Solved

Good Old Permissions issue.

Posted on 2006-06-23
22
168 Views
Last Modified: 2010-04-13
I have an HR folder that I want only HR and Administration Employee's to be able to access and all the Directors to be able to WRITE and READ there own documents.

Inside this HR Folder there is something called E-Documents "Word forums that you can ALT + S (Signs them) and ALT + E will save them to the folder Automatically.  

This is what Directors use for Post_Pos. Authorization, Status Changes on employees, New Employee request ect...

The Directors HAVE TO be able to see the status of the document, such as who has signed and how far it has made it up the heircy.

-----------------------------------------------------------
What I did was went
#1 added the Directors group with list folder contents and write permissions.
#2 Added HR Group with Modify permissions
#3 Added the Creator Owner group as modify permissions.
#4 Added Administration with Modify permissions
Sounds like it works right?
-------------------------------------------------------------

Well on some of the documents when they are signed by say the CFO, CNO or a VP they take ownership of the file.  
That means the director and no longer look at the file.

Could someone explain this please?
I know if I create a file and ask you to add a line to the bottom that says EE is a great place.  You then are not the owner unless you (Take Ownership) which is a option in the permissions menu.   So why is this happening?

Thank you so much for your time!
Klint T.
A+, Network+, Security+, MCSA / MCSE: 2003
0
Comment
Question by:Klint_turney
  • 11
  • 10
22 Comments
 
LVL 1

Expert Comment

by:CSTN
ID: 16973170
When they sign the documents (and thus save) does they become new files? If so, most likely removing the Creator Owner group entirely will clear this up.
0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16983572
How would deleting the Creator owner group give the people that create the file permissions?  I do not think they do become new files I will have to test it today.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16992059
Why not modify the ntfs permissions and remove everyone (this means all groups listed) and then start adding the groups explicitely that you wish to have access to.
Example would be:

administrators:->full control
hr:->read
administration:->read
directors:->read, write

And any sub folders under the main folder just inherit from parent.

0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16992119
Yes but then Directors can still edit and read others documents.  They can't be allowed to do that.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16992415
So you are saying the directors should not be able to read their staff members documents that they create for HR?

Well hmm.  I would probably structure my folders a little different then.

EX:
HR
- Staff
- Directors

Set the ntfs permissions with those groups accordingly.  That's just a simple and easy solution.  I could be wrong but I don't think you can achieve what you are wanting to do with a single folder.  Have you looked at the advanced permissions in the ntfs tab yet?

0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16992677
No, alright,
The staff should not be able to access teh folder at all..
The directors can ONLY read the documents they create.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16992736
I thought you wanted the hr and administration to be able to read though?  Can you provide a folde structure hiearchy so we can get a better feel of what groups you want access and not?

regards,

kshays
0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16992784
Just 1 folder "HR"  
Administration should have full access to ALL folders
HR should have full access to all folders
and Directors should only be able to access tehre files.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993235
Ok, here is what i've done.  Here are the ntfs permissions.

folder
- administrator:->full control
- authenticated users:->list folder contents, write
- creator owner:->full control

I tested this scenerio out by using the admin account on the server and using an account that was a basic user from another machine to access the folder.  The basic user was able to create files but could not read the other files that were created by the admin account.

Let us know if that works.

0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16993517
please read my questin in full I have already done that.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993670
You have stated in the first post that the directors have to be able to see the status of the document, but then later you state that they cannot view or edit these documents.  How are they going to see the status of the files if they are not suppose to be able to access the files?  Which one is it?

From what I gave you above which is pretty much what you did to begin with I see no reason why it shouldn't work.  I still don't see why you want the directors to not be able to view the files inside the HR Folder though.  Maybe you should think about restructuring your folders?

Folder Hiearchy:

Directors (directors)
HR ( hr, administration)
HR Status( hr, administration, directors)

In HR Status this is where I guess the directors would check the status on the files.

I'm just trying to get a clear understanding of what you really want here

0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 2

Author Comment

by:Klint_turney
ID: 16993708
trying to figure out why when someone edits a file it automaticly takes ownership of the file.
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993782
Ok, I only had that problem on a linux fileserver that I didn't have the privileges to see what was going on.  Have you tried to go into the advanced properties and edit each group and uncheck the "take ownership" box yet?

0
 
LVL 16

Accepted Solution

by:
kshays earned 500 total points
ID: 16993842
I've tried again quite a few times and I am unable to reproduce someone else taking ownership of the file by just editing/saving the file.  Quite puzzling to say the least.

0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16993957
No let me try that, very good idea!
0
 
LVL 16

Expert Comment

by:kshays
ID: 16993977
Ok, man, hopefully that does work :)
0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16994025
I do not see a "take Ownership" in the Security > Advanced
0
 
LVL 16

Expert Comment

by:kshays
ID: 16994036
click on the name of the group and click on "view/edit" then scroll down, should be the last option.
0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16994128
thank you sir
0
 
LVL 16

Expert Comment

by:kshays
ID: 16994147
Anytime, it took a little bit longer to get it resolved than normal, but we did it though :)

Have a good day :)

kshays
0
 
LVL 2

Author Comment

by:Klint_turney
ID: 16995122
thank you sir I am glad you thought of that :)
0
 
LVL 16

Expert Comment

by:kshays
ID: 16995158
No problem :)  and thanks for the points...

kshays
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now