There are many ways to set up and manage your folder permissions in CentreStack. But, while there isn't necessarily a right or wrong way of managing the Collaborators and Folder Permissions, the method that you choose will greatly affect the amount of folder management and maintenance for your organization.
With Windows permissions, network administrators usually like to leave shares open and then tighten the security with granular NTFS permissions on the Security tab. Using this as an analogy, here is how you can manage the permissions in CentreStack:
1-Use the Collaborators page as you would use the Microsoft Windows Sharing permissions window.
The Collaborators tab from the Team Folder management page can be compared to the Share permissions window in Microsoft Windows. Therefore, the recommendation is to simply grant read-write control to "everyone," "all AD users," or any custom group that involves a predefined set of users.
2-Use the Folder Permissions page as you would use the Microsoft Windows Security window.
The Folder Permissions page from the Team Folder management page can be compared to the Security tab from the Microsoft Windows folder properties page. The simplest set up possible is to not have any Folder Permissions at all so that all entities defined by the Collaborators will simply have full-control to the folder. However, if you need granular control with separate permissions for list, read, write, delete, share, and deny, then you can do this from the Folder Permissions page.
Once one or more entities have been added to the Folder Permissions, ONLY those entities will be granted access. For example, if the Collaborators page contains the "All AD Users" (All Active Directory Users) built-in group, but the Folder Permissions contains a single AD user, then only the specified AD user will be allowed into the folder. If you specify any non-AD users here, they will be denied access at the Collaborators level.
3-Use Groups whenever possible.
You can create your own groups in CentreStack, or import groups from Active Directory. Groups can be used to organize the users into departments. Once you have your groups assigned to either the Collaborators and/or Folder Permissions of your Team Folders, then you could simply add or remove users to the groups in order to grant or deny access to many folders at once without physically having to edit the permissions for each folder and sub-folder.
4-Convert deeply nested sub-folders within team folders to root team folders from the Tenant Dashboard.
When you convert a sub-folder to a Team Folder, it becomes a root level folder for the users who can access it. This facilitates folder management and is also easier to navigate for the end-user whether they are using the web portal or a native device, such as the Windows Client.
5-Use Deny Folder Permissions in conjunction with Groups.
When you click on the green plus-sign next to an entity on the Folder Permissions page, you turn the grant permission into a deny. Deny always overrides grant. This allows you to have some interesting setups, such as adding a group with a green plus sign (grant), and then adding one of the users from the group with a red minus sign (deny). In other words, grant access to everyone from the group, except one of the users.
If you deny an entity, the checkboxes become deny attributes. For example: a negative sign in front of Bob Doe with all attributes unchecked is equivalent to the rule not being there at all (i.e. Bob Doe won't be any denied rights). Furthermore, a negative sign in front of Bob Doe with only Write and Delete checked off means that Bob will be denied only Write and Delete rights, but will still be able to List, Read and Share.