Restrict access to parent folder but allow child folder access
-
The only problem you really have is inherited permissions. As you found out, you can't effectively use inherited permissions when you don't want everything to inherit the permission. So you need to use explicit permissions in those cases at the top levels.
In a larger company you have many groups, and employees belong to the groups they need, and then they might have individual permissions added as needed as well.
I think you just need to give the groups and permissions needed some more thought.
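Added example, not part of the original post: one way to apply explicit permissions at the top level, assuming NTFS on Windows and an elevated PowerShell session. The paths and the two user-facing principals are constructed stand-ins for a real share root and real groups. The parent gets a "this folder only" entry, so nothing flows down to the child, and the child carries its own explicit entry.

```powershell
# Constructed paths and stand-in principals; replace with your share and groups.
$Parent        = Join-Path $env:TEMP 'Projects'       # stands in for the share root
$Child         = Join-Path $Parent 'Alpha'            # folder one team should reach
$TraverseGroup = 'NT AUTHORITY\Authenticated Users'   # stand-in for a broad "everyone here" group
$ChildGroup    = "$env:USERDOMAIN\$env:USERNAME"      # stand-in for the project team group

New-Item -ItemType Directory -Path $Child -Force | Out-Null

function New-AllowRule($Identity, $Rights, $InheritanceFlags) {
    # PropagationFlags 'None': normal propagation to whatever InheritanceFlags selects.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $InheritanceFlags, 'None', 'Allow')
}

function Set-ExplicitAcl($Path, $Rules) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from above and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries already present so only $Rules remain.
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($old)
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

$full = 'ContainerInherit,ObjectInherit'   # this folder, subfolders and files

# Child first: admins and SYSTEM keep full control, the team gets Modify.
Set-ExplicitAcl $Child @(
    (New-AllowRule 'BUILTIN\Administrators' 'FullControl' $full),
    (New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' $full),
    (New-AllowRule $ChildGroup              'Modify'      $full)
)

# Parent: users may list and pass through it, but the entry applies to
# "this folder only" (InheritanceFlags None), so it is not inherited below.
Set-ExplicitAcl $Parent @(
    (New-AllowRule 'BUILTIN\Administrators' 'FullControl'    $full),
    (New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'    $full),
    (New-AllowRule $TraverseGroup           'ReadAndExecute' 'None')
)

# Audit: every entry should show IsInherited = False on both folders.
foreach ($p in $Parent, $Child) {
    (Get-Acl -Path $p).Access |
        Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights,
                      IsInherited, InheritanceFlags |
        Format-Table -AutoSize
}
```

New subfolders created under the parent will inherit only the Administrators and SYSTEM entries, so each one needs its own explicit group entry before users can open it.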
-
@scottalanmiller said in Restrict access to parent folder but allow child folder access:
What we do is we don't use mapped drives / SMB shares but instead use a modern cloud based solution (Zoho WorkDrive in our case, but they are mostly the same) and there aren't child folders only top level folders (that have perms.) It forces you to keep all perms at the top folder level (like at the share level.) Far less granular, but it is a lot cleaner. I feel we are far less likely to overlook something or give permission that we don't know about. Since only folders that someone has access to become visible, it actually works decently well.
In Zoho you can actually set "permissions" on a lower level folder as well. Well, you can't do it by setting actual permissions. But you do it by sharing that lower level folder with whatever group or individual in your company that needs access to it.
This would work well in a project organization where you'd only be given access to the projects you're working on. Those folders will appear under the "Shared with Me".
-
@Pete-S said in Restrict access to parent folder but allow child folder access:
This would work well in a project organization where you'd only be given access to the projects you're working on. Those folders will appear under the "Shared with Me".
yeah, all that's definitely true - but the rub there is people access the files differently - so when people are talking to each other, they will often become confused because the locations are different.
-
@Dashrender said in Restrict access to parent folder but allow child folder access:
@Pete-S said in Restrict access to parent folder but allow child folder access:
This would work well in a project organization where you'd only be given access to the projects you're working on. Those folders will appear under the "Shared with Me".
yeah, all that's definitely true - but the rub there is people access the files differently - so when people are talking to each other, they will often become confused because the locations are different.
You're right, but you could do the same sharing for everybody so it's consistent.
But the underlying problem is that normal users can't handle a hierarchical file system and having files in different locations.
The file system is the electronic equivalent of an old school filing system.
Imagine a single company wide filing system where everybody themselves was responsible for filing things in the right place. It would result in utter chaos and there would be no order and nobody would find anything. Much like it is today on network shares, sharepoint, onedrive, email attachments, teams, etc.
The only real solution is to remove the file and folder abstraction as much as possible and not let the users be responsible for handling files, saving them, finding them etc.
Basically what @scottalanmiller said above. Avoid "files". Let applications handle the information in an organized way where the users are not going to be working with files. Only systems and sysadmins would have to think about "files".
-
@fs483 I think Scott's suggestion to keep all permissions at top level folders is probably best practice.
-
@scottalanmiller said in Restrict access to parent folder but allow child folder access:
At some point permissions and folders are just difficult and there's no way around it. What we do is we don't use mapped drives / SMB shares but instead use a modern cloud based solution (Zoho WorkDrive in our case, but they are mostly the same) and there aren't child folders only top level folders (that have perms.) It forces you to keep all perms at the top folder level (like at the share level.) Far less granular, but it is a lot cleaner. I feel we are far less likely to overlook something or give permission that we don't know about. Since only folders that someone has access to become visible, it actually works decently well.
That and we avoid "Files" as a mechanism in the company. Essentially everything is access to an application with a database behind it. Files are a "mistake" in IT terms, a fallback for a gap in application design, so the general but rarely spoken theory of good IT is to minimize files as a thing people would want. We do this very, very strictly and have only a handful of files left in the company... mostly media files or PDF archives, so this minimizes the problem making it far more manageable.
This is called object storage. There are a lot of advantages to object storage vs file storage on both user and administrative level. It's so much easier to use a
, and encourage stricter permissions since sharing is done per object. You can still share folders (a collection of objects).
https://www.ibm.com/cloud/learn/object-storage
Here's a good comparison.
https://www.ibm.com/cloud/blog/object-vs-file-vs-block-storage
-
@IRJ said in Restrict access to parent folder but allow child folder access:
@scottalanmiller said in Restrict access to parent folder but allow child folder access:
At some point permissions and folders are just difficult and there's no way around it. What we do is we don't use mapped drives / SMB shares but instead use a modern cloud based solution (Zoho WorkDrive in our case, but they are mostly the same) and there aren't child folders only top level folders (that have perms.) It forces you to keep all perms at the top folder level (like at the share level.) Far less granular, but it is a lot cleaner. I feel we are far less likely to overlook something or give permission that we don't know about. Since only folders that someone has access to become visible, it actually works decently well.
That and we avoid "Files" as a mechanism in the company. Essentially everything is access to an application with a database behind it. Files are a "mistake" in IT terms, a fallback for a gap in application design, so the general but rarely spoken theory of good IT is to minimize files as a thing people would want. We do this very, very strictly and have only a handful of files left in the company... mostly media files or PDF archives, so this minimizes the problem making it far more manageable.
This is called object storage. There are a lot of advantages to object storage vs file storage on both user and administrative level. It's so much easier to use a
, and encourage stricter permissions since sharing is done per object. You can still share folders (a collection of objects).
https://www.ibm.com/cloud/learn/object-storage
Here's a good comparison.
https://www.ibm.com/cloud/blog/object-vs-file-vs-block-storage
No, we aren't using object storage. That's a different thing. Object storage is important in its own right, but totally different from moving to applications with databases. Databases are different from object storage.
-
@IRJ I agree with Scott. He was not describing object storage. He was describing an approach when you try to keep all business data in applications, and avoid keeping business data and records in files (e.g. using Excel files to store information).
@scottalanmiller Problem with "your approach" is that you can do that with business data, but we still have the problem of where to keep business documents (e.g. scans of paper documents or original electronic documents like signed electronic invoices...).
That is where "object storage" takes its place as a better solution than keeping business documents as files in a file system.
-
@Mario-Jakovina said in Restrict access to parent folder but allow child folder access:
@scottalanmiller Problem with "your approach" is that you can do that with business data, but we still have the problem of where to keep business documents (e.g. scans of paper documents or original electronic documents like signed electronic invoices...).
That is where "object storage" takes its place as a better solution than keeping business documents as files in a file system.
Yeah, if digital is being used to store images of documents instead of data in documents, the challenge changes. In theory you can still handle those things in that way. We do this for the veterinary industry for example. If we use PDF specifically for that (and many do) we actually get a half-way solution where there is a file, but it's kept in a database and presented through an app. Which one could argue that I just described a file system. So it's a middle ground. But in that case it's not data, only a document so approaching it like image storage can make sense.
-
@scottalanmiller
Thanks for the info, Scott. Will have to look into maybe an alternative.
-
@Pete-S said in Restrict access to parent folder but allow child folder access:
Basically what @scottalanmiller said above. Avoid "files". Let applications handle the information in an organized way where the users are not going to be working with files. Only systems and sysadmins would have to think about "files".
I love the thought process here - but getting users to give up files is like pulling teeth.
Policies and Procedures - docx/PDF - could be replaced with Wiki
Phone lists - docx/PDF - could be replaced with wiki - but people demand to print it out for faster access.
reports pulled from ERP - xlsx - what? to a custom app?
new employee paperwork - docx/pdf - HR system
-
@scottalanmiller said in Restrict access to parent folder but allow child folder access:
@Mario-Jakovina said in Restrict access to parent folder but allow child folder access:
@scottalanmiller Problem with "your approach" is that you can do that with business data, but we still have the problem of where to keep business documents (e.g. scans of paper documents or original electronic documents like signed electronic invoices...).
That is where "object storage" takes its place as a better solution than keeping business documents as files in a file system.
Yeah, if digital is being used to store images of documents instead of data in documents, the challenge changes. In theory you can still handle those things in that way. We do this for the veterinary industry for example. If we use PDF specifically for that (and many do) we actually get a half-way solution where there is a file, but it's kept in a database and presented through an app. Which one could argue that I just described a file system. So it's a middle ground. But in that case it's not data, only a document so approaching it like image storage can make sense.
This is what our EMR does with faxed documents - I'm assuming many ERP and accounting systems do the same.
-
@Dashrender said in Restrict access to parent folder but allow child folder access:
@Pete-S said in Restrict access to parent folder but allow child folder access:
Basically what @scottalanmiller said above. Avoid "files". Let applications handle the information in an organized way where the users are not going to be working with files. Only systems and sysadmins would have to think about "files".
I love the thought process here - but getting users to give up files is like pulling teeth.
Policies and Procedures - docx/PDF - could be replaced with Wiki
Phone lists - docx/PDF - could be replaced with wiki - but people demand to print it out for faster access.
reports pulled from ERP - xlsx - what? to a custom app?
new employee paperwork - docx/pdf - HR system
Yeah, that is the problem. It's hard to find applications that can replace manual work. And most importantly, make it easier than it is to do it manually.
For example, phone numbers and lists should be pulled from databases, not wikis. I mean basically everybody today has their smartphones filled with contacts that they use to call someone. And they can't recall a single phone number because they never need to. They're all in a database.
But to automatically get the phone numbers people need into the phones they use (cell, voip, etc) isn't always so easy.
So you'd want a system that contains a database with all contacts in the company and has web access. It can integrate with whatever PBX you use and sync to whatever else phone you need contact info on. Also being able to set up "favorites" and use that info to automatically program shortcuts/BLFs on phones and sidecars for 1-button access. And also print lists of phone numbers if you need it on paper.
Does this system exist? I don't know. I've seen systems that can do bits and pieces of it but lack the overall vision.
But a lot of companies with more than a handful of employees need something like it.
-
@Pete-S said in Restrict access to parent folder but allow child folder access:
@Dashrender said in Restrict access to parent folder but allow child folder access:
@Pete-S said in Restrict access to parent folder but allow child folder access:
Basically what @scottalanmiller said above. Avoid "files". Let applications handle the information in an organized way where the users are not going to be working with files. Only systems and sysadmins would have to think about "files".
I love the thought process here - but getting users to give up files is like pulling teeth.
Policies and Procedures - docx/PDF - could be replaced with Wiki
Phone lists - docx/PDF - could be replaced with wiki - but people demand to print it out for faster access.
reports pulled from ERP - xlsx - what? to a custom app?
new employee paperwork - docx/pdf - HR system
Yeah, that is the problem. It's hard to find applications that can replace manual work. And most importantly, make it easier than it is to do it manually.
For example, phone numbers and lists should be pulled from databases, not wikis. I mean basically everybody today has their smartphones filled with contacts that they use to call someone. And they can't recall a single phone number because they never need to. They're all in a database.
But to automatically get the phone numbers people need into the phones they use (cell, voip, etc) isn't always so easy.
So you'd want a system that contains a database with all contacts in the company and has web access. It can integrate with whatever PBX you use and sync to whatever else phone you need contact info on. Also being able to set up "favorites" and use that info to automatically program shortcuts/BLFs on phones and sidecars for 1-button access. And also print lists of phone numbers if you need it on paper.
Does this system exist? I don't know. I've seen systems that can do bits and pieces of it but lack the overall vision.
But a lot of companies with more than a handful of employees need something like it.
the cost of adding sidecars to every phone is beyond the value. that leaves people having to go through the phonebook on the screen - and that takes about 20 clicks - no way in hell they would do that.. they will demand their paper list on the desk.
now, that said - having a process that pulls the extensions and drops them in a printable format - that might be worthwhile, as long as the maintenance when extensions change isn't that challenging.
It's not just a list of all extensions, it's broken out into areas and departments, etc.
-
@Dashrender said in Restrict access to parent folder but allow child folder access:
It's not just a list of all extensions, it's broken out into areas and departments, etc.
Yes, I imagine that would be the case for most companies.
The thing is that it would be helpful to have a system to manage it. Different companies, departments, persons or function will have different needs but a good system should be able to accommodate most of those needs with a minimal amount of work.
Integration between different systems is what is needed to avoid doing the same work in multiple places. The whole point of having things in a system instead of manually doing it, is to save time and provide organization and when possible automation.
I don't see a problem replacing files with a better system on the technical level. But actually finding a system that can get the job done without going with bespoke solutions can be tough. And bespoke software isn't cost effective in a lot of cases.
-
@Pete-S said in Restrict access to parent folder but allow child folder access:
@Dashrender said in Restrict access to parent folder but allow child folder access:
It's not just a list of all extensions, it's broken out into areas and departments, etc.
Yes, I imagine that would be the case for most companies.
The thing is that it would be helpful to have a system to manage it. Different companies, departments, persons or function will have different needs but a good system should be able to accommodate most of those needs with a minimal amount of work.
Integration between different systems is what is needed to avoid doing the same work in multiple places. The whole point of having things in a system instead of manually doing it, is to save time and provide organization and when possible automation.
I don't see a problem replacing files with a better system on the technical level. But actually finding a system that can get the job done without going with bespoke solutions can be tough. And bespoke software isn't cost effective in a lot of cases.
I think a paper copy only works until you're more than a page. We're still at a single page.
-
@Dashrender said in Restrict access to parent folder but allow child folder access:
@Pete-S said in Restrict access to parent folder but allow child folder access:
@Dashrender said in Restrict access to parent folder but allow child folder access:
It's not just a list of all extensions, it's broken out into areas and departments, etc.
Yes, I imagine that would be the case for most companies.
The thing is that it would be helpful to have a system to manage it. Different companies, departments, persons or function will have different needs but a good system should be able to accommodate most of those needs with a minimal amount of work.
Integration between different systems is what is needed to avoid doing the same work in multiple places. The whole point of having things in a system instead of manually doing it, is to save time and provide organization and when possible automation.
I don't see a problem replacing files with a better system on the technical level. But actually finding a system that can get the job done without going with bespoke solutions can be tough. And bespoke software isn't cost effective in a lot of cases.
I think a paper copy only works until you're more than a page. We're still at a single page.
I think you can keep it going for quite some time - if you wanted to.
A long time ago I worked at a company that printed their own little phone book with all the internal extensions and numbers. It had maybe 30 pages or so.