topic Re: Limited Access File Structure in Vault Forum

Limited Access File Structure

mtmarchant — Wed, 30 Oct 2024 18:21:54 GMT

Good day,

To preface, I am not a Vault expert. I just happen to be the most experienced person on our team, therefore a lot of Vault related tasks get delegated to me.

We are trying to create a permissions structure within our Vault that accomplishes a couple of things:

We want to prohibit the moving of files and folders
We want to prohibit the renaming of folders (preferable to limit file renaming as well, but not a necessity)

Simply put, this is our fundamental folder structure and desired permissions:

I have very limited experience working with Vault groups and roles. I have been doing some testing this morning:

I created a test Vault account with a spare license to try out these changes
I created two new roles, for simplicity's sake we can call these:
1. General Access Role - This role is a copy of an existing role that essentially allows full functionality of Vault (read/write files and folders, rename files/folders, move files/folders, etc.)
2. Limited Access Role - This role is essentially the same as the General Access role, with the exception that the File Rename, File Move, and Folder Rename permissions have been omitted.
I created two new groups, for simplicity's sake we can call these:
1. General Access Group
2. Limited Access Group
I then set the Object-based security permissions for the "Limited Access File and Folder Structure" to:
1. General Access Group - Read = Allow, Modify = Blank, Delete = Blank, Download = Allow
2. Limited Access Group - Read = Allow, Modify = Allow, Delete = Blank, Download = Allow

I then tested these permissions out with the test account, and found that I could still rename folders, rename files, and move files/folders.

I am a bit stumped, and feel like I could easily go in the wrong direction, and am looking for some potential aid. It is very possible that without diligent research I could cause more harm than good, and if it is necessary to get a more experienced individual contracted to help, then I can push for that with my superiors.

I appreciate any input!

Re: Limited Access File Structure

ihayesjr — Wed, 30 Oct 2024 18:50:37 GMT

@mtmarchant

What out of the box groups did you add this test user to?

Re: Limited Access File Structure

ihayesjr — Wed, 30 Oct 2024 18:59:35 GMT

@mtmarchant

I also recommend that you review this class.

Security Awakens: Defending Against the First Order | Autodesk University

Re: Limited Access File Structure

ihayesjr — Wed, 30 Oct 2024 19:01:28 GMT

@mtmarchant

Another note: assign the user the out-of-the-box Document Editor (Level 1) group.

This group does not allow users to rename a file or folder.

Re: Limited Access File Structure

mtmarchant — Wed, 30 Oct 2024 19:07:52 GMT

I'm not currently using any out of the box groups or roles.

Re: Limited Access File Structure

ihayesjr — Wed, 30 Oct 2024 19:09:44 GMT

I recommend that you start with the Out-of-box roles and start with testing the File and Folder rename restrictions.

Re: Limited Access File Structure

mtmarchant — Thu, 31 Oct 2024 13:01:56 GMT

I've tested out the Document Editor (Level 1) role, and it is prohibiting file and folder renames. An interesting interaction is occurring with the file rename, however. I get the standard message saying "you do not have permission to complete this task. contact your administrator", however, I'm also getting this message:

Additionally, the file is then being checked out by the user. This appears to happen automatically after a file rename attempt.

Re: Limited Access File Structure

ihayesjr — Thu, 31 Oct 2024 13:08:36 GMT

@mtmarchant

Thank you, I noticed the same error and informed the development team to address this.

Re: Limited Access File Structure

daniel_ramirez_NIPG — Thu, 31 Oct 2024 13:58:52 GMT

@mtmarchant thank you for sharing.

I notice in your initial post description that for the groups the permissions were set contrary to the intent you described. In my humble opinion (I'm not a vault expert nor I have enough experience) they should have been as follows:

General Access Group - Read = Allow, Modify = Allow, Delete = Blank, Download = Allow
Limited Access Group - Read = Allow, Modify = Deny/Blank, Delete = Blank, Download = Allow

I'm not very sure the exact differences between "Blank" or "Deny", if anybody does I believe that it would be beneficial to pinpoint it here for the use-case.

Thanks,

Daniel Ramirez
CAD Manager

Re: Limited Access File Structure

ihayesjr — Thu, 31 Oct 2024 14:05:16 GMT

@daniel_ramirez_NIPG

Take a look at this Help topic which explains the "Blank" or "None" works.

Vault 2025 Help | Access Control Lists (acls) | Autodesk

Re: Limited Access File Structure

mtmarchant — Thu, 31 Oct 2024 15:37:39 GMT

OK, so I have managed to get one test group and user working with the correct behavior:

New files and folders can be created under the Limited Access folder structure.
These files and folders cannot be renamed, and they cannot be moved.

However, I need this user to have access to the General Access folder structure to be able to create new files and folders, and rename and move those files and folders.

When I go to add this user to the General Access group, it allows them to rename and move files and folders in the Limited Access folder structure. These are what the Object-Based Security settings look like for the Limited Access folder structure:

If I remove the user from the General Access group, it works just fine. But when they are in that group, even though the Modify is implicitly denied, it allows modification (rename files/folders, move files/folders), though the Limited Access group does not include these permissions (Limited Access group contains only the Document Editor (Level 1) and Document Manager (Level 1) roles).

I'm essentially just wanting to limit files and folders being renamed, and prohibit these files from being moved once they have been checked into the Limited Access folder structure. Users still need read/write access to download these files and check them out and modify as necessary.

Re: Limited Access File Structure

ihayesjr — Thu, 31 Oct 2024 17:39:23 GMT

You will not be able to restrict them from moving and renaming files and folders under a specific structure and not others.

The Roles are across all of Vault, not inside of the structure.

Re: Limited Access File Structure

mtmarchant — Thu, 31 Oct 2024 17:42:54 GMT

Well, that is unfortunate news to hear, considering the workflow we were going for. But, I'm glad I made this forum post, otherwise I would have continued to try to twist and turn to make this workflow work.

Thank you, Irvin, for helping me out with this.