ACL Issue: Can I create a folder that allows users to create but not edit their own work?

Posted on 2009-07-10
Last Modified: 2013-12-04
I require a permissions set on a folder for "compliance" that users have the following permissions:

- Users can list and traverse all folders/files in a share
- Users can read/view all files in that share
- Users can contribute (create new documents/folders) to the share
- Users CANNOT edit any document anyone has created, NOT EVEN THEIR OWN (Read Only)
- Users cannot delete any file or folder

The gist is that once a document is created or moved to this share it cannot be deleted, appended to, moved or edited. If a user would like to add to or edit a document they would have to save it as a new version or at least with a different name (read only).

The permissions have to be inheritable from the root of the share down through any new file or folder.

After playing with a few iterations it seems that the present structure of Windows ACL precludes this, as the ACL permission Create folders / Append data is necessary to create new data but then allows a user to edit it as well. And I do not know a way to ensure that all new data added to the share becomes read only, even to the owner/creator.

Anyone have a solution to the twisted tangle of ACL permissions?

This is the closest I have come:
- Users can add files
- Users can see a list of files
- Users can edit their own files (MY PROBLEM)
- Users can read anyone's files or documents
- Users cannot edit anyone's file

With the ACL permissions:
- Traverse folder / Execute file
- List folder / Read data
- Read attributes
- Read extended attributes
- Create files / Write data
- Create folders / Append data
- Write attributes
- Write extended attributes
- Read permissions

But can I prevent them from editing their own files without saving them as something new (read only)?

Seems there must be a way. As I said, this is for compliance (FDA).
Thanks,
-MP
Question by:mojopojo
Expert Comment

by:Rick Fee
ID: 24822703
This works for me:

Allow           Apply to: This folder, subfolders, and files
  • List folder / read data
  • Read attributes
  • Read extended attributes
  • Create files/ write data
  • Write attributes
  • Read permissions
Deny     Apply to: This folder, subfolders, and files
  • Create folders / append data
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Change permissions
  • Take Ownership
Expert Comment

by:marce_lito
ID: 24824336
As far as I know, there is no way to do that using only NTFS permissions.  I could be wrong, however.  Despite this, I may have two solutions for your problem:

a) Use shadow copies, where you can have read-only versions of files whenever you need them.  It's a really great feature, a life saver indeed.  The disadvantage with this approach is that it will take snapshots of your files periodically, and not real-time as you would probably want.

b) Use a folder watch program and chown the new files to a different user, so nobody can edit them.  You could write a small CLI program to watch the folders, or you can use a commercial program to trigger a chown on the new files.
Author Comment

by:mojopojo
ID: 24824548
Yea, I need this "real-time" so solution #1 is out.

EndureKona's solution is nearly viable but users cannot create repository folders to distinguish who added the files, what they are, what client or project they belong to and the like.

I am looking into 3rd party app that would run chown on the root share every time something was added but it feels sloppy. I was hoping I could find a way to do this with NTFS/ACL perms but I think I am up against it.

Anyone want to re-write all of the NTFS ACL protocols?

I'll post if I find a viable solution. Thanks everyone so far. And of course, I welcome additional input.

-MP
Author Comment

by:mojopojo
ID: 24849183
marce_lito - "b) Use a folder watch program and chown the new files to a different user, so nobody can edit them"

Have you used an example of this with any success? A lot of what's out there appears tenuous and I am reticent to install it on a production server. I'm building a VM-ware 2k3 box this week. Will be using it for testing some other things too. But still would appreciate any useful info on packages people have worked with.
Expert Comment

by:marce_lito
ID: 24849628
Actually, I haven't used a commercial program.  I once wrote one in VB (fairly simple), and I called it using the Task Scheduler.  It was not exactly real-time, but it was good enough for me, as I called the program every minute.  I guess you could achieve the same results using VBscript or some other scripting languages.

You could also download cygwin and then use the 'watch' program and a bash script. It's a simple but effective solution, but I don't know if you would like to use cygwin in a production environment.

I've managed to find this project in Sourceforge:
http://sourceforge.net/projects/dirjack/
Haven't tried it, but I tend to trust projects in Sourceforge much more than commercial apps that look kinda funky....
Expert Comment

by:marce_lito
ID: 24849636
Also, if you feel like programming, take a look at this thread:
http://www.tek-tips.com/viewthread.cfm?qid=953777&page=1
Accepted Solution

by:marce_lito (earned 2000 total points)
ID: 24852403
Take a look at this:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/Q_20068852.html?sfQueryTermInfo=1+folder+watch

In particular, look at the link of the accepted solution.  It really seems like it would do what you want to do, but it needs some programming effort.  Alas, I'm not a programmer at all and cannot help you with that.

What I do know, almost for sure, however, is that achieving your original objective using only NTFS permissions is not possible.  I've experimented every way possible, but no luck.

A simpler, but heavier solution could be running a script that chowns the entire folder periodically, but it would impose a heavier burden on the server than just chowning the new files, especially if there are many files.
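The folder-watch approach from b) and the accepted solution, written here as an added PowerShell example rather than the VB project linked above (not code from the thread or from any linked project). It assumes a hypothetical share D:\Compliance, a group DOMAIN\ComplianceUsers, a custodian account DOMAIN\svc-compliance that runs the script and holds Full Control on the share, and a log file path; all of these are placeholders.

```powershell
# Added example, not from the thread: a folder watcher that makes every newly created
# file in the share a read-only record, even for its creator, by re-owning the file
# and replacing its ACL. Hypothetical names: share D:\Compliance, group
# DOMAIN\ComplianceUsers, custodian DOMAIN\svc-compliance. Run it as the custodian,
# which holds Full Control on the share (so it may assign ownership to itself).
$global:Cfg = @{ Root = 'D:\Compliance'; Users = 'DOMAIN\ComplianceUsers'
                 Custodian = 'DOMAIN\svc-compliance'; Log = 'D:\Compliance-lock.log' }

function global:New-Rule([string]$Who, [string]$Rights, [string]$Inherit, [string]$Type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Who, $Rights, $Inherit, 'None', $Type)
}

function global:Lock-ComplianceItem([string]$Path) {
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $inh   = if ($isDir) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $acl   = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting Create files / Write data
    # The NTFS owner can always rewrite the DACL, so the creator must not remain owner.
    $acl.SetOwner([System.Security.Principal.NTAccount]$global:Cfg.Custodian)
    $acl.AddAccessRule((New-Rule $global:Cfg.Custodian 'FullControl' $inh 'Allow'))
    if ($isDir) {
        # New folder: users may list it and add to it; what they add gets locked in turn.
        $acl.AddAccessRule((New-Rule $global:Cfg.Users 'ReadAndExecute,CreateFiles,CreateDirectories' $inh 'Allow'))
        $acl.AddAccessRule((New-Rule $global:Cfg.Users 'Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership' $inh 'Deny'))
    } else {
        # New file: read-only; the explicit Deny outranks any Allow from another group.
        $acl.AddAccessRule((New-Rule $global:Cfg.Users 'ReadAndExecute' $inh 'Allow'))
        $acl.AddAccessRule((New-Rule $global:Cfg.Users 'Write,Delete,ChangePermissions,TakeOwnership' $inh 'Deny'))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    "$(Get-Date -Format o) locked $Path" | Add-Content -LiteralPath $global:Cfg.Log
}

$watcher = New-Object System.IO.FileSystemWatcher $global:Cfg.Root
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents   = $true
# Office-style saves write a temp file and rename it into place, so watch Renamed too.
foreach ($name in 'Created', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "Lock$name" -Action {
        $p = $Event.SourceEventArgs.FullPath
        try   { Lock-ComplianceItem $p }
        catch { "$(Get-Date -Format o) FAILED $p : $_" | Add-Content -LiteralPath $global:Cfg.Log }
    } | Out-Null
}
Write-Host "Watching $($global:Cfg.Root); Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 5 }
```

A handle that was already open for writing when the lock lands keeps working until it is closed, and the folder-level Deny on Delete is what protects files in that window, so test the watcher against the applications that will actually save into the share.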
Author Closing Comment

by:mojopojo
ID: 31602037
Thanks for the help and following this thread. I'm shopping now for an out-of-the-box solution and talking to a programmer to possibly contract him to write what I need. Beyond ACL/NTFS is beyond my scope.

Thanks again,
-MP