Permissions
Files.com makes it simple to control user access permissions for folders within your site. Access permissions can be dictated on the user or group level.
Permissions can also be layered together between Group and User settings to provide additional customization to suit individual user's needs.
No matter which method you choose to assign folder access permissions, your changes will automatically apply to impacted users upon saving the permission. This is especially useful when adding a new folder permissions for all users within an existing group.
Permission Options
Site administrators can assign users or groups the following permissions:
| Key | Description | Also Includes/Implies |
|---|---|---|
| Admin | Able to manage settings for the folder. | Share, Full, Write, Read, List, History |
| Full | Able to read, write, move, delete, and rename files and folders. Also grants the ability to overwrite files upon upload. | Write, Read, List |
| Read/Write | Able to list, preview, and download files and folders, and upload files and create folders. | none |
| Read | Able to list, preview, and download files and folders. | List |
| Write | Able to upload files, create folders and list subfolders the user has write permission to. | none |
| List | Able to list files and folders, but not download. | none |
| Share | Able to share files and folders via a share link. | Read, List |
| History | Able to view the history of files and folders and to create email notifications for themselves. | List |
Assigning Permissions
Site administrators will use an identical workflow to create a permission for both groups and users.
To begin, navigate to the appropriate settings page, either Group, User, or Folder.
Use the Add folder permission button to start creating the folder access permission.
Choose the folder you would like to grant permissions for. Sub-folders can be accessed by clicking on the folder icons with a + symbol on them. Folder permissions must be created one folder at a time. You cannot check multiple folders.
In the Add Permission drop down field, select the appropriate access permission.
Finally, select if you would like this permission to apply to all sub-folders from this folder, or only for the folder selected. If you would like to only apply to the selected folder and not the recursive sub-folders, then check the This folder only (not sub-folders) checkbox. With this setting enabled, you are still able to add additional folder permissions for sub-folders by creating a new permission and selecting the sub-folder desired. A full description of permissions levels and the access they grant can be found in the Terms and Symbols section.
Once added, all permissions will be displayed in the table. You may see an asterisk on a permission bubble in the table. This indicates that access to the specified folder has been granted only to the target folder, but not to any of its sub-folders.
To prevent assignment of permissions to non-admin users at the root folder level of your site, enable the Restrict root folder permissions setting. To find this setting, type "Restrict root folder permissions" in the search box at the top of every page and click on the matching result. Once this setting is enabled, it will prevent assigning non-administrators any permissions to the root folder of your site.
Files.com also allows to grant groups and users permission to view the event history for a given folder and the files contained within. This is an additional setting to be combined with another access level permission. To enable this setting, add a new (additional) permission and select the history option in the Add permission dropdown box.
Modifying Permissions
Site administrators are able to revise group folder permissions using a similar workflow. There is no way to edit a specific permission, so you can simply delete the folder permission row and add the updated permission setting. This saves time, increases accuracy, and is duplicatable by all administrators on the account.
While in the Folder permissions setting table, choose the row containing the folder path and click the Revoke button and then click the Yes, delete button to confirm deletion. This will permanently remove the folder permission setting.
Additional permissions can be assigned using the appropriate settings page, either Group, User, or Folder.
Additional permissions can be added by selecting Add new permission and selecting the appropriate access permission, and indicating whether the permissions apply to all sub-folders from this folder, or only for the folder selected.
Group Level Permissions
Most administrators prefer to start by setting folder permissions on the group level. When a user is added to a group, either during new user creation or by editing the user profile, they will automatically inherit all folder permissions assigned to the group.
Examples of access control configurations might involve granting all company users the ability to list and preview files in the Company Documents folder, providing non-administrator members of the IT team full access to all IT department folders along with view history permissions for all other files on the server, and restricting access to the HR folder exclusively to members of the Human Resources department, who can then have Read/Write privileges for the files within.
To view the and modify the permissions for a particular group, type "Groups" in the search box, and click on the matching result. Once on the Groups page, click the group name to open the group profile.
Next, begin adding or modifying permissions as described above. Permissions at the group level should be broad and relevant to that sub-section of users.
User Level Permissions
Often, site administrators will need to grant additional permissions to folders on an individual user basis. This can include folders not-covered in the group definition or even override a folder permission set on the group level.
To view the and modify the permissions for a particular user, type "Users" in the search box at the top of every page and click on the matching result.
Next, begin adding or modifying permissions as described above.
Only folder permissions granted to the individual user are listed in this table. Group permissions are not displayed in the user's profile.
Moving a Folder with Granted Permissions
When a folder is moved on Files.com to a different location, all of its folder permissions, folder settings, as well as notifications will also move. This includes permissions assigned to users and groups.
For Remote Mounts, folder moves initiated from the remote server will not be reflected in Files.com.
Deleting a Folder With Granted Permissions
Deleting a folder that users or groups have been granted permissions to will remove those privileges from all associated users and groups. Adding a new folder of the same name or restoring the folder will not restore those permissions; they must be granted to each of the associated users and/or groups again.
If the deleted folder was a user's FTP root folder, the folder will be automatically created when the user next logs in, but they will not have any assigned rights for the folder.
