Solved

ACL Issue: Can I create a folder that allows users to create but not edit their own work?

Posted on 2009-07-10
Last Modified: 2013-12-04
I require a permission set on a folder for "compliance" such that users have the following permissions:

- Users can list and traverse all folders/files in a share
- Users can read/view all files in that share
- Users can contribute (create new documents/folders) to the share
- Users CANNOT edit any document anyone has created, NOT EVEN THEIR OWN (Read Only)
- Users cannot delete any file or folder

The gist is that once a document is created or moved to this share it cannot be deleted, appended to, moved or edited. If a user would like to add to or edit a document they would have to save it as a new version or at least with a different name (read only).

The permissions have to be inheritable from the root of the share down through any new file or folder.

After playing with a few iterations it seems that the present structure of Windows ACL precludes this, as the ACL permission Create folders / Append data is necessary to create new data but then allows a user to edit it as well. And I do not know a way to ensure that all new data added to the share becomes read only, even to the owner/creator.

Anyone have a solution to the twisted tangle of ACL permissions?

This is the closest I have come:
- Users can add files
- Users can see a list of files
- Users can edit their own files (MY PROBLEM)
- Users can read anyone's files or documents
- Users cannot edit anyone's file

With the ACL permissions:
- Traverse folder / Execute file
- List folder / Read data
- Read attributes
- Read extended attributes
- Create files / Write data
- Create folders / Append data
- Write attributes
- Write extended attributes
- Read permissions

But can I prevent them from editing their own files without saving them as something new (read only)?

Seems there must be a way. As I said, this is for compliance (FDA).
Thanks,
-MP
Question by:mojopojo
 
LVL 20

Expert Comment

by:EndureKona
ID: 24822703
This works for me:

Allow (Apply to: This folder, subfolders, and files)
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create files/ write data
  • Write attributes
  • Read permissions
Deny (Apply to: This folder, subfolders, and files)
  • Create folders / append data
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Change permissions
  • Take Ownership
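The Allow/Deny set in the comment above, applied from PowerShell rather than the Security tab, as an added example that is not part of the original thread. It assumes the share root is D:\Compliance and that contributors are members of CONTOSO\ComplianceUsers (both names are placeholders); run it elevated on the file server.

```powershell
# Added example (not from the thread): apply the Allow/Deny set above with the
# .NET FileSystemAccessRule API. Assumptions: share root D:\Compliance,
# contributors in CONTOSO\ComplianceUsers; run from an elevated PowerShell.
param(
    [string]$Path  = 'D:\Compliance',
    [string]$Group = 'CONTOSO\ComplianceUsers'
)

$R = [System.Security.AccessControl.FileSystemRights]

# GUI "Apply to: This folder, subfolders, and files" = ContainerInherit + ObjectInherit
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Allow list from the comment. ListDirectory/ReadData and CreateFiles/WriteData are
# the same access bit on folders and files, so an inherited "Create files" ACE is
# also "Write data" on every file below the folder.
$allowRights = $R::ListDirectory -bor $R::ReadAttributes -bor $R::ReadExtendedAttributes -bor
               $R::CreateFiles   -bor $R::WriteAttributes -bor $R::ReadPermissions

# Deny list from the comment. Explicit Deny ACEs are evaluated before Allow ACEs,
# so these win over an inherited Modify grant from the parent as well.
$denyRights  = $R::CreateDirectories -bor $R::WriteExtendedAttributes -bor
               $R::DeleteSubdirectoriesAndFiles -bor $R::Delete -bor
               $R::ChangePermissions -bor $R::TakeOwnership

$allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $Group, $allowRights, $inherit, $prop, 'Allow'
$deny  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $Group, $denyRights, $inherit, $prop, 'Deny'

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $Path -AclObject $acl

# Equivalent with icacls ((OI)(CI) = subfolders and files):
#   icacls D:\Compliance /grant "CONTOSO\ComplianceUsers:(OI)(CI)(RD,RA,REA,WD,WA,RC)"
#   icacls D:\Compliance /deny  "CONTOSO\ComplianceUsers:(OI)(CI)(AD,WEA,DC,D,WDAC,WO)"

# Check what ended up on the folder for the group.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

Why the deny on "Create folders / Append data" and "Write extended attributes" bites harder than it looks: a file handle opened with GENERIC_WRITE asks for FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA and FILE_WRITE_ATTRIBUTES together, so denying any of those rights makes the open fail for any editor that asks for generic write access, and the denied Delete right blocks the save-to-temp-then-replace pattern. A program that explicitly requests only FILE_WRITE_DATA is not stopped by this set, which is why the thread treats it as "nearly" rather than fully what the question asks for; verify the behaviour with the applications actually used on the share before relying on it.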
 
LVL 6

Expert Comment

by:marce_lito
ID: 24824336
As far as I know, there is no way to do that using only NTFS permissions.  I could be wrong, however.  Despite this, I may have two solutions for your problem:

a) Use shadow copies, where you can have read-only versions of files whenever you need them.  It's a really great feature, a life saver indeed.  The disadvantage with this approach is that it will take snapshots of your files periodically, and not real-time as you would probably want.

b) Use a folder watch program and chown the new files to a different user, so nobody can edit them.  You could write a small CLI program to watch the folders, or you can use a commercial program to trigger a chown on the new files.
 
LVL 3

Author Comment

by:mojopojo
ID: 24824548
Yea, I need this "real-time" so solution #1 is out.

EndureKona's solution is nearly viable but users cannot create repository folders to distinguish who added the files, what they are, what client or project they belong to and the like.

I am looking into 3rd party app that would run chown on the root share every time something was added but it feels sloppy. I was hoping I could find a way to do this with NTFS/ACL perms but I think I am up against it.

Anyone want to re-write all of the NTFS ACL protocols?

I'll post if I find a viable solution. Thanks everyone so far. And of course, I welcome additional input.

-MP
 
LVL 3

Author Comment

by:mojopojo
ID: 24849183
marce_lito - "b) Use a folder watch program and chown the new files to a different user, so nobody can edit them"

Have you used an example of this with any success? A lot of what's out there appears tenuous and I am reticent to install it on a production server. I'm building a VMware 2k3 box this week. Will be using it for testing some other things too. But still would appreciate any useful info on packages people have worked with.
 
LVL 6

Expert Comment

by:marce_lito
ID: 24849628
Actually, I haven't used a commercial program.  I once wrote one in VB (fairly simple), and I called it using the Task Scheduler.  It was not exactly real-time, but it was good enough for me, as I called the program every minute.  I guess you could achieve the same results using VBscript or some other scripting languages.

You could also download cygwin and then use the 'watch' program and a bash script. It's a simple but effective solution, but I don't know if you would like to use cygwin on a production environment.

I've managed to find this project in Sourceforge:
http://sourceforge.net/projects/dirjack/
Haven't tried it, but I tend to trust projects in Sourceforge much more than commercial apps that look kinda funky....
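The "folder watch program that chowns the new files" idea from this and the earlier comment, written as a PowerShell watcher rather than the VB program the commenter describes. This is an added example, not code from the thread or from any project it links to. It assumes the share root is D:\Compliance, a contributor group CONTOSO\ComplianceUsers (placeholder names), and that the script runs as an administrator (for instance as a scheduled task under SYSTEM), which is what lets it change the owner and rewrite the DACL.

```powershell
# Added example (not the commenter's program): watch the share and, for every
# new file, move ownership away from its creator and replace the DACL with a
# read-only one. New folders only get the owner swap so contributors can still
# add to them. Assumptions: D:\Compliance, CONTOSO\ComplianceUsers, runs as admin.
param(
    [string]$Path  = 'D:\Compliance',
    [string]$Group = 'CONTOSO\ComplianceUsers'
)

$R = [System.Security.AccessControl.FileSystemRights]

function Wait-FileQuiet {
    # Created fires as soon as the name exists, usually before the writer is done.
    # Wait (up to $Seconds) until the file can be opened with no sharing allowed.
    param([string]$File, [int]$Seconds = 30)
    for ($i = 0; $i -lt $Seconds; $i++) {
        try {
            $fs = [System.IO.File]::Open($File, [System.IO.FileMode]::Open,
                                          [System.IO.FileAccess]::Read,
                                          [System.IO.FileShare]::None)
            $fs.Close()
            return $true
        } catch { Start-Sleep -Seconds 1 }
    }
    return $false
}

function Lock-ComplianceItem {
    param([string]$ItemPath)
    $isDir = Test-Path -LiteralPath $ItemPath -PathType Container
    if (-not $isDir -and -not (Wait-FileQuiet -File $ItemPath)) {
        Write-Warning "Still in use after timeout, left unchanged: $ItemPath"
        return
    }
    $acl = Get-Acl -LiteralPath $ItemPath

    # The owner swap is the essential step: an owner holds implicit READ_CONTROL
    # and WRITE_DAC on the object and could otherwise re-grant write (or, on a
    # folder, "Delete subfolders and files") to himself regardless of the ACL.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')

    if (-not $isDir) {
        # Drop the inherited ACEs and keep an explicit read-only DACL for files.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        foreach ($pair in @(@($Group, $R::ReadAndExecute),
                            @('BUILTIN\Administrators', $R::FullControl),
                            @('NT AUTHORITY\SYSTEM',    $R::FullControl))) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $pair[0], $pair[1], 'Allow')))
        }
    }
    Set-Acl -LiteralPath $ItemPath -AclObject $acl
    Write-Host "Locked: $ItemPath"
}

$watcher = New-Object System.IO.FileSystemWatcher -Property @{
    Path = $Path; IncludeSubdirectories = $true; Filter = '*'
}
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'Compliance.Created' | Out-Null
# Office and many editors save to a temporary name and rename it into place,
# so a Renamed event is treated as a new file too.
Register-ObjectEvent -InputObject $watcher -EventName Renamed -SourceIdentifier 'Compliance.Renamed' | Out-Null
$watcher.EnableRaisingEvents = $true

try {
    while ($true) {
        $ev = Wait-Event                       # blocks until Created or Renamed fires
        Remove-Event -EventIdentifier $ev.EventIdentifier
        $full = $ev.SourceEventArgs.FullPath
        if (Test-Path -LiteralPath $full) { Lock-ComplianceItem -ItemPath $full }
    }
} finally {
    Unregister-Event -SourceIdentifier 'Compliance.Created'
    Unregister-Event -SourceIdentifier 'Compliance.Renamed'
    $watcher.Dispose()
}
```

There is an unavoidable window between the moment a file appears and the moment the owner swap lands, and a watcher that is stopped misses everything written meanwhile; the periodic "chown the whole folder" sweep mentioned later in the thread is the natural catch-up for both gaps, even if it is too heavy to be the only mechanism. Test against the actual editors in use, since their save patterns (temp file plus rename, in-place truncate) decide which events you see.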
 
LVL 6

Expert Comment

by:marce_lito
ID: 24849636
Also, if you feel like programming, take a look at this thread:
http://www.tek-tips.com/viewthread.cfm?qid=953777&page=1
 
LVL 6

Accepted Solution

by:marce_lito (earned 500 total points)
ID: 24852403
Take a look at this:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/Q_20068852.html?sfQueryTermInfo=1+folder+watch

In particular, look at the link of the accepted solution.  It really seems like it would do what you want to do, but it needs some programming effort.  Alas, I'm not a programmer at all and cannot help you with that.

What I do know, almost for sure, however, is that achieving your original objective using only NTFS permissions is not possible.  I've experimented every way possible, but no luck.

A simpler, but heavier solution could be running a script that chowns the entire folder periodically, but it would impose a heavier burden on the server than just chowning the new files, especially if there are many files.
 
LVL 3

Author Closing Comment

by:mojopojo
ID: 31602037
Thanks for the help and following this thread. I'm shopping now for an out-of-the-box solution and talking to a programmer to possibly contract him to write what I need. Beyond ACL/NTFS is beyond my scope.

Thanks again,
-MP
