Examples

The examples that follow show how to add groups to folders and specify folder permissions. The same considerations hold true for adding groups to application groups and specifying application group permissions.

Providing a group of users access to a folder

Let's say that you want to provide a single group of users access to a folder. Complete the following steps:

  1. With *PUBLIC selected, clear all of the permissions check boxes (this is the default).
  2. Add the group to the folder.
  3. Select the Access check box.

Users assigned to the group automatically obtain permission to open the folder.

Denying a group of users access to a folder

Let's say that you want to prohibit a single group of users from accessing a folder, while allowing all other users defined to the library server to open the folder. Complete the following steps:

  1. With *PUBLIC selected, select the Access check box (this lets all users open the folder).
  2. Add the group to the folder.
  3. Clear all of the permissions check boxes.

Users assigned to the group cannot open the folder.

Providing one group of users access and denying another group of users access to the same folder

Let's say that you want to allow a group of users to access a folder. However, you need to prohibit certain users in the group from accessing the folder. You could exclude the users from the group that can access the folder. However, there might be other folders that you want the users to access as part of the group. To solve this, create two groups, one without access to the folder and the other with access to the folder, and assign the users to the respective groups. For example:

  1. Create the no access group. This group must have a lower GID than the access group. Add users to the group.
  2. Create the access group. Add users to the group.
  3. With *PUBLIC selected, clear all of the permissions check boxes (this is the default).
  4. Add the access group to the folder.
  5. Select the Access check box.
  6. Add the no access group to the folder.
  7. Clear all of the permissions check boxes.

If you later need to deny other users access to the folder, simply add the users to the no access group. You can also move users from one group to the other.

Denying one user in a group access to a folder

Assume that you want to prohibit one user in a group from accessing a folder. After adding the group to the folder and specifying the access permission, all users assigned to the group can open the folder. To override the group permissions, add an individual user to the folder and set permissions at the user level. Complete the following steps.

  1. With *PUBLIC selected, clear all of the permissions check boxes (this is the default).
  2. Add the group to the folder.
  3. Select the Access check box.
  4. Add the user to the folder.
  5. Clear all of the permissions check boxes.

Even though the user belongs to the group, the user cannot open the folder.

Providing one user in a group administrator authority

Let's say that you want to provide one user in a group the ability to administer the folder. Complete the following steps.

  1. With *PUBLIC selected, clear all of the permissions check boxes (this is the default).
  2. Add the group to the folder.
  3. Select the Access check box.
  4. Add the user to the folder.
  5. Select the Administrator check box.

Only the user that you added can administer the folder; the other users in the group can open the folder.

Specifying default permissions

The default permissions that you specify for an application group or a folder will apply to every user or group defined to the library server who is not provided with specific permissions.

For example, suppose that you specify Access as the default permission for an application group. Every user and group that is not provided with specific permissions can access the data that is stored in the application group. Then, you specify Access as the default permission for a folder. Every user and group that is not provided with specific permissions can open the folder. Later, you add a user, without specifying application group or folder permissions. The user can open the folder and access the data stored in the application group.

While default permissions do provide flexibility to maintain your system, you must make sure that using the default permissions does not circumvent your security strategy. Rather than specifying default permissions for application groups and folders, you might want to use groups as a means to implement your security strategy. For example, you can clear all of the permissions under *PUBLIC and then add groups to a folder and specify the appropriate permissions for each group. When you add a user to the system, you can assign the user to a group. The user automatically obtains the permissions of the group. If the group does not have access to a particular application group or folder, then neither does the user. With this strategy, until you assign the user to a group, or provide the user with specific permissions, the user cannot access the folder.