In Centrestack, an admin can attach a share on the local area network when Centrestack can access the share directly.
The share can be configured with the setting 'Always access the storage using the logged in user's identity'.
When the setting is enabled and an AD user logs in to Centrestack and accesses the team folder, Centrestack impersonates the AD user to access the share. Thus the local share's NTFS permissions apply.
Since the permissions are maintained on the file share directly, they are not imported into Centrestack. The team folder's Folder Permission tab is empty.
However, in some scenarios Centrestack cannot impersonate the AD user, for example when the AD user logs in via Single Sign On. With Single Sign On, the AD user authenticates directly against the SSO's IdP, outside of Centrestack. Centrestack cannot obtain the AD user's token to impersonate the user, so accessing the team folder results in errors.
A workaround is to use the server agent to sync the share's NTFS permissions to Centrestack. This way, when the user accesses the Team Folder, the permissions held in Centrestack apply even though Centrestack cannot impersonate the user.
To do so, on the server where the file share is hosted, log in to the web portal as the tenant admin, then download and install the server agent. Log in to the server agent as the tenant admin.
In the web portal, as the tenant admin, edit the team folder and go to the Settings tab. Under Permissions, enable 'Synchronize folder permission automatically' and select the server agent from the drop-down list. Save the change. Restart the Cloud Server Agent Cloud Access Service to pick up the new setting.
Check the Team Folder's Folder Permissions. The local NTFS permissions should now be synced to the cloud.
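
To have something to compare the Folder Permissions tab against, the following PowerShell script lists the NTFS entries on the share's folders when run on the file server. It is an added example, not part of Centrestack's documentation, and the path D:\Shares\TeamFolder and the depth of 2 are placeholder assumptions.

```powershell
# Added example: list NTFS ACEs under a share root for comparison with the
# team folder's Folder Permissions tab. Run on the file server, elevated.
param(
    # Placeholder path (assumption); use the local path of the attached share.
    [string]$ShareRoot = 'D:\Shares\TeamFolder',
    # Number of folder levels below the root to include (assumption).
    [int]$Depth = 2
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $ShareRoot -PathType Container)) {
    throw "Share root not found: $ShareRoot"
}

$root    = Get-Item -LiteralPath $ShareRoot
$folders = @($root)
if ($Depth -gt 0) {
    # -Depth 0 returns immediate children only, hence the minus one.
    $folders += Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse `
                    -Depth ($Depth - 1) -ErrorAction SilentlyContinue
}

$report = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    foreach ($ace in $acl.Access) {
        # The root is reported in full; below it only explicit entries are
        # shown, since inherited ones repeat what the parent already grants.
        if ($folder.FullName -ne $root.FullName -and $ace.IsInherited) { continue }

        [pscustomobject]@{
            Folder             = $folder.FullName
            Identity           = $ace.IdentityReference.Value
            Type               = $ace.AccessControlType      # Allow or Deny
            Rights             = $ace.FileSystemRights
            Inherited          = $ace.IsInherited
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

# Deny entries and folders with inheritance blocked deserve the closest
# comparison against what appears in the portal after the sync.
$report | Sort-Object Folder, Identity | Format-Table -AutoSize -Wrap
```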