ACL Issue: Can I create a folder that allows users to create but not edit their own work?

I require a permissions set on a folder for "compliance" that users have the following permissions:

- Users can list and traverse all folders/files in a share
- Users can read/view all files in that share
- Users can contribute (create new documents/folders) to the share
- Users CANNOT edit any document anyone has created, NOT EVEN THEIR OWN (Read Only)
- Users cannot delete any file or folder

The gist is that once a document is created or moved to this share it cannot be deleted, appended to, moved or edited. If a user would like to add to or edit a document they would have to save it as a new version or at least with a different name (read only).

The permissions have to be inheritable from the root of the share down through any new file or folder.

After playing with a few iterations it seems that the present structure of Windows ACL precludes this, as the ACL permission Create folders / Append data is necessary to create new data but then allows a user to edit it as well. And I do not know a way to ensure that all new data added to the share becomes read only, even to the owner/creator.

Anyone have a solution to the twisted tangle of ACL permissions?

This is the closest I have come:
- Users can add files
- Users can see a list of files
- Users can edit their own files (MY PROBLEM)
- Users can read anyone's files or documents
- Users cannot edit anyone's file

With the ACL permissions:
- Traverse folder / Execute file
- List folder / Read data
- Read attributes
- Read extended attributes
- Create files / Write data
- Create folders / Append data
- Write attributes
- Write extended attributes
- Read permissions

But can I prevent them from editing their own files without saving them as something new (read only)?

Seems there must be a way. As I said, this is for compliance (FDA).
Thanks,
-MP
mojopojo asked:

Rick Fee (Messaging Engineer - Disaster Recovery Engineer) commented:
This works for me:

Allow           Apply to: This folder, subfolders, and files
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create files / write data
  • Write attributes
  • Read permissions
Deny     Apply to: This folder, subfolders, and files
  • Create folders / append data
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Change permissions
  • Take Ownership
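The Allow/Deny set above, applied to a share root with inheritance set to "This folder, subfolders, and files". This is an added example, not code from the thread; the share path and group name are assumptions, and the FileSystemRights names are the .NET equivalents of the ACL editor labels used in the answer.

```powershell
# Added example: apply Rick Fee's Allow/Deny set to a share root.
# Assumed values: replace with the real share path and contributor group.
$Path  = 'D:\Shares\Compliance'    # assumed share root
$Group = 'DOMAIN\ComplianceUsers'  # assumed group that contributes files

# "This folder, subfolders, and files"
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# FileSystemRights names mapped to the ACL editor labels in the answer:
#   ReadData   = List folder / read data      WriteData  = Create files / write data
#   AppendData = Create folders / append data
$allowRights = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, WriteData, WriteAttributes, ReadPermissions'
$denyRights  = [System.Security.AccessControl.FileSystemRights]'AppendData, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'

$allow = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, $allowRights, $inherit, $propagate, 'Allow')
$deny  = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, $denyRights,  $inherit, $propagate, 'Deny')

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $Path -AclObject $acl

# Check: list the ACEs now present for the group (Deny entries are evaluated first).
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

Test the result with a user from the group: create a file, then try to overwrite it, append to it, delete it and create a subfolder, and compare what succeeds against the list in the question.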
marce_lito commented:
As far as I know, there is no way to do that using only NTFS permissions.  I could be wrong, however.  Despite this, I may have two solutions for your problem:

a) Use shadow copies, where you can have read-only versions of files whenever you need them.  It's a really great feature, a life saver indeed.  The disadvantage with this approach is that it will take snapshots of your files periodically, and not real-time as you would probably want.

b) Use a folder watch program and chown the new files to a different user, so nobody can edit them.  You could write a small CLI program to watch the folders, or you can use a commercial program to trigger a chown on the new files.
mojopojo (Author) commented:
Yea, I need this "real-time" so solution #1 is out.

EndureKona's solution is nearly viable but users cannot create repository folders to distinguish who added the files, what they are, what client or project they belong to and the like.

I am looking into 3rd party app that would run chown on the root share every time something was added but it feels sloppy. I was hoping I could find a way to do this with NTFS/ACL perms but I think I am up against it.

Anyone want to re-write all of the NTFS ACL protocols?

I'll post if I find a viable solution. Thanks everyone so far. And of course, I welcome additional input.

-MP

mojopojo (Author) commented:
marce_lito - "b) Use a folder watch program and chown the new files to a different user, so nobody can edit them"

Have you used an example of this with any success? A lot of what's out there appears tenuous and I am reticent to install it on a production server. I'm building a VMware 2k3 box this week. Will be using it for testing some other things too. But I would still appreciate any useful info on packages people have worked with.
marce_lito commented:
Actually, I haven't used a commercial program.  I once wrote one in VB (fairly simple), and I called it using the Task Scheduler.  It was not exactly real-time, but it was good enough for me, as I called the program every minute.  I guess you could achieve the same results using VBscript or some other scripting languages.

You could also download cygwin and then use the 'watch' program and a bash script. It's a simple but effective solution, but I don't know if you would like to use cygwin in a production environment.

I've managed to find this project in Sourceforge:
http://sourceforge.net/projects/dirjack/
Haven't tried it, but I tend to trust projects in Sourceforge much more than commercial apps that look kinda funky....
marce_lito commented:
Also, if you feel like programming, take a look at this thread:
http://www.tek-tips.com/viewthread.cfm?qid=953777&page=1
marce_lito commented:
Take a look at this:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/Q_20068852.html?sfQueryTermInfo=1+folder+watch

In particular, look at the link of the accepted solution.  It really seems like it would do what you want to do, but it needs some programming effort.  Alas, I'm not a programmer at all and cannot help you with that.

What I do know, almost for sure, however, is that achieving your original objective using only NTFS permissions is not possible.  I've experimented every way possible, but with no luck.

A simpler, but heavier solution could be running a script that chowns the entire folder periodically, but it would impose a heavier burden on the server than just chowning the new files, especially if there are many files.
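A folder watcher in the spirit of marce_lito's option (b), which re-owns each new file so its creator can no longer edit it. This is an added example, not code from the thread or from any package linked in it. Assumptions: the share path, contributor group and service account names; the script runs elevated (setting another account as owner needs SeRestorePrivilege) and is kept running, for instance as a scheduled task.

```powershell
# Added example: watch the share, and when a file appears, make the service
# account its owner and replace its ACL with a read-only grant for the group.
# Assumed values: replace with the real share path, group and service account.
$Path  = 'D:\Shares\Compliance'      # assumed share root
$Group = 'DOMAIN\ComplianceUsers'    # assumed contributor group
$Owner = 'DOMAIN\svc-compliance'     # assumed account that will own new files

function Lock-NewFile {
    param([string]$FullPath)
    $read  = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'ReadAndExecute', 'Allow')
    $admin = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')
    # Retry briefly: the creating application may still hold the file open.
    for ($i = 0; $i -lt 10; $i++) {
        try {
            $acl = Get-Acl -LiteralPath $FullPath
            $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
            $acl.SetAccessRuleProtection($true, $false)   # drop the share's inherited Write ACEs
            $acl.SetAccessRule($read)                      # group: read only
            $acl.SetAccessRule($admin)                     # admins keep full control for maintenance
            Set-Acl -LiteralPath $FullPath -AclObject $acl
            return $true
        } catch { Start-Sleep -Milliseconds 500 }
    }
    Write-Warning "Could not lock $FullPath"
    return $false
}

$watcher = New-Object System.IO.FileSystemWatcher $Path
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents   = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'ComplianceCreated' | Out-Null

# Handle events in the script's own scope rather than an -Action block, so the
# function and variables above are visible.
while ($true) {
    $e = Wait-Event -SourceIdentifier 'ComplianceCreated'
    $p = $e.SourceEventArgs.FullPath
    if (-not (Test-Path -LiteralPath $p -PathType Container)) { Lock-NewFile -FullPath $p | Out-Null }
    Remove-Event -EventIdentifier $e.EventIdentifier
}
```

Files created while the watcher is not running are missed, so a periodic sweep of files still owned by group members (as the comment above suggests, at a higher cost) is the natural complement.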
mojopojo (Author) commented:
Thanks for the help and for following this thread. I'm shopping now for an out-of-the-box solution and talking to a programmer to possibly contract him to write what I need. Beyond ACL/NTFS is beyond my scope.

Thanks again,
-MP