Posted by Roger Abell [MVP] on November 20, 2007, 9:48 am
> Hi Roger, thanks for replying.
>
> No, members of Users are not to have the same permissions for "working"
> and "completed". As I said, both "working" and "completed" inherit from
> "root_folder", except "completed" has an extra explicit Deny permission on
> top of what's inherited. The purpose of this deny permission is to
> explicitly deny everything but read access to Users members in "completed".
>
OK, but I was hoping for a positive statement of what they should have.
So, it appears that Users should have ability to define new things in
Working and to modify them, but that they should have only read/list
on those once they are in Completed.
> I'm aware that Creator/Owner permissions kick in as soon as a member of Users
> creates a folder in "working", and then moves it to "completed". This is
> why I put the Deny permission in place on "completed" - to explicitly
> override that. In fact, with it being the only explicit Deny permission, it
> should override all Allow permissions of each folder in "completed" - and it
> does.
Not really. It does not work that way.
An inherited deny will only override conflicting grants that are
set at the same or a higher level in the directory tree. It will not
override a grant set at a lower level (closer to the object under
consideration). Hence, the Creator/Owner grant causes an explicit
grant to Username on the object they create, and this grant moves
with the object when it is moved to Completed, and this grant then
overrides the inherited deny.
> However, instead of affecting just members of the Users group, this Deny
> permission also affects members of the Administrators group, for no
> apparent reason. That is, members of the Administrators group are also
> denied everything except read access to the "completed" folder - even
> though the permission is set only for the Users group.
>
Your members of Administrators are obviously considered to
effectively be members of Users.
At a cmd prompt, if you issue
net localgroup administrators
what is the result?
As stated in reply of other thread, your Users group likely has
either Authenticated Users or Interactive in it. If you remove
these you need to be careful about what they are accomplishing
so that you replace what of that is needed with some other
memberships. However, if you approach this without use of
Deny, which I would recommend, then Administrators being
effective members of Users becomes a non-issue for this issue.
> I want to be able to have a folder in "working" with full access to Users,
> and then have an Administrator move it to "completed", and by doing so,
> automatically make the folder read-only to Users. I want Administrators
> to retain full control over both folders at all times.
>
Here is what I would suggest.
On Working set
Administrators Full
Users Modify
and nothing else and nothing inherited from parent of Working.
On Completed set
Administrators Full
Users Read/List
and nothing else and nothing inherited from parent of Completed.
With those permissions there will be no explicit permissions on
objects within either Working or Completed. Hence a move
from Working to Completed will result in the moved object then
having only the permissions inherited from Completed.
If there are any permissions set directly on the moved object
those will move with it. That is (part of) what is giving you
problems.
Roger
> Thanks again for the help.
>
> --
> dima
>
> "Roger Abell [MVP]" wrote:
>
>> So are Users members to have the same permissions on
>> things in Working as in Completed?
>> You did not state.
>>
>> Your issue is in part that there is a special grant to Users
>> that lets them create new things, at which point the grant
>> to Creator/Owner kicks in and grants that account Full.
>>
>> Given that Working and Completed are on the same partition
>> you should copy from Completed to Working, not move.
>> A move within a partition for Windows up through W2k3
>> takes along permissions that are explicitly granted on the
>> moved.
>>
>> Tell us what you want Working to allow to Users and then
>> we can get you going.
>>
>> Roger
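One way to put Roger's suggested Working/Completed permissions in place and check the result, written here as an added example and not anything posted in the thread. It assumes the two folders sit under D:\Jobs (a placeholder path) on an NTFS volume where icacls is available, and the Get-ExplicitAces and Complete-Job function names are my own.

```powershell
# Added example, not from the thread. D:\Jobs is a placeholder path.
$Working   = 'D:\Jobs\Working'
$Completed = 'D:\Jobs\Completed'

# Working: stop inheriting from the parent folder, drop any CREATOR OWNER
# entry, then grant only Administrators Full and Users Modify. (OI)(CI)
# makes each entry inherit to files and subfolders, so nothing explicit is
# stamped on what Users create; without CREATOR OWNER there is no per-user
# Full grant to travel along on a later move.
icacls $Working /inheritance:r
icacls $Working /remove 'CREATOR OWNER'
icacls $Working /grant:r 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)M'

# Completed: same shape, but Users get Read/List/Execute only and no Deny.
icacls $Completed /inheritance:r
icacls $Completed /remove 'CREATOR OWNER'
icacls $Completed /grant:r 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX'

# Check: list entries set directly on an object rather than inherited.
# For a folder that has arrived in Completed this should return nothing;
# an explicit Allow here is exactly what lets a Creator/Owner grant win
# over an inherited Deny.
function Get-ExplicitAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
}

# Finish a job by copy-then-delete instead of Move-Item: on a same-volume
# move the folder's explicit entries go with it, while a fresh copy only
# picks up what Completed passes down.
function Complete-Job {
    param([string]$Name)
    $src = Join-Path $Working $Name
    $dst = Join-Path $Completed $Name
    Copy-Item -Path $src -Destination $dst -Recurse
    Remove-Item -Path $src -Recurse -Force
}

# Usage (job42 is a made-up folder name):
#   Complete-Job 'job42'
#   Get-ExplicitAces (Join-Path $Completed 'job42')
```

Run it from an elevated prompt; if Get-ExplicitAces still lists entries on a folder under Completed, something other than inheritance put them there and that is where to look.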