-  * Upload disabled +// // 
-  * File rename disabled +## Web View Only / DLP Access permissions
-  * File move disabled+
  
-new Managed Folder allows no access to any users or roles except those granted by the user who created the Managed Folder by changing a permission  The new Managed Folder’s default access level is copied from its parent folder at the time the Managed Folder is created and can be changed independently of the parent folder’s default access level.+combination of Web View only access permissions combined with document watermarking provides effective Data Loss Prevention for sensitive documents 
 +## Shared Team Folders Permissions Report 
 +Org. admins can create [[shared/team/folders/permissions_report|reports]] showing the permissions that have been granted on Shared Team Folder.
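Review bot: The added sentence under "Web View Only / DLP Access permissions" starts in lower case without its article ("combination of Web View only access permissions combined with document watermarking"), has no closing period, and repeats "combination ... combined"; it also does not say what the claim rests on. Suggest "A combination of Web View Only access and document watermarking ..." and a pointer back to the Web View Only row of the modifier table, which lists the operations that are prohibited. The "Special Behaviour" paragraph and the report line still use "Org." and "org. member" although the rest of this revision replaces the abbreviation with "organization", and the report line reads "granted on Shared Team Folder" without an article or plural.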