4.5 Rights to Files and Folders
Filr users must have the required rights to access files and folders through Filr.
4.5.1 Access Is Always Controlled by the File System
As already explained, access through Filr involves one of four possible roles.
For users to have Viewer, Editor, or Contributor rights through Filr, they must have the minimum rights that those roles require, as outlined and illustrated in the following sections.
Filr Roles and NSS File System Trustee Rights
For eDirectory users to function in Filr roles, they must have the NSS rights illustrated and explained in Table 4-2.
Table 4-2 NSS File System Rights and Filr Roles
|
Role and Minimum NSS Rights Required |
Comments |
|---|---|
|
Read and File Scan are the minimum file system trustee rights that users must have to view files and folders. |
|
If the Write file system trustee right is added to Read and File Scan, users can then modify file content. |
|
To perform contributor functions, users must either have all file system trustee rights to the file or folder (except for Access Control) or the Supervisor right to the file or folder. You might ask why Access Control isn’t listed. That is because it has no effect. Although users can provide access for other users through Filr sharing, that functionality is enabled by the file system rights of Net Folder proxy users. Filr shared access is independent of any file system rights that users have or do not have. |
Filr Roles and NTFS Permissions
For Active Directory users to function in Filr roles, they must have the NTFS file system permissions illustrated and explained in Table 4-3.
Table 4-3 NTFS Permissions and Filr Roles
|
Role and Minimum NTFS Permissions Required |
Comments |
|---|---|
|
Read, Read & Execute, and List Folder Content are the minimum basic permissions that users must have in order to view files and folders. The default special permissions associated with these basic permissions are also required. |
|
If the basic Write permission is added, users can then modify file content. The default special permissions associated with these basic permissions are also required. |
|
To perform contributor functions, users must either have the basic Modify permission added, or they must have the basic Full Control permission. The default special permissions associated with these basic permissions are also required. |
Role Requirements Are Rigidly Enforced
The NSS and NTFS requirements set forth in Table 4-2 and Table 4-3 are very rigid.
For example, Figure 4-2 shows that if the NSS write right is missing, the user can only function as a viewer, even though all of the Contributor-specific rights are present.
Figure 4-2 Missing Write right limits to only Viewer role
Figure Figure 4-3 shows that if the Read & Execute privilege is missing, the user has no Filr role, even though all of the other permissions are present.
Figure 4-3 Missing Read & Execute privilege prevents access through Filr
4.5.2 My Files (Personal Storage)
Users automatically have all access rights to the Filr-based personal storage assigned to them.
Figure 4-4 Filr users have all rights to their personal storage through My Files
For more information regarding My Files, see Section 9.0, My Files (Personal Storage).
4.5.3 Home Folders
Users should have all rights to their server-based home folders.
|
Letter |
Details |
|---|---|
|
Although it is certainly possible that an administrator might choose to limit the file system rights to a home folder, that would seem to defeat the whole purpose behind providing home directories in the first place. Of course, rights restrictions are completely separate from limiting the available file storage space. In all cases, if there are file system restrictions, Filr always honors them. |
4.5.4 Net Folders
Users who are granted access to a Net Folder are not restricted by Filr. The file system of the target folder retains complete access control. The level of rights that users have through Filr depends on the role they have, as explained in, Access Through Filr Involves One of Four Possible Roles.
Figure 4-5 Users’ effective rights to Net Folders are controlled by the file system where the Net Folder resides and the Filr role that these rights qualify them for
|
Letter |
Details |
|---|---|
|
|
User Blue is granted all rights to the NSS-based projects folder, except the Erase right (green bar). |
|
Because User Blue doesn’t have the Erase right, Filr assigns the Editor role. This means that even though Blue has Create (blue) and Modify (purple) rights on the file system, and could exercise them through a file browser, such as Windows Explorer, Filr functionality is limited to editing files within the projects folder. |
For more information, see Section 10.5, Granting Access to Net Folders.
4.5.5 Filr Attributes Are Always Honored
Figure 4-6 File attributes affect functionality in home folders
|
Letter |
Details |
|---|---|
|
|
User Blue is granted all rights to an NSS-based home folder. |
|
|
User Blue applies the Read-only attribute to one of the files in the home folder to ensure that it doesn’t get modified by mistake. |
|
A few weeks later, Blue opens the file and tries to change it. The file system doesn’t allow this because of the file’s Read-only attribute. Of course, Blue could remove the attribute using a file browser, such as Windows Explorer, and then modify the file. Filr always honors the file system. As long as the file is Read-only, it cannot be modified through Filr. |
Figure 4-7 File attributes also affect functionality in Net Folders
|
Letter |
Details |
|---|---|
|
|
As shown in Figure 4-5, Blue doesn’t have Erase rights on the projects folder. |
|
|
Therefore, Blue only qualifies for the Filr Editor role. |
|
|
The project leader maintains strict control of the scope.txt file by using the Read-only attribute. |
|
This means that, even though Blue is an Editor in the projects folder, the scope.txt file is off-limits for making any changes. |