How to set up a folder so that only the creator of a file can modify it?

  • Thread starter Thread starter Thomas Cameron
  • Start date Start date
T

Thomas Cameron

All -

I've mucked about with advanced permissions and I still can't quite get
what I want to work.

I would think this would be easy. Say I have three groups - accounting,
engineering and sales. I create three folders called acct, eng and sales.
I want it set up so that anyone in the group can write to their folder,
but only the person who created a file can modify it later. I want
everyone in the group to be able to read any file, but only the creator
t be able to change it.

How do I do that?

Thanks,
Thomas
 
Give the groups read/list/execute/write permissions and creator owner full
control which is what creator owner usually has. Creator owner should show
as full control for the parent folder of the three folders for acct, eng and
sales for "subfolders and files only" when you view advanced permissions.
Also verify that the file has the owner that you expect after it is
created. --- Steve
 
Actually, that will not satisfy the poster's requirements since
the read/list/execute/write will result in the file defined within
having write granted on it to the group rather than only to the
creating user.

This is a little tricky to accomplish with the NTFS security dialog
as normally things that you grant to Files (Files only, or This folder,
subfolders, and Files, This folder and files, Subfolders and Files only)
will result in the permissions that are applicable to file objects being
set on those files objects at any of the specified levels.

To accomplish what the OP is after here one needs to make use of
the Folder ACE called in the interface Create file.
To do this one may
Grant List to the group, access the Advanced view and highlight
the List grant and Edit it, and finally within the detail edit view
check "Create Files / Write Data". Notice that this is really only
a grant of Create Files since the ACE applies to This folder and
subfolders (i.e. not to file objects).
Then, back on the initial, generic permissions dialog check Read.
If one now goes to Advanced one should see two ACEs for the
group. The new one, Read for This folder, subfolders and files,
and the earlier which shows as Special in the adv dialog and is
applicable to This folder and subfolders, and is a List with the
one added ACE bit.
Another way to do this is
Grant the group Write, and then use the Advanced view to Edit
this so that it applies to This folder and subfolders and so that
all check boxes are cleared except for "Create Files/Write Data".
Then, back at the generic view highlight the group and grant
List folder contents and also grant Read
In both cases one would also grant to Creator Owner , ideally only
Modify but granting other than Full to Creator Owner is really just
a misnomer.
In both cases I have assumed that Execute should not be given to
the group - that these are information / data files and that we do
not want members of the group executing from the storage area.
If they should have execute, then where Read was granted one
would grant Read/Execute.
 
Thanks for catching and correcting that. I missed the part on write only to
their folder and read for any folder. You certainly pointed him to the
solution. --- Steve
 
Back
Top