Inherited vs. explicit permissions

Discussion in 'Windows Server' started by Flybersite, Aug 21, 2013.

  1. Flybersite

    Flybersite MDL Novice

    Aug 21, 2013
    Hello,
    I have a parent directory called: Data
    I've created a child directory in this data folder that is called: final versions
    I've set Modify permissions for a user on the data directory. I've added read rights to final versions for this same user.
    According to the rules, explicit permissions go above inherited permissions.

    The way I interpret it is that the Read permissions take precedence (since they're explicit) over the Modify rights (inherited). When I try this out the user does have Modify rights on this folder.

    Can anyone explain this behaviour to me?
    Many thanks,
    Glenn
     
  2. kelorgo

    kelorgo MDL Addicted

    Oct 29, 2012
    Permission precedences don't work that way. Explicit permissions and Inherited permissions don't take precedence over each other; they get combined together, and the user has the benefits of both.

    What you need to know instead is that there are two types of permission settings: "Allow" and "Deny". Deny permissions take precedence over Allow permissions.

    What you have to set up in your case:
    * Set the user to have Modify and Read Allow permissions on the Data folder. Set these permissions to be inheritable.
    * Explicitly set a Modify Deny permission for the user on the Final Versions folder. (Careful not to also set Read Deny).

    If you need help with setting Deny permissions, post again.
     
  3. Flybersite

    Flybersite MDL Novice

    Aug 21, 2013
    Hello,

    I've followed your steps above, but whenever I want to click deny for Modify the other checkboxes are checked as well.
     
  4. WinDev

    WinDev MDL Expert

    Jul 6, 2013
  5. kelorgo

    kelorgo MDL Addicted

    Oct 29, 2012
    #5 kelorgo, Aug 21, 2013
    Last edited: Aug 21, 2013
    You are right, I am sorry, I wasn't precise enough. Modify = Read + Write + a few others, so as you say, if you check Deny for Modify, it checks everything else too.

    Instead, you have to check Deny for Write, that will almost do what you want. If you also want the person not to be able to delete files, then you have to edit advanced permissions, and also set Deny for Delete (which doesn't show up on the basic permission list).

    Edit: There is actually a different, easier way to achieve what you want, which you might also want to try: Switch off inheritable permissions on the Final Versions folder. You will have to add Full Control permission for yourself, and Read permission for your user.

    To switch off inheritable permissions, under the advanced security settings for the Final Versions folder, untick the check box titled "Include inheritable permissions from this object's parent".
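
The two approaches from post #5 (disable inheritance on the child folder, or keep inheritance and deny only Write and Delete), scripted with Get-Acl/Set-Acl as an added example that is not part of the original thread. The folder path, the account names and the `$Mode` switch are assumptions to replace with your own values.

```powershell
# Added example: placeholder names below are assumptions, replace them before use.
$Folder = 'D:\Data\Final Versions'   # hypothetical path to the child folder
$User   = 'CONTOSO\glenn'            # hypothetical restricted account
$Admin  = 'BUILTIN\Administrators'   # who keeps Full Control
$Mode   = 'BreakInheritance'         # or 'DenyWrite'

function New-FolderRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    # Apply to this folder, its subfolders and its files
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $inherit, $none, $Type
}

$acl = Get-Acl -LiteralPath $Folder

switch ($Mode) {
    'BreakInheritance' {
        # Same as unticking "Include inheritable permissions from this object's parent":
        # protect the ACL ($true) and drop the inherited entries ($false).
        $acl.SetAccessRuleProtection($true, $false)
        $acl.AddAccessRule((New-FolderRule $Admin 'FullControl' 'Allow'))
        $acl.AddAccessRule((New-FolderRule $User  'Read'        'Allow'))
    }
    'DenyWrite' {
        # Keep the inherited Modify from Data and subtract Write and Delete only.
        # Denying Modify would also deny Read, because Modify contains Read.
        $acl.AddAccessRule((New-FolderRule $User 'Write, Delete' 'Deny'))
    }
    default { throw "Unknown mode: $Mode" }
}

Set-Acl -LiteralPath $Folder -AclObject $acl

# Check the result: list the entries for the user and whether each one is inherited
(Get-Acl -LiteralPath $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $User } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

Run it from an elevated session under an account that is allowed to change permissions on the folder; the final table should show no inherited Modify entry in `BreakInheritance` mode, and an explicit Deny entry next to the inherited Allow in `DenyWrite` mode.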
     
  6. Flybersite

    Flybersite MDL Novice

    Aug 21, 2013
    Hello,

    This is exactly what I need. Thanks!