https://communities.sas.com/t5/Administration-and-Deployment/Permission-Help/m-p/341741#M7958 This is where you got yourself into trouble.<BR />"I have also changed the corporate permission which was inherited from the Corporate folder to deny RM so only users in the Accounting group can see the accounting folder"<BR />Rather than doing the above "reapply" HIDE PUBLIC and SASUSER ACT to the individual sub folders and grant back only the group that you need.<BR />Golden rule is to deny broadly (SASUSER/PUBLIC) and grant back narrow. When you deny a group other than SASUSER/PUBLIC you end up in Bob's scenario and the "deny" wins because Bob is both a member of Corporate and Accounting.<BR />Take a look at this paper you should find It useful. You broke rule #3 <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> and what you need in your scenario is #4<BR /><A href="http://support.sas.com/resources/papers/proceedings11/376-2011.pdf" target="_blank">http://support.sas.com/resources/papers/proceedings11/376-2011.pdf</A><BR /> Thu, 16 Mar 2017 19:49:19 GMT angian 2017-03-16T19:49:19Z https://communities.sas.com/t5/Administration-and-Deployment/Permission-Help/m-p/341589#M7944 <P>Hello All,</P><P>&nbsp;</P><P>I'm trying to set up a folder structure with permissions assigned and looking for some assistance.&nbsp;</P><P>&nbsp;</P><P>Here is what I have and I don't understand why the permissions are being effective the way they are.</P><P>&nbsp;</P><P>Folder structure is like so:</P><P>&nbsp;</P><P>Corporate</P><P>-Accounting</P><P>-AML</P><P>-etc</P><P>&nbsp;</P><P>I have a HIDE PUBLIC and SASUSER ACT applied &nbsp;to the corporate folder - which only has SASUSER / PUBLIC ReadMetadata set to Deny applied</P><P>&nbsp;</P><P>Next I have a Corporate Group assigned to the Corporate folder with ReadMetadata set to Grant.</P><P>&nbsp;</P><P>Then I have individual groups for Accounting, AML, etc assigned to each of the sub folders of Corporate with RM, WM, WMM, CheckInMetaData, Read as Grant. I have also changed the corporate permission which was inherited from the Corporate folder to deny RM so only users in the Accounting group can see the accounting folder.</P><P>&nbsp;</P><P>My scenario -</P><P>&nbsp;</P><P>User Bob is in the Corporate Group and AML Group. He is able to see the Corporate folder but not the AML folder.</P><P>&nbsp;</P><P>If I change the corporate group to RM on all the subfolder , User Bob is not only able to see the AML folder, but is able to see all the folders.&nbsp;</P><P>&nbsp;</P><P>Please instruct what I am doing wrong and how I can make happen what I'm trying to do.&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Andrew</P> Thu, 16 Mar 2017 14:15:41 GMT https://communities.sas.com/t5/Administration-and-Deployment/Permission-Help/m-p/341589#M7944 ardobbins 2017-03-16T14:15:41Z https://communities.sas.com/t5/Administration-and-Deployment/Permission-Help/m-p/341741#M7958 This is where you got yourself into trouble.<BR />"I have also changed the corporate permission which was inherited from the Corporate folder to deny RM so only users in the Accounting group can see the accounting folder"<BR />Rather than doing the above "reapply" HIDE PUBLIC and SASUSER ACT to the individual sub folders and grant back only the group that you need.<BR />Golden rule is to deny broadly (SASUSER/PUBLIC) and grant back narrow. When you deny a group other than SASUSER/PUBLIC you end up in Bob's scenario and the "deny" wins because Bob is both a member of Corporate and Accounting.<BR />Take a look at this paper you should find It useful. You broke rule #3 <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> and what you need in your scenario is #4<BR /><A href="http://support.sas.com/resources/papers/proceedings11/376-2011.pdf" target="_blank">http://support.sas.com/resources/papers/proceedings11/376-2011.pdf</A><BR /> Thu, 16 Mar 2017 19:49:19 GMT https://communities.sas.com/t5/Administration-and-Deployment/Permission-Help/m-p/341741#M7958 angian 2017-03-16T19:49:19Z