Set Folder Membership

You can specify which users have access to folders as well the level of their access by assigning members to folders. Folder members can be individual users or groups of users. By default, no members are assigned to folders, meaning that all users have access to all folders. Once members are assigned to the Access Control List (ACL) for a folder, any users requiring access to that folder must be assigned to Access Control List for that folder.

A folder that does not have an Access Control List defined uses role-based security. Once an ACL is defined for a folder, the ACL permissions combine with the role based permissions to create a more restrictive and more focused security model (object-based security). Roles are used first to determine permissions and then the ACL allows you to be more restrictive. For example, a user with a read-only role will never have more than read-only access regardless of the ACLs to which they belong. Conversely, if a user is assigned a role with full permissions, an ACL can be used to restrict that user within specific folders. The ACL can never give a user more permissions than the roles assigned to the user. When adding users to an ACL, consider the roles assigned to the users and restrict the users accordingly within the folder structure.

By default, the Administrator role has read access to all folders. The best practice for creating a vault security model is to first create an administrator group containing all of the administrators. Add the administrator group to the ACL to the top most folder in the vault, giving the group full access. Once the administrator group has been granted access, create groups and assign users to the groups. By assigning users to groups and then granting folder membership to those groups, you can easily manage users and their access to vault folders. By default, every new user is added to the Everyone group. If the Everyone group is granted membership to a folder, all new users will have access to that folder.

1. Right-click on a folder and then select Properties or choose Properties from the File menu.
2. In the Properties dialog box, select the Security tab.
3. The Access Control List shows the users and groups associated with the current folder and their permissions.
   Note: If the Access Control List is empty, all users have access to all folders. Once any members are assigned to the Access Control List for a folder, any users requiring access to that folder must be assigned to Access Control List for that folder.

Add a Member to a Folder

1. Click Add.
2. In the Add Members dialog box, select the users or groups to assign to the current folder and then click Add.
3. Click OK.
4. The Access Control List lists the members of the folder. Select a member for whom to configure the folder permissions.
5. In the Permissions box, enable or disable the Allow and Deny check boxes for each permission.

   Permission	Access
   Read	Allow-Files can be viewed from the folder. Deny-The folder and Files cannot be viewed. If a member is denied read access then they are not allowed Modify or Delete access either. None-Files can be viewed provided that the member is not explicitly denied access based on state security.
   Modify	Allow-Files can be modified. Deny-Filles cannot be modified. None-Files can be modified provided that the member is not explicitly denied modify rights based on state security.
   Delete	Allow-Files can be deleted Deny-Filles cannot be deleted. None-Files can be deleted provided that the member is not explicitly denied delete rights based on state security.

   For example, for Read-only access, select the Allow check box for Read, and the Deny check box for Modify and Delete.

6. Click OK.
7. If the security has been changed on a folder containing subfolders, you are prompted to select how the security changes are propagated to the subfolders. Select a method of propagation and then click OK.

Remove a Member from a Folder

1. From the Access Control List, select a member of the folder.
2. Click Remove.
3. Click OK. The selected member can no longer access the folder.
Note: Select Deny for all three permissions to restrict a member of a group from accessing a folder to which the group has access. Add the restricted member as an individual on the Access Control List and then set the permission for that member to No Access.