If you are having issues with permissions on Team Folders, this article may help you to understand how permissions work in CentreStack, and may help you to diagnose some problems.
Team Folders are folders that allow the users under a Tenant to collaborate on files or documents. A Tenant is a simply an organizational unit within CentreStack that can be used to represent a Company or a Group of users.
Users in CentreStack can be created from scratch using CentreStack's web portal. Such users are referred to as Native Users. Users can also be imported from Active Directory and are referred to as AD Users (if the Active Directory is local) or Proxy AD Users (if the Active Directory resides outside of the domain). For simplification, both imported Active Directory users or Proxied AD users are referred to as AD users in the flowchart below.
CentreStack goes through several access checks before granting a user access to a Team Folder. This process varies depending on your particular server setup, type of storage, etc. The Collaborators is a simple check for access or no access. Thus, if the Collaborators tab is empty, nobody except the folder creator will be able to access the folder.
The CentreStack components themselves use the LOCAL SYSTEM (or simply SYSTEM) identity to access attached or migrated folder locations. Therefore, please make sure that the SYSTEM entity has full-permissions on any folder source.
Read, Write, List, Update, and Share permissions are defined under the Team Folder's Folder Permissions tab. Unlike the Collaborators tab, if this tab is empty, all the Collaborators will be given full-access. However, if you define at least one entity here (users, groups, or organizational units), then the permissions will become exclusive in nature. In other words, only the entities present in the Folder Permissions tab will have access to the folder.
If an entity is included indirectly on the Collaborators and Folder Permissions via a group or organizational unit, it is also possible to explicitly assign a Deny permission to the entity. To do so, simply click on the green plus sign in front of the entity name to turn it into a red minus sign.
Since the Collaborators access check happens before the Folder Permissions check, you need to ensure that the entities defined under the Folder Permissions are defined either directly or indirectly (through a group or organizational unit) as a Collaborator first.
This flowchart may help you to understand how the process works and to diagnose/troubleshoot access problems related to permissions on Team Folders. Click on the image to enlarge it in a new browser window.
There are 3 main ways of importing content into the CentreStack cloud for Team Folder collaboration. Below are the 3 main options with a description of how permissions work with each method.
- Migrate a Windows Share (aka CIFS (Common Internet File System) share)
This option allows you to create a two-way sync for the files and folders in a local folder that has been shared on the file server. NTFS permissions will be imported from the file server into CentreStack with this option. Windows Share permissions will be imported into CentreStack Collaborators, and Windows Security Permissions will be imported into CentreStack's Folder Permissions. Any users defined in the folder Share/Security permissions will also be imported into CentreStack if they are not already present and will consume a standard CentreStack user license. This option is available from a server agent's web management console, or from the Tenant Dashboard's create Team Folder wizard (Remote File Servers option).
During the process of share migration you will have the option to decide whether to maintain permissions via Direct Access, or via Two-Way Sync. Direct access, allows you to define the credentials of one user who should be used for impersonation (for accounts without NTFS permissions), and then have the option to have the rest of the users permissions checked during access time. This option will only be displayed if CentreStack is local (i.e. in the same domain) to the file server. The Two-Way Sync option allows you to automatically import the NTFS permissions from the file server to CentreStack. After the initial import, if you change the Folder Permissions in CentreStack, these permissions will be overridden the next time they are synced (either automatically by the server agent, or manually via the Team Folders dashboard).
- Attach a folder from the Server Agent, the Windows Client, or CentreStack server's Tenant Dashboard's Create Team Folder wizard.
This option allows you to create a two-way sync for the files and folders in a local folder on the file server. NTFS permissions will not be imported into CentreStack with this option. You will have to set up the permissions manually in CentreStack, or perform a manual "sync share permissions" from the Team Folders dashboard.
- Drag-and-drop files or folders directly into CentreStack's File Browser, or Cloud Drive
This option will create a copy of the files/folders on the cloud. No link will be maintained between the local source and the cloud copies. All permissions will be completely handled by CentreStack.
If you have any questions, please don't hesitate to contact firstname.lastname@example.org.