Question by chealey
Access Based Enumeration (ABE) and down folder permissions

Scenario:


You have Windows 2003 with SP1 for server01.  It has share1 with Access
Based Enumeration enabled.  You have setup four departments with a
folder per department on the share and members of each department can
see their department's folder and work within that folder.


\\Server01\Share1


        \Human Resources
                Access granted to: Theresa and Deb
        \Information Technology
                Access granted to: Jeff and Andy
        \Marketing
                Access granted to: Mark
        \Sales
                Access granted to: Kim and Carolyn


Problem:


The Sales department is working on a new project that will require
Marketing's assistance.  The Sales department has a folder in their
folder named "Projects".


\\Server01\Share1\Sales\Projects


They would like to create a folder named "2006 Campaign" and grant
Mark in Marketing access to use that folder.


\\Server01\Share1\Sales\Projects\2006 Campaign


Ideally you would like it so once they add the permissions the Sales
folder appears to Mark.  Then Mark would be able to open the Sales
folder and only see the Projects folder.  Inside that he would only see
the "2006 Campaign" folder.  Can and how would this be achieved?


I have discovered a partial solution.  If at the top level (either
share or each folder under the share) you add the "Everybody" or
"Domain Users" group and grant the "List Folder Contents"
option and then force that down it almost works.  The users are then
able to see the files that they were granted access to.  The problem is
they see all folders and the tree structure.  In the scenario above
they would see every folder in every directory, whether they have
access to a file in that folder or not.  I would like to "hide"
anything they have not been granted access to.  So until Kim granted
Mark access to the "2006 Campaign" folder he would not have even
seen the Sales folder.  Additionally, once she removed his access, the
Sales folder would disappear.


With Access Based Enumeration I would imagine this would be possible
SOLUTION by TheCleaner (solution text is members-only and not included on this page)

ASKER CERTIFIED SOLUTION (solution text is members-only and not included on this page)
chealey (asker):
Let me try to clear things up a bit . . . The problem is that we are just trying to do one share - one entry point for all possible folders that are below that point that a user would be assigned access. We do not want to manage many shares or root mappings as there would be nearly an infinite amount of combinations.

In NetWare let's say that there was a Departmental Share folder on Vol1 - this is where we would map root the S: drive to. In that folder we would have our departments listed as folders and have like-named groups assigned to have access to those folders. Now a member of the Sales group opens their S: drive and only sees the Sales folder. Should that person later be given access to a file in Marketing - let's say it is a few levels down - vol1\Departmental Share\marketing\2006\april\new widget\bigshow.ppt. Now when he opens the S: drive he will now see the Marketing folder but not HR or any other folders, inside of that he will see the 2006 folder but not 2005 or other files and folders, and inside of that he will see only April and so on.

That same scenario above now with Microsoft and Access Based Enumeration the user would see all the departmental folders and when he opens the Marketing folder he will see the entire folder structure of Marketing but no files nor will he have access to the folders i.e. 2005, 2004, clients, etc. When he opens S:\marketing\2006\ he will see January, February, and March and if he was to try to open those he would be denied access. Any files that would be there are still hidden but then when he opens April's folder he will see all folders there such as small widget, big widget, old widget, etc. NetWare would only show you what you need to see to get to the objects that you have access to with nothing needed done access-wise to parent folders - a reverse inheritance if you will.

To get here we had to add List Folder Contents to the Everyone object (actually we left that and removed the Read & Read and Execute permissions) - otherwise the default would also show files but would deny access. If we remove the Everyone object then the user would not see anything unless they were explicitly given access to the department folder even though they were assigned full access to a folder below (say the new widget folder in the NetWare example) - there does not seem to be that 'reverse inheritance' logic with Access Based Enumeration - or am I thinking too NetWare-like still?

We are quite large and expect that there are going to be MANY files and folders but would like to limit the scope of what is seen to the people outside the department. It is good that it is secure but to some it would be overwhelmingly confusing to see that many objects.
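The thread's partial solution gives Everyone "List Folder Contents" on the whole tree, which is why every folder becomes visible. The script below is an added example, not code from the thread or from Microsoft, showing how an administrator can emulate the NetWare-style "reverse inheritance" by hand: for one target folder it walks up the ancestor chain to the share root and gives the named principal a listing ACE scoped to "This folder only" on each ancestor. Because the ACE does not inherit, ABE shows that user the path down to the folder and nothing beside it. The local path D:\Share1 behind \\Server01\Share1, the domain name CONTOSO and the account Mark are assumptions for illustration.

```powershell
# Added example (not from the original thread): emulate "reverse inheritance"
# on NTFS by granting one principal a non-inheriting listing ACE on every
# ancestor of a target folder, up to the share root. With Access Based
# Enumeration enabled on the share the user then sees only the chain of
# folders leading to the target. Paths and account names are assumptions.

param(
    [string]$ShareRoot  = 'D:\Share1',                              # assumed local path behind \\Server01\Share1
    [string]$TargetPath = 'D:\Share1\Sales\Projects\2006 Campaign', # folder the user is being granted
    [string]$Principal  = 'CONTOSO\Mark',                           # assumed domain account (or a group)
    [switch]$Remove                                                 # undo the ancestor ACEs when access is revoked
)

# Minimum rights needed to see and enter a folder: list names and attributes,
# traverse it and read its ACL. No read access to file data and no write rights.
$ListRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadPermissions, Traverse, Synchronize'

function Get-AncestorFolders {
    # Returns the ancestors of $Leaf from its immediate parent up to and including $Root.
    param([string]$Root, [string]$Leaf)
    $root = [System.IO.Path]::GetFullPath($Root).TrimEnd('\')
    $dir  = [System.IO.Path]::GetFullPath($Leaf).TrimEnd('\')
    if (-not $dir.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "'$Leaf' is not below the share root '$Root'"
    }
    $chain = New-Object System.Collections.Generic.List[string]
    $dir = Split-Path -Parent $dir
    while ($true) {
        $chain.Add($dir)
        if ($dir -ieq $root) { break }   # stop once the share root itself has been added
        $dir = Split-Path -Parent $dir
    }
    return ,$chain.ToArray()
}

function Set-AncestorListingAce {
    # Adds (or removes) the listing ACE for $Principal on a single ancestor folder.
    param([string]$Folder, [string]$Principal, [switch]$Remove)
    # InheritanceFlags None + PropagationFlags None = "This folder only". The ACE must not
    # flow into child folders, otherwise ABE would reveal every sibling under the ancestor.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, $ListRights, 'None', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Folder
    if ($Remove) { $acl.RemoveAccessRuleSpecific($rule) } else { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

foreach ($folder in Get-AncestorFolders -Root $ShareRoot -Leaf $TargetPath) {
    $action = if ($Remove) { 'Removing' } else { 'Granting' }
    Write-Host "$action folder-listing ACE for $Principal on $folder"
    Set-AncestorListingAce -Folder $folder -Principal $Principal -Remove:$Remove
}
```

Run it on the file server as an account that can change the ACLs, after granting the user the real rights (Modify, for instance) on the target folder itself in the usual way, and after removing the broad Everyone "List Folder Contents" entry the thread describes, since any inherited listing right on a parent defeats the hiding. Run it again with -Remove when the grant is withdrawn, so the ancestor folders disappear from the user's view as they would have in NetWare. Granting to a group rather than an individual user keeps the number of ancestor ACEs manageable on a large tree.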

Agreed, complex folder structures can be a PITA.

Access-based enumeration is (unfortunately) strictly about showing what you have access to - it still doesn't solve the reverse inheritance issue.

Guess that won't be until NTFS version 6 or whatever Microsoft's cooking up.
It took them... uh... 8 years since NTFS4 to build something like ABE. Novell's had this feature since the dawn of mankind.
Novell's had this feature because of a distributed directory across the servers.  It was too "hardware intensive" to get it to work in Windows land before because of the fact that Windows uses centralized domain controllers.
Thanks for the points!