ccptechs
asked on
FTP Granular Permissions for subfolders
I have an SBS server with Windows FTP and User Isolation configured. When our client has a new client that needs access, we typically create a new user in AD, then use ADSIEDIT to modify the MSIISFTPROOT and MSIISFTPDIR properties to specify a home folder. They have many users and clients now with this solution and it's been working great so far.
Now they have a new client that wants to create subfolders in their home directory, and they want these subfolders to have granular permissions so that only certain individuals can access the subfolders. Something like this:
User A, B, C, D, and E
Home Folder
Sub Folder 1, 2, 3, and 4
Home Folder has User ABCDE access
Sub 1 has User ACE access
Sub 2 has User ABC access
Sub 3 has User BDE access
Sub 4 has User ACDE access
Can this be done? How would I accomplish assigning granular permissions to this? I understand that I would need to give this particular client multiple user access accounts instead of a single account.
Thanks in advance!
ASKER
Okay, so create the 5 or however many accounts required, and create the home folder. Assign the home folder using ADSIEDIT.
Then use standard NTFS security groups and permissions for the sub folders? And that works over FTP? I presume I'll need to un-check the inheritable permissions tab, or is that not necessary? Seems like if I grant READ access to the top level, users would inherit that and be able to read the sub-directories as well?
Of course NTFS permissions work for FTP. FTP uses the file system and must conform to the granted file system access list.
Yes, no need to allow inheritable permissions. The directory tree under the Home Folder will have at least READ for all users of the whole client group, then the sub-folders will have different access lists based on the client's requirements.
Dan
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
User A, B, C, D, and E
Home Folder
Sub Folder 1, 2, 3, and 4
create Sub-Folder-1 group, grant User ACE membership
create Sub-Folder-2 group, grant User ABC membership
create Sub-Folder-3 group, grant User BDE membership
create Sub-Folder-4 group, grant User ACDE membership
Home Folder has User ABCDE access
Sub 1: group Sub-Folder-1 has access
Sub 2: group Sub-Folder-2 has access
Sub 3: group Sub-Folder-3 has access
Sub 4: group Sub-Folder-4 has access
You could also create a group for the Home Folder using the same concept. This way if the client adds additional accounts, just grant the user membership in the Home Folder group and the required sub folder groups.
Dan
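The group-per-subfolder layout from the answer above, scripted as an added example (not part of the original thread) that also shows how the home-folder grant is kept from flowing into the subfolders. The domain name CONTOSO, the path D:\FTP\ClientX, the accounts userA..userE, the group name ClientX-Home and the Modify right on subfolders are assumptions; it expects the ActiveDirectory PowerShell module and an elevated session.

```powershell
# Added example. Assumed names (not from the thread): domain CONTOSO, home folder
# D:\FTP\ClientX, accounts userA..userE, group ClientX-Home.
Import-Module ActiveDirectory

$domain    = 'CONTOSO'
$root      = 'D:\FTP\ClientX'     # the folder MSIISFTPROOT/MSIISFTPDIR resolve to
$homeGroup = 'ClientX-Home'
$subRights = '(OI)(CI)M'          # assumed: Modify; use (OI)(CI)RX for read-only

# Subfolder -> group -> members, as laid out in the answer above.
$layout = @{
    'Sub1' = @{ Group = 'Sub-Folder-1'; Members = 'userA','userC','userE' }
    'Sub2' = @{ Group = 'Sub-Folder-2'; Members = 'userA','userB','userC' }
    'Sub3' = @{ Group = 'Sub-Folder-3'; Members = 'userB','userD','userE' }
    'Sub4' = @{ Group = 'Sub-Folder-4'; Members = 'userA','userC','userD','userE' }
}

# Home folder group holds all five accounts.
New-ADGroup -Name $homeGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $homeGroup -Members 'userA','userB','userC','userD','userE'

# Home folder: add the explicit ACEs first, then drop everything inherited.
# Administrators/SYSTEM are inheritable; the home group gets Read/Execute on
# THIS FOLDER ONLY (no OI/CI flags), so that grant does not reach the subfolders.
New-Item -ItemType Directory -Path $root -Force | Out-Null
icacls $root /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $root /grant:r "${domain}\${homeGroup}:(RX)"
icacls $root /inheritance:r

foreach ($name in $layout.Keys) {
    $entry = $layout[$name]
    $path  = Join-Path $root $name

    New-ADGroup -Name $entry.Group -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $entry.Group -Members $entry.Members

    # The subfolder inherits only Administrators/SYSTEM from the home folder;
    # its single explicit grant is the subfolder's own group.
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant:r "${domain}\$($entry.Group):$subRights"
    icacls $path    # print the resulting ACL for review
}
```

With this layout every user in the home group can list the subfolder names, but only members of a subfolder's group can open it; the final `icacls` output for each path should show no ACE for ClientX-Home on any subfolder.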