Understanding User Roles and Share Authorization
Overview:
User roles in Shares determine a user's permissions to access and perform actions on a share. There are three user roles for an account authorized to access a share: administrators, managers, and regular users.
Admins have full permissions to view, modify, and remove all existing shares and users. Managers have permissions to view, modify, and remove the shares that they are authorized to manage. Users have permissions that depend on the authorizations given to them by admins and managers.
User, group, and directory service accounts must be authorized to access a share. If authorized, a user can perform the following actions on a share:
- Browse
- Upload
- Download
- Make directory
- Delete directory or file
- Rename
Authorization Precedence
- Authorizations can be granted to users, groups, and directory services.
- Authorization at the user level takes precedence over the user's group or directory service authorizations.
- In the absence of user level authorization, a user is granted the union of all authorizations for the groups and directory services to which the user belongs.
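The precedence rules above, worked through as an added example (not Shares code). The data model, function names and sample accounts are hypothetical and constructed, and the code assumes that any user-level entry, however narrow, counts as present. The second function reports group grants that a user-level entry suppresses, which is the case an access review is most likely to misread:

```python
# Added illustration: hypothetical data model, not the Shares API.
ACTIONS = frozenset({"browse", "upload", "download", "mkdir", "delete", "rename"})

def _group_union(share, user, memberships, group_auth):
    """Union of grants from every group/directory service the user belongs to."""
    granted = set()
    for principal in memberships.get(user, ()):
        granted |= group_auth.get((share, principal), set())
    return frozenset(granted) & ACTIONS

def effective_permissions(share, user, memberships, user_auth, group_auth):
    """Actions `user` may perform on `share` under the precedence rules."""
    direct = user_auth.get((share, user))
    if direct is not None:
        # A user-level authorization wins outright, even if groups grant more.
        # Assumption: an empty user-level entry still counts as present.
        return frozenset(direct) & ACTIONS
    return _group_union(share, user, memberships, group_auth)

def shadowed_group_actions(share, user, memberships, user_auth, group_auth):
    """Group-granted actions that a user-level entry suppresses (for review)."""
    if (share, user) not in user_auth:
        return frozenset()
    return (_group_union(share, user, memberships, group_auth)
            - effective_permissions(share, user, memberships, user_auth, group_auth))

# Constructed sample data: two groups, one user-level override for bob.
MEMBERSHIPS = {"alice": {"engineering", "ldap-staff"},
               "bob": {"engineering", "ldap-staff"}}
GROUP_AUTH = {("projects", "engineering"): {"browse", "upload"},
              ("projects", "ldap-staff"): {"browse", "download"}}
USER_AUTH = {("projects", "bob"): {"browse"}}

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        eff = effective_permissions("projects", name, MEMBERSHIPS, USER_AUTH, GROUP_AUTH)
        hidden = shadowed_group_actions("projects", name, MEMBERSHIPS, USER_AUTH, GROUP_AUTH)
        print(name, sorted(eff), "shadowed:", sorted(hidden))
```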
Administrators
Users with the admin permission are authorized to create new shares and users, as well as to modify or remove any or all shares and users.
- Nodes are only visible to administrators.
- All administrators are authorized to create, edit, and delete any or all nodes and shares.
- Only administrators can create, edit, and delete top-level shares.
Managers
Administrators can use the manager permission to delegate the creation of shares and users to another user without giving that account full administration privileges. Like administrators, managers can view, edit, and remove share authorizations, but only for shares that they manage. Assigning a user to a share as its manager gives that user administrative privileges for that share and all inherited subdirectories. If a user creates a new share within a managed share, the manager of the share has administrative rights to the new share. For instructions on how to authorize manager permissions, see Assigning Users the Manager Role.
Though a user with manager permissions effectively becomes the admin for that share, the following restrictions apply:
- A manager cannot modify or delete the top-level share or any shares above it.
- A manager cannot create a share at the same level as the first share.
- For a manager to administer a group, the manager must have manager permissions for all of that group's shares.
- Managers cannot edit Admin user properties, but they can edit other managers in Admin > Users.
- A manager cannot authorize new users or groups for shares the manager does not manage.
- For a manager to change the password or email of a user, the manager must be a manager of all the shares that user is authorized to access.
Users
Regular users can access any shares that they are authorized to access, but the actions they are allowed to take are set and managed by any user with administrative privileges for that share.