Enhance Security with Egnyte File and Folder Permissions

Collaboration is a key driver of growth in today’s fast-moving business landscape. Your online file server must come equipped with multiple layers of scrutiny and security to ensure that employees can accomplish their work goals without compromising sensitive data or content.

Folder permissions, and subsequently file permissions, must be flexible enough to enhance collaboration with business associates, suppliers, vendors and customers outside the company network.

Understanding User and Permission Levels

Users in Egnyte fall into three broad categories – Administrator, Power User and Standard User.

Administrators

Administrators are the highest level in the hierarchy of user levels and have folder and file access throughout the entire Egnyte account. Nobody can prevent them from accessing specific folders. They can create power users, standard users and groups (for permission assignments). Administrators control license and subscription settings, create root-level folders, etc.

Power Users

All employees within an organization are usually assigned this user level. They can access all the apps, such as the Mobile Apps, Web UI and Desktop App. Power Users can assign permissions to standard users, create folders, and perform specific Admin tasks allowed by Administrators.

Standard Users

You can give your company’s vendors, business partners, and customers access to specific shared folders as Standard Users. Unlike plain sharing, which only offers preview and download access, standard users can edit the content of the folder they have received permission for. They do not have access to other Apps and cannot share any folders or links themselves.

Permission levels fall into four broad categories - Viewer, Editor, Full, and Owner.

Viewer

Viewers have only read access to the contents of a folder. They can download files and make local copies.

Editor

In addition to Viewer privileges, Editors can edit files and upload new content. They can create Upload Links and sub-folders within the main folder they have access to.

Full

In addition to Editor privileges, individuals with Full permission can rename and move files and folders. They can also delete files, specific versions of files, folders, and more.

Owner

Owners have complete authority over folder permission management. They decide how folders are shared across parties.

Utilising Folder Permissions for Enhanced Security

Let’s explore how to manage permissions at the folder level.

Inheritance

By default, folders inherit all of the permissions of their parent folder. However, you can follow the steps below to override this setting to protect sensitive content that only a restricted user base can access.

  • Toggle the Parent Folder Permissions Are Inherited setting to OFF. You will then be offered two options.
  • Remove Inherited Permissions ignores all the users of the parent folder. You can add fresh users or groups one at a time to this folder alone.
  • Keep Existing Permissions copies all the parent folder's users so that you can then remove or change a couple. Going forward, any changes to the parent folder permissions will not impact this child folder.

Inviting Users from Within Your Network

On your folder, click on the Share–Manage Folder Permissions menu. You will see a list of all users who have access to it already. Enter the group or user name to share with a colleague or a group of colleagues. Set the permission you would like for them and Add it. An invitation will go out to them to access the content.

Inviting Users from Outside Your Network

Let’s say you want a vendor or customer to have file access to edit certain information. Proceed the same way as before and enter their email address. The system will identify them as non-account users and add them as Standard Users.

They will now receive a link through which they can access the folder’s contents and all sub-folders that have inherited the parent folder’s permissions.

Managing Granular Permissions & Conflict Handling

Granular folder permissions provide the freedom to control content access at the most basic possible level while adhering to your existing file structure and permission hierarchy. However, this means that someone can have access to a parent folder and may be denied access at a sub-folder level. How do such conflicts get resolved without creating a security hassle?

File permissions are not assigned. All files in a folder have the same permissions as assigned at the folder level.

User Over Group

When dealing with such conflicts, user permissions always trump group permissions. Assume a folder has provided Full access for the entire Finance team. However, it has explicit Editor access for Jack, one of the Finance team members. When Jack accesses the folder, he will have Editor access.

Highest Level from All Groups

If a user is part of multiple groups with access to a folder, they get assigned the highest-level permission from among all groups. For example, if Jack has Full access to a folder as part of the Finance group and Editor access as part of the Payroll group, he will have Full access to all folders shared with all his groups.

Folder and Sub-Folder Conflicts

Permissions at a sub-folder level for a user or group will override permissions from the parent. So, if Jack has Full access to the Finance folder and Viewer access to the Payroll folder, which is a sub-folder of Finance, he will have Viewer permissions to Payroll.

Excluding One User from a Group

Excluding a single user from a group is not possible. If a group has permission to a folder, all group users can access it. The only option here is to specifically assign lower access levels to individual users from the group.

NONE permissions

These can only be set through the Permissions API. A NONE permission denies the specified groups or users any access to the folder. However, if the user with NONE folder permissions belongs to a group with permission to the folder, the permission will be overridden.

Using Permission Migration

For enterprises with an existing on-premises file share system, migrating permissions to the online server is a crucial step while moving to the cloud. The Migration toolkit directly integrates with Active Directory (AD), Single Sign On (SSO), and other similar authentication systems to automate permission settings.

First, users must extract the folder permissions from the source. Next, they should map them to Egnyte and finally, apply the permissions to the folder on the online server.

Important Points to Consider

  • Permissions migration is all or nothing. Hence, it must be done right at the end, just before cutting over, after migrating all the content and creating all the users and groups. If the job has to be repeated, it runs all over again, from scratch.
  • Migrations only consider folder permissions since Egnyte does not create file permissions. The first two steps in the migration process, extraction from source and mapping, take a very long time. These processes are not visible on the Migration Dashboard. The status starts appearing only from Step 3.
  • Path names for folders cannot run more than 256 characters. Hence, if the source has any folder structures that exceed this limit, they must be shortened or moved so the job does not fail.
  • The Migration Summary will indicate any errors during the job run, including missing users or groups. Once these are created on the online server, you can choose to manually assign permissions or run the entire job again.
  • The Permission Simulation App allows you to simulate the permissions migration process so you can identify any missing users or groups beforehand, thus saving you time in reruns.

Permissions Browser

The Permissions Browser gives you access to a high-level view of your permissions hierarchy. It helps you monitor sensitive content with the following features:

  • Quickly search users and groups and get a listing of which folders they can access.
  • View the permission levels assigned to users and groups and who assigned the folder permissions.

Permissions By Folders

Navigate to a folder of interest using the hierarchy tree. You will see a list of all users that have access to this folder and their permission levels. You can check whether the permission was handed to them explicitly or if they inherited it by being part of a group. Folders with sensitive content are highlighted so that you can pay special attention to their file access policies.

Permissions By Users and Groups

The feature effectively allows administrators to view the content hierarchy as seen by a specific user. You can type the name of a user or a group and get a detailed listing of the folders they can access and the permission levels.

Permissions Report

Administrators and Power Users with reporting roles can access two Permissions Reports in the form of a spreadsheet. They show all the folders and sub-folders with permissions at each level.

Folder Permissions Report

Accessible from Report Center -> Permission Reports -> Folder Permission Report. You can view more details about the process on the Egnyte Helpdesk page.

It allows you to run the report for a particular folder, or for a folder and all of its sub-folders.

The report can also display folder permissions for each user in a group based on your request.

User and Group Permissions Report

Accessible from Report Center -> Permission Reports -> User and Group Permissions Report. You can view more details about the process on the Egnyte Helpdesk page.

Type in all the users and groups you would like to include in the report.

Once you complete the list, click the Generate Report button.

Frequently Asked Questions

  1. Can I modify permissions for an Administrator for a specific folder? 

    A: No, administrators, by design, have owner access to all folders. You cannot modify their permissions at all. If such a need arises, assign people as Power Users and grant them admin-specific rights in their role administration.

  2. How can I prevent any folder from being accidentally deleted?

    A: The default setting allows users with Full access to delete and move folders. However, Owners and Administrators can choose to grant permission to delete or move a folder. To prevent accidents, enable the Fixed folder setting, under which only an administrator or an owner can move or delete a folder.

  3. What is a private folder?

    A: All power users, which includes all employees of an organization, have a private folder set up under the root or Shared folder. This folder has their user name assigned to it. It is only accessible to the employee and the group of Administrators. You cannot modify permissions on private folders. 

  4. How can I see all the users that have permissions to a particular folder?

    A: There are two options here.  

    The Folder Permissions Report allows you to see a list of all the users, including those in groups, with access to a folder and its sub-folders. The report also includes their individual permissions. Administrators and Power Users with reporting authority can run the report.

    Alternatively, a folder Owner can open the Manage Folder Permissions window and view the permissions for that folder alone. They cannot access the sub-folder permissions.  

  5. Which is better – turning off inheritance or removing permissions? 

    A: We provide both options to allow users maximum flexibility while setting up file permissions. However, we advise users to put highly sensitive content in a folder with inheritance turned off. Let’s better understand why:

    Case 1: Users A and B are allowed Editor permissions to folder Finance. Let’s say, you create a folder Budget as a sub-folder under Finance. You explicitly remove User B from having access to this folder.  

    Case 2: Users A and B are allowed Editor permissions to folder Finance. Assume you create a folder Budget as a sub-folder under Finance. You create this folder by turning off inheritance and adding User A as the only user with permission to the folder.

    Now, User C is added by an owner to the Finance folder with Editor permissions. As per Case 1, User C now has Editor permission in the Budget folder as well. However, as per Case 2, User C does not have permission to the Budget folder. 
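
The conflict rules described earlier (User Over Group, Highest Level from All Groups, sub-folder over parent) and the two Budget cases in this answer can be checked with a small model; this is an added example, not Egnyte code or its API. The Folder class, the removed set used to represent Case 1, and the sample tree are assumptions made for illustration, and NONE permissions are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["Viewer", "Editor", "Full", "Owner"]  # ascending, as listed in the article

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    inherit: bool = True                        # the inheritance toggle
    users: dict = field(default_factory=dict)   # user -> level set on this folder
    groups: dict = field(default_factory=dict)  # group -> level set on this folder
    removed: set = field(default_factory=set)   # users removed here (modelling assumption)

def nearest(folder, kind, principal):
    """Closest entry for one principal; a sub-folder entry overrides the parent's."""
    node = folder
    while node is not None:
        if kind == "users" and principal in node.removed:
            return None
        if principal in getattr(node, kind):
            return getattr(node, kind)[principal]
        node = node.parent if node.inherit else None  # stop where inheritance is off
    return None

def effective(folder, user, memberships=()):
    own = nearest(folder, "users", user)
    if own is not None:
        return own  # User Over Group: an explicit user entry wins
    found = [lvl for lvl in (nearest(folder, "groups", g) for g in memberships) if lvl]
    return max(found, key=LEVELS.index) if found else None  # highest level from all groups

def demo():
    # Constructed sample tree using the article's folder and user names.
    finance = Folder("Finance", users={"A": "Editor", "B": "Editor"},
                     groups={"Finance": "Full", "Payroll": "Editor"})
    payroll = Folder("Payroll", parent=finance, users={"Jack": "Viewer"})
    case1 = Folder("Budget (Case 1)", parent=finance, removed={"B"})
    case2 = Folder("Budget (Case 2)", parent=finance, inherit=False, users={"A": "Editor"})
    finance.users["C"] = "Editor"  # an owner adds User C to Finance afterwards
    return {
        "jack_groups": effective(finance, "Jack", ["Finance", "Payroll"]),
        "jack_payroll": effective(payroll, "Jack", ["Finance", "Payroll"]),
        "b_case1": effective(case1, "B"),
        "c_case1": effective(case1, "C"),
        "c_case2": effective(case2, "C"),
    }

if __name__ == "__main__":
    print(demo())
```

In the output, User C holds Editor on the Case 1 folder and has no entry on the Case 2 folder, which is the difference the answer above describes.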
