ACL Issue: Can I create a folder that allows users to create but not edit their own work?
Posted on 2009-07-10
I require a permission set on a folder for "compliance" such that users have the following permissions:
- Users can list and traverse all folders/files in a share
- Users can read/view all files in that share
- Users can contribute (create new documents/folders) to the share
- Users CANNOT edit any document anyone has created, NOT EVEN THEIR OWN (Read Only)
- Users cannot delete any file or folder
The gist is that once a document is created or moved to this share it cannot be deleted, appended to, moved or edited. If a user would like to add to or edit a document they would have to save it as a new version or at least with a different name (read only).
The permissions have to be inheritable from the root of the share down through any new file or folder.
After playing with a few iterations it seems that the present structure of Windows ACL precludes this, as the ACL permission Create folders / Append data is necessary to create new data but then allows a user to edit it as well. And I do not know a way to ensure that all new data added to the share becomes read only, even to the owner/creator.
Anyone have a solution to the twisted tangle of ACL permissions?
This is the closest I have come:
" Users can add files
" Users can see a list of files
" Users can edit their own files (MY PROBLEM)
" Users can read anyone's files or documents
" Users cannot edit anyone's file
With the ACL permissions:
" Traverse folder / Execute file
" List folder / Read data
" Read attributes
" Read extended attributes
" Create files / Write data
" Create folders / Append data
" Write attributes
" Write extended attributes
" Read permissions
But can I prevent them from editing their own files without saving them as something new (read only)?
Seems there must be a way. As I said, this is for compliance (FDA).
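The permission set listed in the post, applied from the share root with inheritance and then read back so the granted bits can be checked, as an added example (not from the original post; the share path and group name are assumptions):

```powershell
# Added example: apply exactly the advanced rights listed in the post to a share
# root, inheriting to every new file and subfolder, then read the ACE back.
# $Path and $Group are assumed values, not from the original post.
using namespace System.Security.AccessControl

$Path  = 'D:\Shares\Compliance'    # assumed share root
$Group = 'DOMAIN\ComplianceUsers'  # assumed security group

# The nine rights from the post. Synchronize is added because NTFS requires it
# to open a handle at all; the GUI adds it silently. Delete, DeleteSubdirectoriesAndFiles,
# ChangePermissions and TakeOwnership are deliberately absent.
$rightNames = @(
    'Traverse', 'ListDirectory', 'ReadAttributes', 'ReadExtendedAttributes',
    'CreateFiles', 'CreateDirectories', 'WriteAttributes', 'WriteExtendedAttributes',
    'ReadPermissions', 'Synchronize'
)
$rights = [FileSystemRights]($rightNames -join ',')

# ContainerInherit + ObjectInherit = "This folder, subfolders and files".
$rule = [FileSystemAccessRule]::new(
    $Group, $rights,
    ([InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit),
    [PropagationFlags]::None,
    [AccessControlType]::Allow)

# Add the ACE without breaking parent inheritance, so SYSTEM/Administrators
# entries coming from above are preserved.
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the explicit Allow ACEs for the group back and report the bits that matter
# for the question: whether any destructive right slipped in, and whether
# WriteData (the right that also permits editing an existing file) is present.
function Get-ComplianceAceReport {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
    } | ForEach-Object {
        [pscustomobject]@{
            Rights          = $_.FileSystemRights
            Inheritance     = $_.InheritanceFlags
            GrantsDelete    = $_.FileSystemRights.HasFlag([FileSystemRights]::Delete)
            GrantsDeleteSub = $_.FileSystemRights.HasFlag([FileSystemRights]::DeleteSubdirectoriesAndFiles)
            GrantsChangeAcl = $_.FileSystemRights.HasFlag([FileSystemRights]::ChangePermissions)
            GrantsWriteData = $_.FileSystemRights.HasFlag([FileSystemRights]::CreateFiles)
        }
    }
}

Get-ComplianceAceReport -Path $Path -Group $Group | Format-List
```

GrantsWriteData will report True for this set, which is the effect the post describes: the same bit that lets a user create a file also lets the creator write to it afterwards.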