cancel
Showing results for 
Search instead for 
Did you mean: 

Removing "None" permission via API

Larry Keyes1
Vigilante

Removing "None" permission via API

We have run into the issue of a user being assigned indiviudual "none" permissions to a folder when they actually should have permissions via inheritance. Example: 

User Mary Smith is given editor permission to folder "Level 2" 

User Mary Smith is added to a group which has editor permission to folder "Level 1"

Folder Level 2 inherits permissions from Level 1 

User Mary Smith's individual permission to Level 2 is removed....thus she is assigned "None" permissions to folder level 2.   Mary Smith can no longer access Level 2, even though she is a member of the group which has editor rights to Level 1.  Individual perms trump inherited perms, or group perms. 

My understanding there is no way to revoke "none" permissions via the API or any other way, other than reassigning the indiviual permissions back to the folder.

While i don't wish to re-debate the model here.... can someone give an explanation of how this might be fixed using the API?  For example, I could imagine some kind of recursive traverse of the folder tree...that looks at all the permissions and assignments to find all the "none" folder permissions,  and then goes back up the inherited folder hierarchy and group memberships to ascertain whether the person should in fact have access, and  then reassign permissions,  or not as the case may be.  

Labels (2)
0 Kudos
4 Replies
Community Manager GregNeustaetter
Community Manager

Re: Removing "None" permission via API

@Larry Keyes1 , the behavior of the permissions model is actually different from what you've mentioned.  A "none" permission on a folder isn't like a "deny" in the NTFS permissions model, instead, it ignores the parent permissions above that folder for the user/group it is set on.  This means that if a user has a "None" for a folder but "Editor" for a group they belong to, the user still has access to the folder.

In terms of removing a none via API, the only option today is to set the same permission as the one that is next set in the hierarchy, e.g. setting "Editor" on L2 for Mary Smith.

 

0 Kudos
Larry Keyes1
Vigilante

Re: Removing "None" permission via API

Hi, Greg,  many thanks for your reply.  I'm still trying to wrap my head around this.  

>>>>>>>>>

@Larry Keyes1 , the behavior of the permissions model is actually different from what you've mentioned.  A "none" permission on a folder isn't like a "deny" in the NTFS permissions model, instead, it ignores the parent permissions above that folder for the user/group it is set on.  This means that if a user has a "None" for a folder but "Editor" for a group they belong to, the user still has access to the folder.

>>>>>>>>>>

If I'm reading the above.... 

1. "None ignores the parent permissions above the folder for the user/group it is set." 

2. Thus,  even if the user has Editor as a group permission.... based on your first statement, that suggests that they will not have access to the folder, because individual rights trump group rights, and the none flag for that individual will override the group editor rights.  

This is in fact the problem that we have experienced in our large corporate Egnyte installation. The use case here is: 
1. A folder is created down in the hierarchy somewhere, with a few users added with individual Editor permissions.
2. Eventually,  the number of individuals seems to be excessive, so the manager puts them all in a group, removes the individual permssions, and assigns the Editor rights to the group. 
3. There is no visual notification that this procedure is going to prevent the users having access to the folder, either to the users or the manager.  The first manifestation of the problem is that the users come to us and say they can't access the folder. 

Am I missing something?    

 

0 Kudos
Community Manager GregNeustaetter
Community Manager

Re: Removing "None" permission via API

@Larry Keyes1 I think you should reach out to our support team and send a folder permissions report with the option to expand to group members turned on so that we can figure out what is going on.

Even if there is a none, the group permission should still apply since the none on the individual just means that for that folder the system ignores the parent folder permissions for that user.  If the user belongs to a group and that group has permissions they should still be able to see the folder.

0 Kudos
Larry Keyes1
Vigilante

Re: Removing "None" permission via API

Thanks. Greg.... I will try to wire up a use case here, per your suggestions with the report.   

0 Kudos