4.4 Net Folder Access Involves Four Roles

When users are assigned to a Net Folder, Filr assigns them one of four roles, depending on the rights that they have on the file system or library (see Access Permissions and Filr). The roles are outlined in Table 4-1.

Table 4-1 Net Folder Roles and the Rights That They Represent

Role: Rights Through Filr

None: No rights

Viewer:

  • View Net Folder contents

  • Read existing files

Editor:

  • View Net Folder contents

  • Read and Write to existing files

Contributor:

  • View, Create, Delete, Rename, Move, and Copy the shared folder and its contents

  • Read and Write to existing files

The file system and library rights required for each Net Folder role are illustrated and explained in the following sections.

4.4.1 Net Folder Roles are Derived, Not Assigned

For Filr users to access Net Folders, Filr administrators must simply grant them access. Granting access is the only Net Folder access control mechanism in Filr. Net Folder Roles are not assigned; they are derived from the access rights that users have on the target file systems, as outlined in the sections that follow.

4.4.2 Net Folder Role Requirements on NSS File Systems

For eDirectory users to function in Net Folder roles, they must have the NSS rights illustrated and explained in Table 4-2. If the minimum requirements for the Net Folder Viewer role are not met, users have no access through Filr, as explained in Net Folder Role Requirements Are Rigidly Enforced.

Table 4-2 NSS File System Rights Required for Net Folder Roles

Role and Minimum NSS Rights Required: Comments

Viewer: To view files through Filr, eDirectory users must have both Read and File Scan file system trustee rights on the target file or folder.

Editor: To modify file content through Filr, eDirectory users must have the Write file system trustee right in addition to Read and File Scan.

Contributor: To perform contributor functions, eDirectory users must have either

  • All file system trustee rights to the file or folder (except for Access Control)

    Or

  • The Supervisor right to the file or folder

The presence or absence of Access Control has no meaning in Filr because Filr cannot modify file system trustee rights. A Filr user with the Access Control right on the file system cannot grant file system access to another user through Filr.

It is true that Filr users with sufficient Filr permissions can share access to files and folders with other users, but this is a Filr function that leverages the file system rights of Net Folder proxy users. Access to shared files and folders is independent of any file system rights that individual users have or do not have.

4.4.3 Net Folder Roles on NTFS File Systems

For Active Directory users to function in Net Folder roles, they must have the NTFS file system permissions illustrated and explained in Table 4-3. If the minimum requirements for the Net Folder Viewer role are not met, users have no access through Filr, as explained in Net Folder Role Requirements Are Rigidly Enforced.

Table 4-3 NTFS Permissions Required for Net Folder Roles

Role and Minimum NTFS Permissions Required: Comments

Viewer: To view files and folders through Filr, Active Directory users must have Read, Read & Execute, and List Folder Content basic permissions on the target folder.

The default special permissions associated with these basic permissions are also required.

Editor: To modify file content through Filr, Active Directory users must have the basic Write permission in addition to Read, Read & Execute, and List Folder Content basic permissions on the target folder.

The default special permissions associated with these basic permissions are also required.

Contributor: To perform contributor functions, users must have either

  • The basic Full Control permission

    Or

  • The basic Modify permission included with the privileges required for the Editor role (Write, Read, Read & Execute, and List Folder Content)

    IMPORTANT: The default special permissions associated with these basic permissions are also required as illustrated.

4.4.4 Net Folder Roles on SharePoint

For SharePoint users to function in Net Folder roles, they must have the SharePoint permissions illustrated and explained in Table 4-4. If the minimum requirements for the Net Folder Viewer role are not met, users have no access through Filr, as explained in Net Folder Role Requirements Are Rigidly Enforced.

IMPORTANT: It is a common practice for SharePoint administrators to create customized permission lists that do not include the Use Remote Interfaces permission.

Filr uses a REST interface to communicate with the SharePoint system. Therefore, you must ensure that the Use Remote Interfaces permission is enabled for all SharePoint users and groups that access Filr. Otherwise, those using desktop clients and mobile devices will not be able to access SharePoint using Filr.

The Use Remote Interfaces permission is marked with an asterisk (*) in Table 4-4 below to emphasize this point.

Table 4-4 SharePoint Permissions Required for Net Folder Roles

Role and Minimum SharePoint Permissions Required: Comments

IMPORTANT: SharePoint users’ Net Folder roles are derived not only from their rights to the SharePoint folder but also from rights that are "shared" with them within SharePoint.

For example, User B has access to Net Folder-1 and, based on their SharePoint rights, can view File-X.

Working in SharePoint, User A shares File-X with User B and grants "Can Edit" privileges.

User B now has sufficient Filr rights to rename File-X.

Viewer: To view files and folders in SharePoint document libraries, SharePoint users must have the Browse Directories, Browse User Information, Use Remote Interfaces*, and View Items permissions in the document libraries.

Editor: To modify file content, SharePoint users must have the Edit permission in addition to the permissions required for the Viewer role.

Contributor: To perform contributor functions, users must have the Add Items and Delete Items permissions in addition to all of the permissions required for the Viewer and Editor roles.
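The role requirements in Tables 4-2 through 4-4 can be checked mechanically when auditing who ends up in which role. The following Python sketch is an added example, not Filr code: it models the rules as this section states them, derives the role from a set of rights, and reports which rights are missing for a target role. The right names are plain strings chosen for the sketch, and the NSS Create, Erase, and Modify rights are an assumption about what "all rights except Access Control" adds beyond Read, Write, and File Scan.

```python
# Added example: the derivation rules of Tables 4-2 to 4-4 as data.
# Right names are plain strings for this sketch, not Filr or OS identifiers.
VIEWER = {
    "nss": {"Read", "File Scan"},
    "ntfs": {"Read", "Read & Execute", "List Folder Content"},
    "sharepoint": {"Browse Directories", "Browse User Information",
                   "Use Remote Interfaces", "View Items"},
}
EDITOR_EXTRA = {"nss": {"Write"}, "ntfs": {"Write"}, "sharepoint": {"Edit"}}
CONTRIBUTOR_EXTRA = {
    # Assumption: Create, Erase and Modify complete "all rights except
    # Access Control" on NSS; the page does not enumerate them.
    "nss": {"Create", "Erase", "Modify"},
    "ntfs": {"Modify"},
    "sharepoint": {"Add Items", "Delete Items"},
}
# A single right that satisfies the Contributor requirement by itself.
FULL = {"nss": "Supervisor", "ntfs": "Full Control"}
ORDER = ["None", "Viewer", "Editor", "Contributor"]


def required(backend, role):
    """Cumulative rights required for Viewer, Editor or Contributor."""
    need = set()
    for name, table in zip(ORDER[1:], (VIEWER, EDITOR_EXTRA, CONTRIBUTOR_EXTRA)):
        need |= table[backend]
        if name == role:
            break
    return need


def derive_role(backend, rights):
    """Highest role whose full requirement set is held, otherwise "None"."""
    rights = set(rights)
    if FULL.get(backend) in rights:
        return "Contributor"
    role = "None"
    for name in ORDER[1:]:
        # Rigid enforcement: a missing lower-level right stops the climb.
        if not required(backend, name) <= rights:
            break
        role = name
    return role


def missing_for(backend, rights, role):
    """Rights still needed before the user can function in the given role."""
    return required(backend, role) - set(rights)
```

Running `missing_for` against a customized SharePoint permission list shows immediately whether Use Remote Interfaces is the right that leaves a user with no access through Filr.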