FTP/File Sharing with Complex File Permissions

Sharing corporate information is scary for any IT department unless you have SECURITY and AUDITING.  The good news is SmartFile can help with both.  I’ll save auditing for another post, since security is by far the area of functionality that potential customers touch on most frequently.  In particular, user permissions and access to files are brought up in nearly every enterprise discussion.

SmartFile has both simple and complex security.  Simple security is when you set a user’s Home Directory to a specific folder (and subsequently any subfolders) and assign the same permission to all folders and files in that home directory.  A more complex scenario involves mixed rights to folders, which will often require leveraging groups and individual file permissions.

 

A recent client had a scenario that many IT professionals can relate to because it mimics the structure of SharePoint permissions.  The scenario also helps show that SmartFile permissions apply not only in the web UI but also carry over to FTP.

I’ll use the simplified folder structure below as the example:

\Home\
    …\Personal\
        …\Jane Doe\
        …\Chris Johnson\
        …\Bob Professional\
    …\Department\
        …\Sales\
        …\HR\
        …\Finance\
    …\Public\
        …\Sales\
        …\HR\
        …\Finance\

Before doing any work with user permissions, you should have your folder structure set because moving folders and changing names after the fact can have a negative impact.

Let’s say Jane Doe should have full rights for her personal user folder, download (read) only to all public department folders, and download (read)/upload to the Sales department.  This is a perfect scenario for using Groups in SmartFile.

GROUPS – Start by creating two Groups that will remove access to all folders in the \Home\Department\ and \Home\Personal\ folders.  I’d recommend calling the Groups something easy like ‘Remove Department Access’ and ‘Remove Personal Folder Access’.

When you create the Remove Department Access Group, don’t worry about adding users initially, just create the Group.  After the Group is created, select the Group and update the ‘Access’ button. All you’ll need to do is place checkmarks next to \Home\Department\Sales\, \Home\Department\HR\, and \Home\Department\Finance\.  By default you are removing access to these folders because you are assigning no permissions.


Now repeat this process for ‘Remove Personal Folder Access’.  Select the folders \Home\Personal\Jane Doe\, \Home\Personal\Chris Johnson\, and \Home\Personal\Bob Professional\.

GROUPS – Next create a Group that will assign read access only to the \Home\Public\ folder.  Name the Group ‘Public Folder Read Access’.  You’ll follow similar steps as above, but when selecting the check mark next to each of the appropriate folders, you’ll need to also highlight each folder individually and select the ‘Download (Read)’ and ‘Show Contents’ Permission.  You’ll do this for \Home\Public\Finance\, \Home\Public\HR\, and \Home\Public\Sales\.


Next, create a Group for each department.  Name each Group ‘Department Sales Access’, ‘Department Finance Access’, and ‘Department HR Access’, respectively.  This time, you will only select the individual folder and assign ‘Upload (Write),’ ‘Download (Read),’ and ‘Show Contents’ Permission.  See the example for ‘Department Sales Access’ below:

[Screenshot: ‘Department Sales Access’ Group permissions]

You’ll need to set Jane’s ‘Home Directory’ as \Home (root) and set her ‘Permissions’ to ‘Show Contents’.  (There are two important notes here.  1) Permissions assigned to a user’s Home Directory by default cascade down to all files and folders unless otherwise directed and 2) the Role assigned impacts the availability of features for a user and does not directly impact file access/permissions.)


If we made no further updates to Jane Doe, she would be able to see that files and folders exist, but she would not be able to download, upload, or delete.  By assigning Jane to the appropriate Groups and granting her explicit rights to the \Home\Personal\Jane Doe\ folder, SmartFile will aggregate the permissions and share content with the appropriate security.

Select the checkmark next to Jane Doe and select ‘Edit User’.  Select the Groups button and add ‘Remove Department Access’, ‘Remove Personal Folder Access’, ‘Department Sales Access’ and ‘Public Folder Read Access’.  These Groups will eliminate access to all folders in the \Home\Personal\ directory, create read-only access in the \Home\Public\ directory, and eliminate access to all folders in the \Home\Department\ folder, ONLY to grant back upload and download (read) access to the \Home\Department\Sales\ folder.


USERS – Finally, grant Jane Doe permission to her personal user folder.  Select the checkmark next to Jane Doe and select ‘Edit User’.  Select the Access button.  There will only be a checkmark next to \Home(root) at this point, and that is correct.  Remember by default, permissions assigned to the Home Directory (Show Contents in this case) cascade down unless otherwise directed.  Expand the directory and select the checkmark next to \Home\Personal\Jane Doe\ and highlight the path.  Select the ‘Select All’ Permission.
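
The deny-then-grant-back layering configured in the steps above can be checked against the intended result with a small model. This is an added example, not SmartFile code: it assumes the most specific folder with an explicit user or Group entry decides, that entries on the same folder are unioned, and that ‘Select All’ means the four permissions listed; `p`, `effective`, `audit` and the `Delete` permission name are hypothetical.

```python
# Added example: an assumed model of permission aggregation, not SmartFile code.
LIST, READ, WRITE, DELETE = "Show Contents", "Download (Read)", "Upload (Write)", "Delete"
ALL = frozenset({LIST, READ, WRITE, DELETE})  # assumption: what 'Select All' grants
NONE = frozenset()                            # folder checked, no permission assigned

def p(*parts):
    # Build a path under the root, e.g. p("Public", "HR") is \Home\Public\HR
    return "\\".join(("", "Home") + parts)

DEPTS = ("Sales", "HR", "Finance")
PEOPLE = ("Jane Doe", "Chris Johnson", "Bob Professional")
GROUPS = {
    "Remove Department Access": {p("Department", d): NONE for d in DEPTS},
    "Remove Personal Folder Access": {p("Personal", n): NONE for n in PEOPLE},
    "Public Folder Read Access": {p("Public", d): frozenset({READ, LIST}) for d in DEPTS},
    "Department Sales Access": {p("Department", "Sales"): frozenset({WRITE, READ, LIST})},
}
JANE = {
    "access": {p(): frozenset({LIST}), p("Personal", "Jane Doe"): ALL},
    "groups": list(GROUPS),
}

def effective(user, path):
    # Walk from the requested path up to the root. The first folder that has any
    # explicit entry (user or Group) decides; entries on that folder are unioned.
    rule_sets = [user["access"]] + [GROUPS[g] for g in user["groups"]]
    parts = path.strip("\\").split("\\")
    for i in range(len(parts), 0, -1):
        node = "\\" + "\\".join(parts[:i])
        hits = [rules[node] for rules in rule_sets if node in rules]
        if hits:
            return frozenset().union(*hits)
    return NONE

def audit(user, expected):
    # Return {path: (expected, actual)} for every path whose result differs.
    actual = {path: effective(user, path) for path in expected}
    return {path: (set(want), set(actual[path]))
            for path, want in expected.items() if actual[path] != frozenset(want)}

EXPECTED = {  # intended result, taken from the Group definitions in the steps
    p("Personal", "Jane Doe"): ALL,
    p("Personal", "Bob Professional"): NONE,
    p("Department", "Sales"): {WRITE, READ, LIST},
    p("Public", "HR"): {READ, LIST},
}

if __name__ == "__main__":
    print(audit(JANE, EXPECTED) or "configuration matches EXPECTED")
```

In this model, leaving out the two ‘Remove …’ Groups lets ‘Show Contents’ cascade from \Home into other users’ personal folders, which is the gap those Groups close.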


Now when Jane signs in via the web interface or FTP/SFTP, she’ll see the following:

\Home\ (Show Contents)
    …\Personal\ (Show Contents)
        …\Jane Doe\ (Full Permissions)
    …\Department\ (Show Contents)
        …\Sales\ (Upload (Write) and Download (Read))
        …\HR\ (Upload (Write) and Download (Read))
        …\Finance\ (Upload (Write) and Download (Read))
    …\Public\ (Show Contents)
        …\Sales\ (Download (Read))
        …\HR\ (Download (Read))
        …\Finance\ (Download (Read))

*Notice that \Home\Personal\Bob Professional\ and \Home\Personal\Chris Johnson\ are hidden because rights were removed.

If you have any questions about permissions or access, please leave them in the comments below!
