Posted by Rockitman on August 9, 2008, 1:35 pm
Finally!! Somebody has explained this so that I can understand!! Thanks a
million Roger, it makes crystal clear sense now!!
"Roger Abell [MVP]" wrote:
> A user must have both share level and filesystem level permissions if they
> are to access over the network.
> When they are logged in locally only the filesystem permissions are needed.
> When they access over the network they can do anything that the filesystem
> allows to them provided that the share level permissions are not less.
> For example, your scenario had a couple of categories of users, but none
> of them will be setting permissions, so they will not use permissions greater
> than change (i.e. full). If the filesystem set things so that your categories of
> accounts could do exactly and only what you want when logged in locally,
> then granting them change at the share level would let them do everything
> they are allowed at the filesystem (but nothing else as the filesystem will
> not allow it). If at the share level you were to only give them read, then
> even though the filesystem would let them do more they could not do any
> more than read when the access is over the network.
> The share level permissions set an upper limit on what can be done over
> the network, provided that the filesystem allows it. The share level
> permissions never cause an account to be able to do more than the
> filesystem allows to the account.
> In your scenario you want one category of account to be able to have
> "read and file scan rights". I am not sure what you mean by the second.
> If you want them to be able to read files and browse the folder structure
> then you would grant them List and Read on the filesystem, and you
> would grant them at least Read at the share level.
> The other category is not quite as simple. If you had not said they
> should not be able to delete then at the uppermost folder you could just
> grant them List and grant them Modify Subfolders and Files (you need
> to click advanced after you grant Modify in order to reduce it from
> This folder, subfolders and files to just Subfolders and files)
> In order for this category of user to use all of their filesystem perms
> over the network they would need at least Change share level perms.
> Now, you said they should not be able to delete. You can accomplish
> that a couple of ways. One is to use the advanced view of the filesystem
> perms just described and remove the check mark on the deletes.
> However this might not be what you expect as some things, like
> renames, actually require delete.
>
> Roger
>
>
> >I am trying very very hard to understand all of this and am failing
> >miserably.
> >
> > I have a d: drive. I have created a folder called docs. I want group A
> > to have read and file scan rights to this folder and all of its
> > subfolders.
> > I also have a user, who will be responsible for creating folders under this
> > Docs folder, placing files in these folders, and possibly renaming them as
> > well as the folders themselves, in case she makes a mistake. I just don't
> > want her to have any delete rights.
> > So, with this scenario, can you please explain in detail how I would go
> > about doing this? Please explain in DETAIL. Do I need to create a share?
> > Why??
> >
> > "S. Pidgorny <MVP>" wrote:
> >
> >> There are also permissions on file system. Permissions on share only control
> >> and potentially limit operations through the network sharing mechanism;
> >> permissions on file system are required as well.
> >>
> >> Think of share permission as a visa. In any country, there are citizens
> >> that don't require a visa (full control), those who come with visas (read),
> >> and people without visas or on a blacklist (both have no access). However,
> >> when they are already in the country, different controls apply.
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> >> -= F1 is the key =-
> >>
> >> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
> >>
> >> >I have a folder that I've created a share on. How come there are more
> >> > security permissions than share permissions?
> >> >
> >> > I don't understand this stuff. I want a group to be able to write files to
> >> > the directory but if I give them Write rights in Security it doesn't
> >> > work.
> >> >
> >> > When I go to share permissions, there are very limited rights available,
> >> > Full Control, Read, and Change. Where are the write rights??
> >>
> >>
> >>
>
>
>
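The rule discussed in this thread, as an added example that is not part of any poster's message: over the network a user gets the intersection of share-level and filesystem permissions, while a local logon uses the filesystem permissions alone. The mask values are the standard Windows file access rights; the operation table and the function names are assumptions made for this illustration, and the code models the rule rather than querying a real system.

```python
# Added illustration of the rule in the thread. It models access masks and
# does not query Windows. Bit values are the standard file access rights;
# the per-operation table below is a deliberate simplification.
FILE_READ_DATA = 0x000001
FILE_WRITE_DATA = 0x000002   # on a folder: add file
DELETE = 0x010000
WRITE_DAC = 0x040000         # change permissions

READ_MASK = 0x1200A9         # share Read; filesystem Read plus List
CHANGE_MASK = 0x1301BF       # share Change; filesystem Modify
FULL_MASK = 0x1F01FF         # Full Control at either level

# Right each operation needs. Rename is tied to DELETE, as the thread notes.
NEEDS = {
    "read": FILE_READ_DATA,
    "create": FILE_WRITE_DATA,
    "rename": DELETE,
    "delete": DELETE,
    "set permissions": WRITE_DAC,
}


def effective(ntfs_mask, share_mask=None):
    """Local logon (share_mask=None) uses the filesystem mask only;
    network access is the intersection of both masks."""
    return ntfs_mask if share_mask is None else ntfs_mask & share_mask


def allowed(mask):
    """Operations whose required right is fully present in the mask."""
    return [op for op, need in NEEDS.items() if mask & need == need]


if __name__ == "__main__":
    cases = {
        "Group A: List/Read on filesystem, share Change":
            effective(READ_MASK, CHANGE_MASK),
        "Folder creator: Modify, local logon":
            effective(CHANGE_MASK),
        "Folder creator: Modify, share Read":
            effective(CHANGE_MASK, READ_MASK),
        "Folder creator: Modify without delete, share Change":
            effective(CHANGE_MASK & ~DELETE, CHANGE_MASK),
        "Folder creator: Modify, share Full Control":
            effective(CHANGE_MASK, FULL_MASK),
    }
    for label, mask in cases.items():
        print(f"{label}: {allowed(mask)}")
```

The fourth case shows the caveat from the reply: with the delete right removed, rename is lost along with delete.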