Tenant admin can publish its own folder as team folder, to allow users in the tenant to access it. The folder can be a pure cloud folder, or a local folder synced to cloud via server agent, or a cloud storage attached to CentreStack.
If the CentreStack server can access local file server shares directly, admin can migrate the share in CentreStack with local file system permissions.
When a folder is published by admin, admin can define Team Folder permissions/subfolder permissions.
1. Team Folder Permission
To publish a folder as team folder, as admin, right click the folder and select 'Manage folder (team folder, permissions, ...)'.
Here, Admin can decide which users can access the Team Folder, under Collaborators tab.
By default, the user has both read/write permission on the team folder.
If admin has enabled 'Show team folder level permissions in team folder publishing dialog' in Web Portal, Group Policy, on Collaborators, admin can define a user to have read permission only, or read/write permission
Read/Write permission in Collaborators:
Read Only: Can only download the files in the team folder. Cannot modify/delete
Read/Write: Have full control on the team folder
Owner: As the owner of the team folder, the user can manage the team folder's permission/subfolder permissions
2. Subfolder Permission
However, some times admin may want to restrict access to the Team Folder and some sub folders. For example, a user can have full access to the Team Folder, but don't want him to modify anything in a subfolder. Or the admin wants to fine tune the access for some folders and only allow one user to have List/Read/Write and don't allow him to delete anything.
Here, admin can define subfolder permission. To access subfolder permission inside of a Team Folder, click on the 'Folder Permission' tab, or just right click the subfolder in My Files and select 'Edit folder Permission'.
In sub folder permission, admin can assign List, Read, Write, Delete and Share permission to the user.
Once defined the permissions, when the user logs in web portal or clients, it will have access to the folder under the team folder, with the permission defined.
Notice: After one user is added in the subfolder permission, only the users explicitly defined in the subfolder permission list can access the subfolder. If another user can access team folder, but not defined in the subfolder permission list, he can't access the sub folder anymore.
Admin can hide folders that user doesn't have read permission. The settings are in the Management Console / Group Policy / Folder and Storage:
- Don't show folder that user doesn't have read permission: When it is checked, under a team folder, if the user doesn't have read permission to a sub folder, the subfolder won't show when the user visits the team folder.
- Don't show Team Folder that the user doesn't have read permission to the underlying folder: If a user doesn't have read permission to the root of a team folder, the team folder won't show when login as the user.
3. File System Permission
Admin can migrate local file share to CentreStack, if the CentreStack server can access the share directly. The migration doesn't need server agent.
When migrate the share directly, the data will not be synced to cloud. When user accesses the folder, CentreStack will access the share and return the file to the user.
During the migration, admin can check 'Always access the storage using logon user identity' flag. Once check, when AD users access the team folder, it will follow the user's own file system permission in the share. Here, the Folder Permission is not defined in CentreStack. It is enforced by the local file system.
When a share is migrated directly this way, Centrestack may cache some permissions, to improve performance. If there is a permission change on the local file system, it may not reflect in Centrestack immediately. In that case, on the Centrestack server, re-cycle the namespace application pool in IIS Manager will help.