Skip to main content

Trinity College Dublin, The University of Dublin

Trinity Menu Trinity Search



You are here Data Storage and Sharing > NAS Data Storage > File sharing - Managing File Access

File Sharing - managing file access

This article provides information on how to configure permissions to limit who can access shared files or files on a managed server. This article is applicable to anyone using a Windows PC connected to the College network in offices and labs.

Understanding NTFS permissions

If you want to securely share files from your computer or if you are managing a Network Attached Storage folder, you will need to be familiar with NTFS permissions. NTFS is currently the preferred file system used in Windows environment. This allows you to control which users and groups can access files and folders on an NTFS file system.

Standard NTFS permissions

The table below explains the meaning of available permission settings.

Once you set the relevant permission level, based on the steps below, it is advisable that you check with the user that it matches what they can actually access.

Permission

Meaning for Folders

Meaning for Files

Read

Permits viewing and listing of files and subfolders

Permits viewing or accessing of the file's contents

Write

Permits adding of files and subfolders

Permits writing to a file

Read & Execute

Permits viewing and listing of files and subfolders as well as executing of files; inherited by files and folders

Permits viewing and accessing of the file's contents as well as executing of the file

List Folder Contents

Permits viewing and listing of files and subfolders as well as executing of files; inherited by folders only

n/a

Modify

Permits reading and writing of files and subfolders; allows deletion of the folder

Permits reading and writing of the file; allows deletion of the file

Full Control

Permits reading, writing, changing, and deleting of files and subfolders

Permits reading, writing, changing and deleting of the file

How to set permissions

  1. Right-click on the folder whose permissions you wish to change, and click on Properties.
  2. Select the Security tab.
  3. Click Edit.
  4. Click Add.
  5. Enter the relevant username or group name and click Check Names. If the name is valid, it should become underlined. Click OK.

    Note that some permission groups e.g. for an entire department, are updated automatically based on HR records when new staff start or exiting staff leave. However, other custom permission groups are not automatically updated and require a request to be sent to IT Services to have the new staff member added or an older staff member removed. If you need clarification about any group and whether the membership is automatically updated please contact the IT Service Desk.


    Windows permissions

  6. Select the required permissions and click OK

    Windows permissions

  7. Repeat steps 5-7 for all relevant users and user groups. Do not remove the listing for Domain Admins.

Understanding Inheritance

By default, objects within a folder inherit the permissions from that folder when the objects are created. However, explicit permissions take precedence over inherited permissions. So, if you grant different permissions at a lower level, the lower level permissions take precedence.

When you view the permissions, they will be one of the following

  • Checked: Permissions are explicitly assigned.
  • Cleared (unchecked): No permissions are assigned.
  • Shaded: Permissions are granted through inheritance from a parent folder.

Disabling inheritance for a group

To remove permissions inheritance for a group, you must turn off the option for inheriting permissions and then remove the group in security tab.

To disable inheritance for a group

  1. Right-click the file or folder and select Properties.
  2. Select the Security tab.
  3. Click the Advanced button.
  4. Click the Permissions tab.
  5. Click Change Permissions.
  6. Deselect Include inheritable permissions from this object's parent.
  7. Click Add to convert inherited permissions to explicit permissions.
  8. Click OK, click OK again.
  9. You can now remove group permissions as per how to set permissions above, but do not remove the listing for Domain Admins

Denying access

Besides granting the Allow permissions, you can also grant the Deny permission. The Deny permission always overrides the permissions that have been granted.

Inherited vs effective permissions

Because users can be members of several groups, it is possible for them to have several sets of explicit permissions to a folder or file. When this occurs, the permissions are combined to form the effective permissions, which are the actual permissions you have when logging in and accessing a file or folder. They consist of explicit permissions plus any inherited permissions.

Checking who has effective permissions

To view the NTFS effective permissions

  1. Right-click the file or folder and select Properties.
  2. Select the Security tab.
  3. Click the Advanced button.
  4. Click the Effective Permissions tab.
  5. Click Select, type the name of the user or group you want to view. Click OK.