NTFS Permission Structure to allow Traversal but no Modification except in Leaf Nodes?
Posted by pepoluan on Server Fault
Published on 2012-11-14T15:23:30Z
Assume there's this folder structure:
D:\ --+-- Acctg --+-- Payable
      |           +-- Receivable
      |
      +-- Fin   --+-- Inv
      |           +-- Tax
      |           +-- Treas
      |
      +-- Mrktg --+-- Ads
                  +-- Promo
Users are not allowed to change the structure, but they are free to create & delete files & folders in the leaf nodes (i.e., the rightmost folders).
The AGDLP principle says that I should assign permissions on the above folders to DL-Groups. Let's say I have a G-Group of users, G-Accounting-Payable, containing users that have access to the D:\Acctg\Payable folder.
The way I see it, I have two strategies:
- Strategy 1
  Create three DL-Groups and assign them permissions:
  - DL-D-Acctg_T -- allowed traversal of D:\Acctg folder
  - DL-D-Acctg-Pay_LF -- allowed listing of D:\Acctg\Payable folder contents
  - DL-D-Acctg-Pay__RW -- allowed full permissions to the contents of D:\Acctg\Payable folder
  Add G-Accounting-Payable as member to all the above DL-Groups
- Strategy 2
  Create just one DL-Group DL-D-Acctg-Pay__RW, and assign it the proper permissions for each level of the folder.
  Then, add G-Accounting-Payable as member to that DL-Group.
Which strategy is the Recommended Best Practice, and why?
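The per-level ACEs that the three DL-Groups of Strategy 1 describe, as an added example that is not part of the original question. It assumes the groups already exist in a placeholder domain EXAMPLE, reads "full permissions to the contents" as Modify inherited to children only, and uses a hypothetical helper New-Ace; run it elevated.

```powershell
# Added example (not from the original post). Assumptions: the DL-Groups exist
# in the placeholder domain below, and the rights chosen are one reading of
# "traversal", "listing" and "full permissions to the contents".
param(
    [string]$Root   = 'D:\Acctg',
    [string]$Leaf   = 'D:\Acctg\Payable',
    [string]$Domain = 'EXAMPLE'   # placeholder, replace with the real domain
)

# Hypothetical helper: build one Allow ACE from enum names given as strings.
function New-Ace {
    param([string]$Group, [string]$Rights, [string]$Inherit, [string]$Propagate)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$Domain\$Group",
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$children = 'ContainerInherit, ObjectInherit'
$plan = @(
    # Intermediate level: pass through only, this folder only. No Delete and no
    # DeleteSubdirectoriesAndFiles, so Payable cannot be removed or renamed.
    @{ Path = $Root; Ace = New-Ace 'DL-D-Acctg_T' 'Traverse, ReadAttributes' 'None' 'None' }
    # Leaf folder itself: list its contents, this folder only.
    @{ Path = $Leaf; Ace = New-Ace 'DL-D-Acctg-Pay_LF' 'ReadAndExecute' 'None' 'None' }
    # Leaf folder itself: may add files and subfolders, but has no Delete on the leaf.
    @{ Path = $Leaf; Ace = New-Ace 'DL-D-Acctg-Pay__RW' 'CreateFiles, CreateDirectories' 'None' 'None' }
    # Everything below the leaf: Modify, inherit-only so it never applies to the leaf.
    @{ Path = $Leaf; Ace = New-Ace 'DL-D-Acctg-Pay__RW' 'Modify' $children 'InheritOnly' }
)

foreach ($step in $plan) {
    $acl = Get-Acl -LiteralPath $step.Path
    $acl.AddAccessRule($step.Ace)
    Set-Acl -LiteralPath $step.Path -AclObject $acl
}

# Show the resulting explicit ACEs for review.
foreach ($p in $Root, $Leaf) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*DL-D-Acctg*' } |
        Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference,
                      FileSystemRights, InheritanceFlags, PropagationFlags
}
```

Under Strategy 2 the same four ACEs would all name DL-D-Acctg-Pay__RW; only the group in each line of `$plan` changes.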
© Server Fault or respective owner