12.2 Understanding Roles and Sharing

Users can share both files and folders in their My Files area, but Net Folders restrict sharing to only files.

When users send share invitations, they must designate the role that they want the user receiving the share to have for the file they are sharing. For more information about user roles, see Section 4.4, Access Through Filr Involves One of Four Possible Roles.

The following are a few foundational concepts that Filr administrators should understand regarding user roles and sharing.

12.2.1 User Roles and Sharing

When users receive share invitations, they also receive one of three user roles: Viewer, Editor, or Contributor. For more information, see Section 4.4, Access Through Filr Involves One of Four Possible Roles.

Users who receive and accept share invitations can then access shared files through the proxy user assigned to the Net Folder where the file lives.

If multiple users share the same item with a single user, the user receiving the share has the highest role that was shared. For example, if User B shares a file with User A and grants User A Viewer rights to the file, and then User C shares the same file with User A and grants Editor rights to the file, User A has Editor rights to the file.

12.2.2 Users Can’t Grant Share Roles That They Don’t Have

Users with Contributor rights on folders can grant Viewer, Editor, and Contributor rights to other users as Filr system share and Net Folder share settings allow.

On the other hand, Users with Viewer rights on folders can only grant Viewer rights to other users with whom they are allowed to share.

12.2.3 File System Rights Also Affect the Ability to Assign Share Roles

Sharing of files and directories involves an additional layer that provides access and manages what those who are granted rights to share files can actually do.

For users to grant Viewer, Editor, or Contributor rights to another user, they must have the minimum rights that those roles require, as outlined in the following tables.

Table 12-1 NSS File System Rights Required for Assigning Filr Roles

Role

Minimum NSS Rights Required

Comments

Viewer

Read (R), File Scan (F)

These are the minimum file system trustee rights that users must have to view files and folders.

Editor

Read (R), Write (W), File Scan (F)

If the Write file system trustee right is added to Read and File Scan, users can then modify file content.

Contributor

Read (R), Write (W), Erase (E), Create (C), Modify, File Scan (F)

or

Supervisor

To perform contributor functions, users must either have all file system trustee rights to the file or folder (except for Access Control) or the Supervisor right to the file or folder.

The presence or absence of Access Control has no meaning in Filr because Filr cannot modify file system trustee rights. A Filr user with the Access Control right on the file system cannot grant file system access to another user through Filr.

It is true that Filr users with sufficient Filr permissions can share access to files and folders with other users, but this is a Filr function that leverages the file system rights of Net Folder proxy users. Access to shared files and folders is independent of any file system rights that individual users have or do not have.

Table 12-2 NTFS Permissions Required for Assigning Filr Roles

Role

Minimum NTFS Permissions Required

Comments

Viewer

Read, Read & Execute, List Folder Content

These are the minimum basic permissions that users must have in order to view files and folders. The default special permissions associated with these basic permissions are also required.

Editor

Read, Read & Execute, List Folder Content, Write

If the basic Write permission is added, users can then modify file content. The default special permissions associated with these basic permissions are also required.

Contributor

Read, Read & Execute, List Folder Content, Write, Modify

or

Full Control

To perform contributor functions, users must either have the basic Modify permission added or they must have the basic Full Control permission. The default special permissions associated with these basic permissions are also required.