Solved: Re: Folder Level Permissions

ravicapg · Posted 10-31-2017 06:08 PM

I have two folder structure and two groups.

Folder X contains Apps and Executive_Apps subfolders.

Folder Y contains same like above.

Grus

1)X_Exec_viewer_group

2)Y_Exec_viewer_ group

Folder X and sub folders should be accessible by X_Exec_viewer_group only(Including Apps and Executive folders) .

Folder Y and sub folders should be accessible by Y_Exec_viewer_ group only(Including Apps and Executive folders) .

Current settings are designed based on Denial ACTs on each folder. Which doesn’t look correct.

Group Name X/Executive_Apps | Y/ Executive_Apps

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

X_Exec_viewer_group RM,R | Dined

Y_Exec_viewer_group Denied | RM,R

Means:E. g.: X_Exec_viewer_group is denied access to Exececutive_Apps subfolder in X folder based on ACTs to Y_Exec_viewer_group and vice a versa.

Now of a person is given access to X_Exec_viewer_group and Y _Exec_viewer_groups both. They will not be able to access any of those Folders ie X->Executive_Apps and Y-> Executives_Apps folders because of denial ACTs .

it is fine for individual folder access request. But when we give two groups access to single user we are getting issue means that uset not able to access two folders based on Denial ACT.

Please guide me to set correct settings.

Thanks

jklaverstijn · Posted 11-06-2017 03:55 PM

Thanks for clarifying the problem. You get denials for both folders as these take precedence over the allow's.The explanation for rule 3 mentions this conflict: "Two or more ACTs are applied to the object itself, or to any parent of the object, one granting the user or a group to which the user belongs the permission and one denying it.".

This can be fixed by applying rule 4: deny access to the folders for a higher level implicit group like SASUSERS or even PUBLIC. Than the allows should work. Do not forget to also allow for access by the administrators.

Hope this helps,

- Jan.

View solution in original post

jklaverstijn · Posted 10-31-2017 06:35 PM

I'm not going to solve this for you but I can give you one pointer: abide by the Golden Rules for Security Model Design. In your case I would specifically point out to rule 3 that denials are not the way to allow access. Apply deny rules only at a general level and than allow specific user groups (never users).

Hope this helps,

- Jan.

ronan · Posted 11-02-2017 08:14 AM

Your post is illegible :

_ could you, please, edit the message once again and add some meaningful indentation and/or typo signs into the different lines / tree "branches" ?

Frankly, I am not sure anyone will ever try to decipher your text with this kind of ultra minimal editing...

HTH
Ronan

ravicapg · Posted 11-03-2017 02:05 PM

Thanks for reply ronan. I wrongly posted the my question with rich text format so all text combined and makes not meaningful. So i modified my question with different lines and tree branches. Could you please look now.

jklaverstijn · Posted 11-06-2017 03:55 PM

Thanks for clarifying the problem. You get denials for both folders as these take precedence over the allow's.The explanation for rule 3 mentions this conflict: "Two or more ACTs are applied to the object itself, or to any parent of the object, one granting the user or a group to which the user belongs the permission and one denying it.".

This can be fixed by applying rule 4: deny access to the folders for a higher level implicit group like SASUSERS or even PUBLIC. Than the allows should work. Do not forget to also allow for access by the administrators.

Hope this helps,

- Jan.