Online Editors and File Previews
For editing documents in the Files.com editor and Microsoft Office for web, users must have Full permissions on the folder containing the file. Without Full permissions, users can open but not edit the document.
To preview files in the Files.com web interface, users need Read permissions as the file contents are transferred to the browser for rendering. Without Read permissions, users cannot view inline previews, such as thumbnails or grid listings for images, PDFs, and documents.
Modifying permissions such as revoking existing permissions doesn’t immediately affect files already open in online editors like the Files.com Editor and Microsoft Office for Web, or during file previews at the time permissions are revoked. Permissions are revoked when the session expires or the browser tab is closed by the user.
Manage Permissions Within a Folder
Administrators can view, modify, and add both group and user permissions for a specific folder within the folder's settings.
To begin, navigate to the desired folder from the Files panel and then select Permissions.
Click in the Permissions area to view the current group and user access for this specific folder. Here, you can add and modify permissions as described above. Remember that any permission bubbles containing an asterisk * indicate that the user/group has permissions for this folder only and not the recursive sub-folders.
Requiring That Groups be Used for All Permission Assignment
To ensure consistency in how your site is applying permissions, a site administrator can require all Permissions to be assigned only to Groups, and not to individual users.
With this feature enabled, you can ensure that a group permission framework is followed, and no one - whether accidentally or purposely - grants users individual permissions.
To enable this feature, type "Manage all permissions via groups" in the search box at the top of the page and click the matching result. Scroll down to change the Manage all permissions via groups toggle.
Enabling this setting will not remove permissions previously granted to individual users.
Permission Fence
A permission fence allows you to "fence off" a folder, and its subfolders, from inheriting permissions from its parent folders. It allows you to set up new permissions, including new inheritable permissions, within the fenced folder. This gives you greater flexibility for your access permissions and can help when trying to match access permissions from your previous storage solutions.
Permission fences can be created and managed by site administrators and folder administrators.
Permission fences do not apply to, or affect, site administrators. Folder administrators are not affected by permission fences in the folders that they administer.
Permission fences do not apply to notification options such as Email Notifications, SNS Notifications, and Webhooks. These types of notifications can include details of actions that occur within the fence, including metadata such as subfolder names and file names. This also applies to notification settings which are inherited from a parent folder.
Any folder can be configured with a permission fence, even those residing within Remote Mount storage locations, such as folders in Amazon S3, Microsoft Azure, Google Cloud Storage, and other remote servers.
Permission fences can also be set up within other permission fences, allowing for flexible and granular control of folder permissions.
A permission fence cannot be applied to the root folder of your site.
As an example, imagine that you have a folder structure of /Company/Team A/Manager Only/ and that all members of Team A, including the team manager, are placed in a Files.com group named "Team A". The entire team needs to be able to access content in /Company/Team A/ so the "Team A" group has been given full access permissions to this folder. However, the subfolder /Manager Only/ should be prohibited to the team members with the exception of the manager. By applying a permission fence to /Manager Only/ the inherited permissions are blocked and the team members can no longer see or access that subfolder. You can now give access permission for the /Manager Only/ subfolder to the team manager. Now only the team manager can see and access the /Manager Only/ subfolder, even though the whole team has access to its parent folder.
Creating a Permission Fence
Navigate to a folder and select its Folder permissions button. In the Permission Fence section, select the Create New Permission Fence Here option.
If there are any inherited permissions that will be blocked by the new fence then a table will be presented that displays the permissions that are about to be blocked.
Click Create Permission Fence to create the fence.
You can now apply new permissions within this fenced folder.
Removing a Permission Fence
Navigate to a folder and select its Folder permissions button. In the Permission Fence section, select the Remove Permission Fence option.
If there are any inherited permissions that will be reapplied to this folder when the fence is removed then a table will be presented that displays the permissions that are about to be reapplied.
Click Remove Permission Fence to remove the fence.
Removing a permission fence does not remove any permissions that have been applied within the fence. Removing the fence simply allows any inherited permissions from parent folders to no longer be blocked.
Viewing Permission Fence Information
Folders that have a permission fence applied to them will show a fence icon in their Folder permissions button.
Users that are affected by a permission fence will display a fence icon in their Folder permissions information table, which can be found in the user account settings, under the Privileges tab.
Groups that are affected by a permission fence will display a fence icon in their Folder permissions information table, which can be found in the group's settings.
Hovering on the fence icon in the user or group permissions tables will display the path of the folder that contains the fence. Clicking the fence icon will take you to the folder.
Negative Permissions
Negative permissions, also referred to as "negative ACLs", is a term used for when a system allows access permissions to a folder to be specified as a "deny", rather than an "allow", for either a user or group.
With Files.com, users (excepting site administrators) and groups start without access to any folder. Permissions are used to explicitly allow access for that user or group.
Some systems, such as Active Directory, implement negative permissions. Files.com does not have the ability to synchronize negative permissions from Active Directory.
Instead, permission fences can be used to block inherited permissions to folders and provide similar access rules to those implemented using negative ACLs.