Book: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Understanding file and folder permissions

The basic permissions you can assign to files and folders are summarized in Table 4–2. File permissions include Full Control, Modify, Read + Execute, Read, and Write. Folder permissions include Full Control, Modify, Read + Execute, List Folder Contents, Read, and Write.

TABLE 4–2 File and folder permissions used by Windows Server 2012 R2

| PERMISSION | MEANING FOR FOLDERS | MEANING FOR FILES |
|---|---|---|
| Read | Permits viewing and listing files and subfolders | Permits viewing or accessing a file’s contents |
| Write | Permits adding files and subfolders | Permits writing to a file |
| Read + Execute | Does not permit viewing the contents of files. You can list file and folder names, but you can’t open files to read, nor can you execute files if that execute requires opening the file (as in a batch or PS1 file). Inherited by files and folders. | Permits viewing and accessing a file’s contents in addition to executing a file |
| List Folder Contents | Permits viewing and listing file names and subfolder names in addition to executing files; inherited by folders only | Not applicable |
| Modify | Permits reading and writing of files and subfolders; allows deletion of the folder | Permits reading and writing of a file; allows deletion of a file |
| Full Control | Permits reading, writing, changing, and deleting files and subfolders | Permits reading, writing, changing, and deleting a file |

Any time you work with file and folder permissions, you should keep the following in mind:

• Read is the only permission needed to run scripts. Execute permission doesn’t matter.

• Read access is required to access a shortcut and its target.

• Giving a user permission to write to a file but not to delete it doesn’t prevent the user from deleting the file’s contents.

• If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files.

The basic permissions are created by combining special permissions in logical groups. Table 4–3 shows special permissions used to create the basic permissions for files. By using advanced permission settings, you can assign these special permissions individually, if necessary. As you study the special permissions, keep the following in mind:

• By default, if no access is specifically granted or denied, the user is denied access. Further, if a permission has been explicitly denied, the deny will override any permission grant.

• Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups of which the user is a member. For example, if the user GeorgeJ has Read access and is a member of the group Techies, which has Change access, GeorgeJ will have Change access. If Techies is a member of Administrators, which has Full Control, GeorgeJ will have complete control over the file. However, if GeorgeJ has been explicitly denied a permission, the deny will override any grant.

TABLE 4–3 Special permissions for files

| SPECIAL PERMISSIONS | FULL CONTROL | MODIFY | READ+EXECUTE | READ | WRITE |
|---|---|---|---|---|---|
| Traverse Folder/Execute File | Yes | Yes | Yes | | |
| List Folder/Read Data | Yes | Yes | Yes | Yes | |
| Read Attributes | Yes | Yes | Yes | Yes | |
| Read Extended Attributes | Yes | Yes | Yes | Yes | |
| Create Files/Write Data | Yes | Yes | | | Yes |
| Create Folders/Append Data | Yes | Yes | | | Yes |
| Write Attributes | Yes | Yes | | | Yes |
| Write Extended Attributes | Yes | Yes | | | Yes |
| Delete Subfolders And Files | Yes | | | | |
| Delete | Yes | Yes | | | |
| Read Permissions | Yes | Yes | Yes | Yes | Yes |
| Change Permissions | Yes | | | | |
| Take Ownership | Yes | | | | |
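
The rules stated above (default deny, grants summed across the user and every group the user belongs to, an explicit deny overriding any grant) can be modeled together with the Table 4–3 columns. This is an added example, not code from the book: it is a simplified model of the rules as worded here rather than the Windows access check itself, the ACL entries are constructed, and the text's "Change access" is assumed to correspond to Modify.

```python
from enum import Flag

# Special permissions: the rows of Table 4-3, one bit each.
SP = Flag("SP", "TRAVERSE_EXECUTE LIST_READ_DATA READ_ATTR READ_EXT_ATTR "
                "CREATE_WRITE_DATA CREATE_APPEND_DATA WRITE_ATTR WRITE_EXT_ATTR "
                "DELETE_CHILDREN DELETE READ_PERMS CHANGE_PERMS TAKE_OWNERSHIP")

_READ = SP.LIST_READ_DATA | SP.READ_ATTR | SP.READ_EXT_ATTR | SP.READ_PERMS
_WRITE = (SP.CREATE_WRITE_DATA | SP.CREATE_APPEND_DATA | SP.WRITE_ATTR
          | SP.WRITE_EXT_ATTR | SP.READ_PERMS)

# Basic permissions: the columns of Table 4-3.
BASIC = {
    "Read": _READ,
    "Write": _WRITE,
    "Read+Execute": _READ | SP.TRAVERSE_EXECUTE,
    "Modify": _READ | _WRITE | SP.TRAVERSE_EXECUTE | SP.DELETE,
    "Full Control": ~SP(0),  # every special permission
}

def groups_of(principal, member_of):
    """Return the principal plus every group reached through nested membership."""
    seen, todo = set(), [principal]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(member_of.get(p, ()))
    return seen

def effective(user, member_of, acl):
    """acl is a list of (principal, "allow" or "deny", basic permission name)."""
    who = groups_of(user, member_of)
    allow = deny = SP(0)
    for principal, kind, basic in acl:
        if principal in who:
            if kind == "deny":
                deny |= BASIC[basic]
            else:
                allow |= BASIC[basic]
    # Deny overrides any grant; nothing granted leaves SP(0), i.e. access denied.
    return allow & ~deny

# Constructed sample data following the GeorgeJ example in the text.
MEMBER_OF = {"GeorgeJ": ["Techies"], "Techies": ["Administrators"]}
ACL = [("GeorgeJ", "allow", "Read"), ("Techies", "allow", "Modify"),
       ("Administrators", "allow", "Full Control")]
```

Adding `("GeorgeJ", "deny", "Write")` to `ACL` removes every special permission in the Write column from the result, including Read Permissions, even though GeorgeJ still reaches Full Control through Administrators.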

Table 4–4 shows special permissions used to create the basic permissions for folders. As you study the special permissions, keep in mind that when you create files and folders, these files and folders inherit certain permission settings from parent objects. These permission settings are shown as the default permissions.

TABLE 4–4 Special permissions for folders

SPECIAL PERMISSIONS FULL CONTROL MODIFY READ+EXECUTE LIST FOLDER CONTENTS READ WRITE
Traverse Folder/Execute File Yes Yes Yes Yes
List Folder/Read Data Yes Yes Yes Yes Yes
Read Attributes Yes Yes Yes Yes Yes
Read Extended Attributes Yes Yes Yes Yes Yes
Create Files/Write Data Yes Yes Yes
Create Folders/Append Data Yes Yes Yes
Write Attributes Yes Yes Yes
Write Extended Attributes Yes Yes Yes
Delete Subfolders And Files Yes
Delete Yes Yes
Read Permissions Yes Yes Yes Yes Yes
Change Permissions Yes
Take Ownership Yes
