MOSS Forum

Folder Permissions vs. Library Permissions

  Asked By: Ariel    Date: Apr 23    Category: MOSS    Views: 7295

The following tale has to do with the hidden relationships between library
permissions and folder permissions in SharePoint 2007 (we're running MOSS,
but this is probably also true for WSS). I think you might want to know
that breaking a folder's inheritance of permissions from its parent library
does not mean that the effective permissions for a given user on that folder
are independent of their permissions on the library.

We are setting up a site where 60-70 departments of our university will be
working on self-studies leading up to an evaluation by our accrediting
organization. The self-studies result in a document based on a specific
Word template, and a folder of "exhibits" (documents of all kinds). We are
supporting SharePoint as a collaboration space for preparing and reviewing
these self-studies.

Each department wants only its people to have access to their folder during
the preparation phase of the project. So our general scheme is to have a
"Self-Studies" library, with each department's people having "Contribute"
permissions on their folder, and no permissions on any other. It seems
sensible and easy, but...

We set up a "Self-Studies" library with a "Starter" folder. We make a copy
of this folder for each department when they are ready to begin work and
rename it with the department's name. The new folder inherits its parent's
(the library's) permissions; there is no option to avoid inheritance. So
we break the inheritance and add the specific department's users to the
folder with "Contribute" permissions. When the users are added to the
folder's permissions, they are also automatically added to the library with
"Limited Access", presumably so they can access the .aspx pages.

We quickly discovered that users could not upload documents to their folder,
even though they had "Contribute" permissions, if they did not also have at
least "Read" permissions on the library above; they were denied access to
the Upload.aspx page. "Limited Access" didn't cut it.

Since we had a "Participants" group that includes everybody, we gave that
group "Read" permission on the library. This permitted users with
"Contribute" permissions on a folder to access Upload.aspx and to upload.
However, when we add "Contributors" to the folder, they still get
individual "Limited access" to the library, even though they already have
"Read" access via their membership in the "Participants" group.

Further, when a new folder is created, it automatically inherits permissions
from the library (no option), including the "Limited Access" for all the
users who have "contribute" permissions on any other folder. The "limited
access" users can see the new folder, even though they can't access it.
This defeats the purpose of security-trimming.

The obvious solution is to create the folder, add the users to the folder
with "Contribute", then delete their "limited access" to the library.
However, deleting the "limited access" at the library level removes the user
entirely from the folder level (silently).

What we are doing now is to remove each user with "limited access" from each
new folder we create. The list gets longer and longer as we add new folders
and give "Contribute" permissions to users (and consequent "limited access"
to all subsequently-created folders). So the removal is unpleasant donkey
work, and it's error-prone, but it's what we have.

Perhaps this exposition will save somebody else the hours of testing we did
to come to these conclusions -- and help others plan better for their
applications.
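
The per-folder check described in the question, as an audit-only sketch against the SharePoint 2007 server object model (an added example, not part of the original post). The site URL is a placeholder, the library name is taken from the post, and the script relies on the object model reporting "Limited Access" as `SPRoleType.Guest`; it changes nothing and only lists what needs review.

```powershell
# Added example: read-only audit, run on a SharePoint 2007 (WSS 3.0/MOSS) server.
# $SiteUrl is a placeholder; $LibraryName is the library named in the post.
param(
    [string]$SiteUrl     = "http://sharepoint.example.edu/sites/selfstudy",
    [string]$LibraryName = "Self-Studies"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# True when every role bound to this assignment is "Limited Access"
# (exposed by the object model as SPRoleType.Guest).
function Test-LimitedAccessOnly($assignment) {
    foreach ($role in $assignment.RoleDefinitionBindings) {
        if ($role.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest) { return $false }
    }
    return $true
}

# Build one report row (Select-Object on an empty string works on PowerShell 1.0).
function New-Finding($folder, $issue, $principal) {
    $row = "" | Select-Object Folder, Issue, Principal
    $row.Folder = $folder; $row.Issue = $issue; $row.Principal = $principal
    return $row
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
$web  = $site.OpenWeb()
try {
    $list = $web.Lists[$LibraryName]
    foreach ($item in $list.Folders) {
        if (-not $item.HasUniqueRoleAssignments) {
            # Still inheriting: everyone on the library ACL, including the
            # auto-added "Limited Access" entries, applies to this folder.
            New-Finding $item.Url "Inherits library permissions" "(library ACL)"
            continue
        }
        foreach ($ra in $item.RoleAssignments) {
            if (Test-LimitedAccessOnly $ra) {
                # Candidate for the manual removal the post describes.
                New-Finding $item.Url "Limited Access only" $ra.Member.Name
            }
        }
    }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```

Piping the output to `Export-Csv` after each new department folder is created gives a reviewable list of entries to remove, instead of clicking through each folder's permissions page.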

2 Answers Found

 
Answer #1    Answered By: Robert Wilson     Answered On: Apr 23

Your findings make sense. Folders are 'views', not 'containers'. You can
accomplish almost the same thing as folders with custom site columns and
views.

 
Answer #2    Answered By: Chase Wagner     Answered On: Apr 23

That perspective is helpful in some ways, but mystifying in
others (especially to the naïve user, whose experience is likely limited to
desktop file systems). Folders sometimes act like containers (e.g., files
and folders can inherit permissions from their parent folders).

Views don't appear to have permissions at all (perhaps unfortunately), so
you can't accomplish any of what we're trying to do with permissions that
way.

Also, it just doesn't make sense that you should need "Read" access to a
library in order to upload to a folder for which you have "contribute"
permissions. Either "limited access" should work, or you should need
"contribute" permissions on the library.

And I don't understand why it's advantageous to propagate "limited access"
from the parent to new children, when the "limited access" to the parent was
granted to provide higher-level privileges to a different child of the
parent.

In both cases, I suspect the use cases weren't thought all the way through.

 