Tenant Administrators can publish their own folders as Team Folders to allow multiple users to collaborate on the same content. Once a folder has been converted into a Team Folder, you will have to manage its permissions. Depending on where the content is stored, you can manage content permissions in CentreStack only, or in CentreStack and NTFS.
Tenant Administrators can create new Team Folders from the Tenant Dashboard or the File Browser on the web portal. On the Tenant Dashboard, there is a prominent button to Create New Team Folders under the Team Folders section.
On the File Browser, you can access the publishing wizard by right-clicking on a folder and selecting the Manage Folder option. As soon as you add at one or more Collaborators to any folder, it becomes a Team Folder.
Generally, there are up to 3 access checks that are performed in succession when a user tries to access a Team Folder via the Web Portal, Desktop Client, or Mobile Client. These checks are: the Collaborators, the Folder Permissions, and optionally, the file system permissions.
The default Collaborators access-check can be thought of as a simple binary check of access vs no access.
If you would like additional complexity to manage the Collaborators permissions with separate read, write, and owner properties, you can enable the "show team folder level permissions on Team Folder publishing dialog" setting from the Group Policy->Client Control->Web Portal page.
Without taking into any other Folder Permissions or file system permissions checks, the Collaborators:
- read-only access, a Collaborator can only download the files from the Team Folder.
- read and write access, a Collaborator has full-control of the Team Folder
- owner access, a Collaborator can manage the Team Folder and modify the permissions and other folder settings.
After the user has passed the Collaborators access check, the system then looks for any entities under the Folder Permissions page of the Team Folder. If there are no entities specified, all Collaborators will be granted access.
If one or more entities are defined under the Folder Permissions page, then ONLY those entities will be allowed to access it.
For each entity that you add under the Folder Permissions, you can grant or deny list, read, write, share, and delete privileges. You can also deny an entity by clicking on its green plus-sign to convert it to a red minus-sign. Deny permissions override all other permissions.
There are times when the Tenant Administrator may want to maintain different Folder Permissions for the sub-folders within a Team Folder.
To edit the Folder Permissions for any sub-folder, manage the parent folder and then select the sub-folder from the small drop-down menu next to the current folder name on the Folder Permissions page. Alternatively, you can navigate to the sub-folder on the File Browser, right-click on the folder, select the Manage Folder option, and then open the Folder Permissions tab.
Update Child Folder Permission
When update folder permissions, there are some options to update Child Folder Permissions.
Replace with new permission: Replace child folder permission with the current folder permission
Replace if no permission defined: Replace child folder permission with the current folder permission only when the child doesn't have permission defined explicitly. If the client has permission defined, do not change it.
Keep Existing Permission: Do not change any child folder permission. The change for current folder is for the folder only. All child folder remains their original folder permission before the change.
Tenant Administrators may want to hide content from the users who don't have access to them. The settings to accomplish this are located under the Tenant Dashboard->Group Policy->Folder and Storage page:
- "Don't show folder that user doesn't have read permission": Effectively hides sub-folders from users without at least read permission to the sub-folders.
- "Don't show Team Folder that the user doesn't have read permission to the underlying folder": Effectively hides Team Folders from users without at least read permission to the Team Folders.
FILE SYSTEM PERMISSIONS
Tenant Administrators can migrate local file shares (aka CIFS Shares) to CentreStack. If the CentreStack server is on the same domain as the file server, the migration process does not need the Server Agent component.
When migrating shares directly, the data will be kept in its original location on the file server (aka attached) and will not be replicated on the CentreStack back-end storage. When a user accesses a Team Folder, the system performs the Collaborators and Folder Permissions checks described above, and then checks the NTFS permissions on the original folder directly in the file system. CentreStack itself uses the local system account in order to access the underlying content, so full-permissions must be given to at least the SYSTEM entity on any attached folders, as well as back-end storage.
A setting called "always access the storage using logon user identity" is available from the Team Folder's Storage. If enabled, this setting allows CentreStack to impersonate imported Active Directory users so that a real-time NTFS permissions-check can happen when such users access a Team Folder from the File Browser or native device (Windows Client, Mac Client, Mobile Client).
CentreStack optimizes performance at the end-points by caching some of the NTFS permissions in its memory. Therefore, changes in NTFS permissions may not seem to apply immediately to CentreStack. If you change NTFS permissions and want the changes to be applied immediately, please recycle the "namespace" Application Pool in IIS Manager (Internet Information Services) on the CentreStack server.