One key concept for managing network storage is permissions. Permissions control which users can reach shared resources on a network. Simply sharing a disk doesn't guarantee that a given user can access the data it contains. Windows makes that decision by comparing the permissions assigned to the resource (normally to groups) with the group memberships of the user. If the user, or a group the user belongs to, has been granted permission to access the resource and no entry explicitly denies it, the access is allowed. Otherwise, access is denied. Keep in mind that a folder reached over a network share is filtered twice: the share's own permissions and the NTFS permissions both apply, and the more restrictive of the two wins.
In theory, the permissions concept sounds simple. In practice, however, it can get quite complicated. This list explains some of the nuances of how access control and permissions work:
Every object (that is, every file and folder) on an NTFS volume has a set of permissions, called its Access Control List, or ACL, associated with it. Each entry in the list (an access control entry, or ACE) names one user or group, the level of access, and whether that access is allowed or denied.
The ACL identifies the users and groups that can access the object and specifies which level of access each user or group has. For example, a folder's ACL may specify that one group of users can read files in the folder, another group can read and write files in the folder, and a third group is denied access to the folder altogether. Because a user can belong to several groups, the user's effective access is the combination of every Allow entry that applies to them, except that a Deny entry that applies always overrides the matching Allow.
Container objects (that is, folders and volumes) pass their ACLs down to the objects they contain. As a result, when you set permissions on a folder, those permissions extend to the files and child folders within it unless inheritance is deliberately blocked on a child object. Inherited entries show up on the child as inherited rather than explicit, which is how you tell where a permission came from.
Table 17-1 describes the six types of permissions that can be applied to files and folders on an NTFS volume.
| Permission | Description |
|---|---|
| Full Control | Grants unrestricted access to the file or folder, including the right to change its permissions and take ownership of it. |
| Modify | Grants the right to read the file or folder, delete it, change its contents, and change its attributes. For a folder, also allows creating new files and subfolders within it. Does not allow changing permissions or taking ownership. |
| Read & Execute | Grants the right to read or execute a file. For a folder, grants the right to list its contents and to read or execute any of the files in it. |
| List Folder Contents | Applies only to folders and grants the right to list the folder's contents and traverse it. It carries the same rights as Read & Execute but is inherited only by subfolders, not by files. |
| Write | Grants the right to change the contents or attributes of a file, and to create new files and subfolders within a folder. On its own, Write does not include the right to read. |
| Read | Grants the right to read the contents and attributes of a file or folder and to view its permissions. |
Tip: The six file and folder permissions are composed of various combinations of special (advanced) permissions that grant more detailed access to files or folders. Table 17-2 lists the special permissions included in each of the six file and folder permissions.
| Special Permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
|---|---|---|---|---|---|---|
| Traverse Folder/Execute File | ✓ | ✓ | ✓ | ✓ | | |
| List Folder/Read Data | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Read Attributes | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Read Extended Attributes | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Create Files/Write Data | ✓ | ✓ | | | | ✓ |
| Create Folders/Append Data | ✓ | ✓ | | | | ✓ |
| Write Attributes | ✓ | ✓ | | | | ✓ |
| Write Extended Attributes | ✓ | ✓ | | | | ✓ |
| Delete Subfolders and Files | ✓ | | | | | |
| Delete | ✓ | ✓ | | | | |
| Read Permissions | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Change Permissions | ✓ | | | | | |
| Take Ownership | ✓ | | | | | |
| Synchronize | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
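You don't have to take the table on faith. The following PowerShell script, added here as an example and not part of the original chapter, recomputes Table 17-2 from the .NET FileSystemRights flags enum that Windows uses to encode an ACE's access mask. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, touches no files or ACLs, and uses the identity Everyone only as a placeholder for building a throwaway rule.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the original chapter). Recomputes Table 17-2 from the
# System.Security.AccessControl.FileSystemRights flags enum instead of trusting the
# printed checkmarks. Requires Windows PowerShell 5.1 or PowerShell 7 on Windows;
# it touches no files or ACLs.

# The six basic permissions as they appear on a file or folder's Security tab.
# "List Folder Contents" has the same bits as Read & Execute; the GUI distinguishes it
# only by applying it to "this folder and subfolders" (not to files).
$basic = [ordered]@{
    'Full Control'         = [FileSystemRights]::FullControl
    'Modify'               = [FileSystemRights]::Modify
    'Read & Execute'       = [FileSystemRights]::ReadAndExecute
    'List Folder Contents' = [FileSystemRights]::ReadAndExecute
    'Read'                 = [FileSystemRights]::Read
    'Write'                = [FileSystemRights]::Write
}

# The special (advanced) permissions. Each is a single bit; the folder/file names that
# share a bit (Traverse Folder vs. Execute File, and so on) are aliases in the enum.
$special = [ordered]@{
    'Traverse Folder/Execute File' = [FileSystemRights]::ExecuteFile
    'List Folder/Read Data'        = [FileSystemRights]::ReadData
    'Read Attributes'              = [FileSystemRights]::ReadAttributes
    'Read Extended Attributes'     = [FileSystemRights]::ReadExtendedAttributes
    'Create Files/Write Data'      = [FileSystemRights]::WriteData
    'Create Folders/Append Data'   = [FileSystemRights]::AppendData
    'Write Attributes'             = [FileSystemRights]::WriteAttributes
    'Write Extended Attributes'    = [FileSystemRights]::WriteExtendedAttributes
    'Delete Subfolders and Files'  = [FileSystemRights]::DeleteSubdirectoriesAndFiles
    'Delete'                       = [FileSystemRights]::Delete
    'Read Permissions'             = [FileSystemRights]::ReadPermissions
    'Change Permissions'           = [FileSystemRights]::ChangePermissions
    'Take Ownership'               = [FileSystemRights]::TakeOwnership
    'Synchronize'                  = [FileSystemRights]::Synchronize
}

function Get-AllowMask([FileSystemRights]$Rights) {
    # The raw enum value for Read, Write, etc. omits Synchronize, but an Allow ACE built
    # from it (by the Security tab or by FileSystemAccessRule) always includes Synchronize.
    # Build the rule and read the mask back so the matrix shows what really lands in the ACL.
    # 'Everyone' is a placeholder identity; the rule is never applied anywhere.
    $rule = [FileSystemAccessRule]::new('Everyone', $Rights, 'Allow')
    return $rule.FileSystemRights
}

function Get-SpecialPermissionMatrix {
    foreach ($row in $special.GetEnumerator()) {
        $line = [ordered]@{ 'Special Permission' = $row.Key }
        foreach ($col in $basic.GetEnumerator()) {
            $mask = Get-AllowMask $col.Value
            # A basic permission contains a special one when that bit is set in its mask.
            $line[$col.Key] = if (($mask -band $row.Value) -eq $row.Value) { 'X' } else { '' }
        }
        [pscustomobject]$line
    }
}

Get-SpecialPermissionMatrix | Format-Table -AutoSize
```

The one surprise worth knowing about is Synchronize: the enum value for Read, Write, Modify and Read & Execute does not contain it, yet every Allow ACE you create gets it added, which is why Table 17-2 shows it under all six. A Deny ACE that strips Synchronize blocks the user from opening the object at all, so be careful when building Deny rules from arbitrary masks.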
You should assign permissions to groups rather than to individual users. Then, when a particular user needs access to a particular resource, add that user to a group that already has permission to use the resource. The ACL stays short and predictable, and revoking access means removing a group membership rather than hunting through every folder for a stray per-user entry.
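The script below, added here as an example and not drawn from the original chapter, puts the advice of this section into practice: every ACE names a group, inheritance carries the root folder's ACL down to new files and subfolders, and one sensitive subfolder blocks that inheritance. The built-in groups BUILTIN\Administrators, BUILTIN\Users and BUILTIN\Guests stand in for the domain groups you would use in production, and the folder names (ntfs-perm-demo, payroll, readme.txt) are made up. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as a user allowed to change permissions under the TEMP folder.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the original chapter). Group-based NTFS permissions with
# inheritance from the share root and a subfolder that blocks inheritance. Built-in
# groups stand in for domain groups; folder names are constructed for the demo.

$root   = Join-Path $env:TEMP 'ntfs-perm-demo'
$secret = Join-Path $root 'payroll'
New-Item -ItemType Directory -Force -Path $root, $secret | Out-Null

function New-GroupRule([string]$Group, [FileSystemRights]$Rights, [AccessControlType]$Type) {
    # ContainerInherit + ObjectInherit = "this folder, subfolders and files".
    # One ACE per group; users get access through membership, never through a per-user ACE.
    [FileSystemAccessRule]::new($Group, $Rights,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None, $Type)
}

function Set-ProtectedAcl([string]$Path, [FileSystemAccessRule[]]$Rules) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited ACEs, then clear any
    # explicit ACEs so the folder ends up with exactly the rules passed in.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Root of the share: admins manage it, ordinary users can read and write, guests are
# shut out. Deny ACEs are evaluated before Allow ACEs, so a guest who is also a member
# of Users is still refused.
Set-ProtectedAcl $root @(
    (New-GroupRule 'BUILTIN\Administrators' FullControl Allow)
    (New-GroupRule 'BUILTIN\Users'          Modify      Allow)
    (New-GroupRule 'BUILTIN\Guests'         FullControl Deny)
)

# Sensitive subfolder: block inheritance so the Users' Modify ACE does not flow in.
Set-ProtectedAcl $secret @(
    (New-GroupRule 'BUILTIN\Administrators' FullControl Allow)
)

# Anything created under $root picks up the root's ACEs as inherited entries.
$file = Join-Path $root 'readme.txt'
Set-Content -Path $file -Value 'constructed sample file'

function Show-Acl([string]$Path) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Protected = $acl.AreAccessRulesProtected
        }
    }
}

@($root, $secret, $file) | ForEach-Object { Show-Acl $_ } | Format-Table -AutoSize
```

In the output, readme.txt shows the three root ACEs with Inherited set to True, while payroll shows only the Administrators entry with Protected set to True: that is the "block inheritance" case from the list above, made visible. Delete the ntfs-perm-demo folder when you are done; nothing outside TEMP is touched.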