How Does Permission Work Within Team Folders?

Tenant Administrators can publish their own folders as Team Folders to allow multiple users to collaborate on the same content. Once a folder has been converted into a Team Folder, you will have to manage its permissions. Depending on where the content is stored, you can manage content permissions in CentreStack only, or in CentreStack and NTFS.

TEAM FOLDERS

Tenant Administrators can create new Team Folders from the Tenant Dashboard or the File Browser on the web portal. On the Tenant Dashboard, there is a prominent button to Create New Team Folders under the Team Folders section.

On the File Browser, you can access the publishing wizard by right-clicking on a folder and selecting the Manage Folder option. As soon as you add at one or more Collaborators to any folder, it becomes a Team Folder.

Generally, there are up to 3 access checks that are performed in succession when a user tries to access a Team Folder via the Web Portal, Desktop Client, or Mobile Client. These checks are: the Collaborators, the Folder Permissions, and optionally, the file system permissions.

COLLABORATORS

The default Collaborators access-check can be thought of as a simple binary check of access vs no access.

If you would like additional complexity to manage the Collaborators permissions with separate read, write, and owner properties, you can enable the "show team folder level permissions on Team Folder publishing dialog" setting from the Settings ->Clients & Applications->Web Portal page.

Without taking into any other Folder Permissions or file system permissions checks, the Collaborators:

• read-only access, a Collaborator can only download the files from the Team Folder.
• read and write access, a Collaborator has full-control of the Team Folder
• owner access, a Collaborator can manage the Team Folder and modify the permissions and other folder settings.

FOLDER PERMISSIONS

After the user has passed the Collaborators access check, the system then looks for any entities under the Folder Permissions page of the Team Folder. If there are no entities specified, all Collaborators will be granted access.

If one or more entities are defined under the Folder Permissions page, then ONLY those entities will be allowed to access it.

For each entity that you add under the Folder Permissions, you can grant or deny list, read, write, share, and delete privileges. You can also deny an entity by clicking on its green plus-sign to convert it to a red minus-sign. Deny permissions override all other permissions.

Sub-folder Permissions

There are times when the Tenant Administrator may want to maintain different Folder Permissions for the sub-folders within a Team Folder.

To edit the Folder Permissions for any sub-folder, manage the parent folder and then select the sub-folder from the small drop-down menu next to the current folder name on the Folder Permissions page. Alternatively, you can navigate to the sub-folder on the File Browser, right-click on the folder, select the Manage Folder option, and then open the Folder Permissions tab.

Update Child Folder Permission

When update folder permissions, there are some options to define how the permission is inherited in child folder.

• Inherited from parent: The permission is not defined on the current folder. It is inherited from parent folder. To updating the permission on current folder, have to go to parent folder, or grand parent folder, where the permission is defined, to change it there. Or change the inheritance of the permission on the parent folder, to allow subfolder to stop inheriting from parent.
• Subfolders without permission: All subfolders will inherit the permission, when there is no explicit permission defined.
• This folder only: The permission only applies to the current folder. It will not apply to any subfolders.
• This folder and subfolders: The permission applies to the current folder, and all subfolders.
• Subfolders: All subfolders will inherit the permission, no matter whether any permission is defined on the subfolder.

Folder Visibility

Tenant Administrators may want to hide content from the users who don't have access to them. The settings to accomplish this are located under the Settings->Folder & Storage ->Folder and Storage page:

• "Don't show folder that user doesn't have read permission": Effectively hides sub-folders from users without at least read permission to the sub-folders.
• "Don't show Team Folder that the user doesn't have read permission to the underlying folder": Effectively hides Team Folders from users without at least read permission to the Team Folders.

FILE SYSTEM PERMISSIONS

Tenant Administrators can migrate local file shares (aka CIFS Shares) to CentreStack. If the CentreStack server can access the file share directly, can migrate the file share without Server Agent.

When migrating shares directly, the data will be kept in its original location on the file server (aka attached) and will not be replicated on the CentreStack back-end storage. When a user accesses a Team Folder, the system performs the Collaborators and Folder Permissions checks described above, and then checks the NTFS permissions on the original folder directly in the file system. CentreStack itself uses a local account to access the underlying content. It is preferred to give full-permissions for the local account used in the team folder configuration.

To attach a share directly as team folder, when creating a new team folder, select 'File Servers in Local Area Network'. It lists servers in LAN. Can drill down the server to select the share. 
Admin can also select Manual Configuration, to setup the Team Folder via UNC path directly.

The team folder setup wizard prompts a User Name/Password to access the share. Here, User Name is the local windows id (not Centrestack user). And there is a setting called "always access the storage using logon user identity". If enabled, this setting allows CentreStack to impersonate imported Active Directory users so that a real-time NTFS permissions-check can happen when such users access a Team Folder from the File Browser or native device (Windows Client, Mac Client, Mobile Client).

After the team folder is created, editing it from Team Folders. The Storage tab shows the UNC path. Click Edit on Storage Setting will show the detailed User Name/Settings configured.

CentreStack optimizes performance at the end-points by caching some of the NTFS permissions in its memory. Therefore, changes in NTFS permissions may not seem to apply immediately to CentreStack. If you change NTFS permissions and want the changes to be applied immediately, please recycle the "namespace" Application Pool in IIS Manager (Internet Information Services) on the CentreStack server.