Override Folder Security Settings

kolesaa · ‎01-29-2014

quote from Help

Right-click a file, folder, or custom objectin the vault and select Details.
You can also access the Details dialog by selecting Details from the File menu.
In the Details dialog, select the Security tab. The Override Security check box is accessible, even when the security mode is role-based.
Select the Override security check box to enable the Access Control List associated with the fileand manually edit access permissions.
Note: If the Override security check box is selected but no permission changes are made, the system assumes that the user wants to create a new security access control list with the same settings.

I do not understand, this is only applicable to a file or files and folders?

I found a similar unsolved topic: Folder and child overrides?

herrerh · ‎01-30-2014

The steps work for Files, Folders and Custom Obkects. Is that what you're asking since the steps asdie from the first statement only mentions files?

-Hywell

Hywell Herrero
Data Management Support Specialist
Product Support
Autodesk, Inc.

kolesaa · ‎01-30-2014

Well, I understand what it means to file ... But what does it mean for a folder? What effect this property to a folder?

ihayesjr · ‎01-30-2014

See the Read, Modify, Delete table in the help link you supplied. If the files in the folder you are changning security on don't have any security on them, they will use the security of the folder.

Irvin Hayes Jr
Sr. Product Manager
Autodesk, Inc.
Vault - Under the Hood Blog

Maxim-CADman77 · ‎01-30-2014

Sorry byt still not clear.
Won't those files have folder's security on them in both cases: without "foder security override" and with it?

... studying Autodesk Inventor since 2005 ...

ihayesjr · ‎01-30-2014

Let me try and clarify. A security override is just resetting the current security that the folder may have from a lifecycle state or from an higher level folder.

Therefore, with or without an override if the folder security is set and the files have no security, they will use the folders security setting.

A file, folder, or custom object that does not have an Access Control List defined uses role-based security. Refer to Managing Roles for more information.

Irvin Hayes Jr
Sr. Product Manager
Autodesk, Inc.
Vault - Under the Hood Blog

ihayesjr · ‎01-30-2014

What also may help is the class I present at Autodesk University this year. Take a look at the handout to see if that helps you understand security.

Irvin Hayes Jr
Sr. Product Manager
Autodesk, Inc.
Vault - Under the Hood Blog

kolesaa · ‎01-31-2014

Thank you for the answer Irvin

As I understand Override folder has the highest priority and will be inherited by all files and folders that are inside? A an override security objects within the folder will have priority overrated the parent folder?

ihayesjr · ‎01-31-2014

Folder A

----> Sub Folder 1

----> Sub Folder 2

Scenario 1

Folder A has security configured.
Sub Folder 1 & 2 have no security configured.
The Files within Folder A and the sub folders have no security configured.
Sub Folder 1 & 2 will inherit the security of Folder A
All Files will inherit the security of it's parent folder.

Scenario 2

Folder A has security configured.
Sub Folder 1 has no security configured.
Sub Folder 2 has an override security configured.
The Files under Folder A, Sub Folder 1 and the files under Sub Folder 1 will inherit the security of Folder A
Sub Folder 2 and the files under Sub Folder 2 will follow the security set on Sub Folder 2.

If the Administrator changes the security on Folder A

The Files under Folder A, Sub Folder 1 and the files under Sub Folder 1 will inherit the security changes of Folder A
Sub Folder 2 and the files under Sub Folder 2 will not inherit the change.

Irvin Hayes Jr
Sr. Product Manager
Autodesk, Inc.
Vault - Under the Hood Blog

Maxim-CADman77 · ‎01-31-2014

files="" under="">
Sub Folder 2 will not inherit the change >

Will security for files under Sub Folder 2 be independent on which
option would be chosen for Propagate (Not apply/Append/Replace)?

... studying Autodesk Inventor since 2005 ...

ihayesjr · ‎01-31-2014

The propagte option only changes sub folder security not files. If the file's security is inherited from the folder, it will change with the propagation setting.

Irvin Hayes Jr
Sr. Product Manager
Autodesk, Inc.
Vault - Under the Hood Blog

Maxim-CADman77 · ‎01-31-2014

Does this mean that situation when files is accessible while root folder
is not accessible is possible?

... studying Autodesk Inventor since 2005 ...

ihayesjr · ‎01-31-2014

A user may be able to find the file using search but they will not be able to download the file because they do not have access to the folder.

Irvin Hayes Jr
Sr. Product Manager
Autodesk, Inc.
Vault - Under the Hood Blog

Jan_T · ‎07-25-2014

If a user can find a file with search he can download it easy using drag and drop.

bertvandersman · ‎11-25-2014

Folder ACL has little meaning when the folder's files have "State Security" 🙂

Jan_T · ‎11-25-2014

Make it 😞

We use now folder security without state security and override security for the "released" files using the Job Server.

smilinger · ‎11-26-2014

The big difference between override security and role based security is, override security will not be inherited by default. Override security settings is very useful in such scenario:

Say I have 3 groups: Administrators, Project Creators, Everyone

My folder structure is as follow:

$

---->Projects

---->Project 1

---->Project 2

...

For root folder I grant readonly permission for Everyone, full control for Administrators.
For Projects folder I grant full control for Everyone (or leave it blank).
After that For Projects folder I tick the "Security Override" checkbox, I change the permissions to grant readonly permission for Everyone, and full control for Project Creators and Administrators.
Now there are 2 sets of permissions on the Projects folder: role based security and override security.

Results:

Only administrators and assigned project creators can create, rename or delete project folder under Projects.
Normal users are not permitted to create, rename or delete folders under Projects.
New project folder created under Projects will inherit the role based security (full control for Everyone) from Projects.
Normal users now have full control under the new created project folder.

In such way, we can prevent users from messing up our vault folder structure.

cvdcage · ‎11-28-2014

A user may be able to find the file using search but they will not be able to download the file because they do not have access to the folder.

I wish this was the case. Users CAN download/get files in folders they have no permission to. This is exactly the problem we have. We are not able to use security based lifecycle changes on the files.

We had to create a custom add-in so users can't check-out released files because of this.

Maxim-CADman77 · ‎11-28-2014

Could you post step-by-step procedure following which each and every would be able to reproduce the issue you are referencing to?

... studying Autodesk Inventor since 2005 ...

Jan_T · ‎12-06-2014

We have the following structure (simplifeid):

Productgroup1

--PDF

--Engineering

Productgroup2

--PDF

--Engineering

Productgroup3

--PDF

--Engineering

etc.

Folder security:

Members of the Viewing1 group have read only access to Productgroup1\PDF, no access to Productgroup1\Engineering

Members of the Consuming1 group have read only access to Productgroup1\PDF and Productgroup1\Engineering

Members of the Engineering1 group have read access to the PDF folder and read/write access Productgroup1\Engineering

Viewing1+Consuming1+Engineering1 do not have access to Productgroup2 and Productgroup3 etc.

The pdf files in the PDF folders are created by the Job Server

The problem is that the lifecycle security will give access to a file according the settings in the lifecycle definitions. If we want to use 1 lifecycle for Inventor files everyone will get access to files in all folders. User cannot browse to the file but can do a search, find and download the files in the folders they do not have access to.

To use the Vault for the folder structure above + lifecycles we need to create multiple Vault Lifecycles for each productgroup what will be unpossible to manage.

Lifecycles should honoured the folder security. So when a state change the lifcycle security should only apply for security settings if they are not conflicting with the folder security.

Override Folder Security Settings

Override Folder Security Settings

Forums Links

Post to forums