Limited Access File Structure

Message 1 of 13

mtmarchant
Advocate

Good day,

 

To preface, I am not a Vault expert. I just happen to be the most experienced person on our team, therefore a lot of Vault-related tasks get delegated to me.

 

We are trying to create a permissions structure within our Vault that accomplishes a couple of things:

  1. We want to prohibit the moving of files and folders
  2. We want to prohibit the renaming of folders (preferable to limit file renaming as well, but not a necessity)

Simply put, this is our fundamental folder structure and desired permissions:

mtmarchant_0-1730311832228.png

I have very limited experience working with Vault groups and roles. I have been doing some testing this morning:

  1. I created a test Vault account with a spare license to try out these changes
  2. I created two new roles, for simplicity's sake we can call these:
    1. General Access Role - This role is a copy of an existing role that essentially allows full functionality of Vault (read/write files and folders, rename files/folders, move files/folders, etc.)
    2. Limited Access Role - This role is essentially the same as the General Access role, with the exception that the File Rename, File Move, and Folder Rename permissions have been omitted.
  3. I created two new groups, for simplicity's sake we can call these:
    1. General Access Group
    2. Limited Access Group
  4. I then set the Object-based security permissions for the "Limited Access File and Folder Structure" to:
    1. General Access Group - Read = Allow, Modify = Blank, Delete = Blank, Download = Allow
    2. Limited Access Group - Read = Allow, Modify = Allow, Delete = Blank, Download = Allow

I then tested these permissions out with the test account, and found that I could still rename folders, rename files, and move files/folders.

 

I am a bit stumped, and feel like I could easily go in the wrong direction, and am looking for some potential aid. It is very possible that without diligent research I could cause more harm than good, and if it is necessary to get a more experienced individual contracted to help, then I can push for that with my superiors.

I appreciate any input!

Mack Marchant - Project Engineer
Message 2 of 13

ihayesjr
Community Manager

@mtmarchant 

What out-of-the-box groups did you add this test user to?




Irvin Hayes Jr
Principal Product Manager
Autodesk, Inc.

Vault - Under the Hood Blog
Message 3 of 13

ihayesjr
Community Manager

@mtmarchant 

I also recommend that you review this class.

Security Awakens: Defending Against the First Order | Autodesk University




Irvin Hayes Jr
Principal Product Manager
Autodesk, Inc.

Vault - Under the Hood Blog
Message 4 of 13

ihayesjr
Community Manager

@mtmarchant 

Another note: assign the user the out-of-the-box Document Editor (Level 1) group.

This group does not allow users to rename a file or folder.




Irvin Hayes Jr
Principal Product Manager
Autodesk, Inc.

Vault - Under the Hood Blog
Message 5 of 13

mtmarchant
Advocate
I'm not currently using any out of the box groups or roles.
Mack Marchant - Project Engineer
Message 6 of 13

ihayesjr
Community Manager

I recommend that you start with the Out-of-box roles and start with testing the File and Folder rename restrictions.

 




Irvin Hayes Jr
Principal Product Manager
Autodesk, Inc.

Vault - Under the Hood Blog
Message 7 of 13

mtmarchant
Advocate

I've tested out the Document Editor (Level 1) role, and it is prohibiting file and folder renames. An interesting interaction is occurring with the file rename, however. I get the standard message saying "you do not have permission to complete this task. contact your administrator"; however, I'm also getting this message:

mtmarchant_0-1730379656190.png


Additionally, the file is then being checked out by the user. This appears to happen automatically after a file rename attempt.

Mack Marchant - Project Engineer
Message 8 of 13

ihayesjr
Community Manager

@mtmarchant 

Thank you, I noticed the same error and informed the development team to address this.




Irvin Hayes Jr
Principal Product Manager
Autodesk, Inc.

Vault - Under the Hood Blog
Message 9 of 13

daniel_ramirez_NIPG
Explorer

@mtmarchant thank you for sharing. 

I notice in your initial post description that for the groups the permissions were set contrary to the intent you described. In my humble opinion (I'm not a Vault expert, nor do I have enough experience) they should have been as follows:

  1. General Access Group - Read = Allow, Modify = Allow, Delete = Blank, Download = Allow
  2. Limited Access Group - Read = Allow, Modify = Deny/Blank, Delete = Blank, Download = Allow

I'm not very sure of the exact differences between "Blank" and "Deny"; if anybody is, I believe that it would be beneficial to pinpoint them here for the use case.

Thanks,

Daniel Ramirez
CAD Manager

Message 10 of 13

ihayesjr
Community Manager

@daniel_ramirez_NIPG 

Take a look at this Help topic, which explains how "Blank" or "None" works.

Vault 2025 Help | Access Control Lists (acls) | Autodesk




Irvin Hayes Jr
Principal Product Manager
Autodesk, Inc.

Vault - Under the Hood Blog
Message 11 of 13

mtmarchant
Advocate

OK, so I have managed to get one test group and user working with the correct behavior:

New files and folders can be created under the Limited Access folder structure.
These files and folders cannot be renamed, and they cannot be moved.

However, I need this user to have access to the General Access folder structure to be able to create new files and folders, and rename and move those files and folders.

When I go to add this user to the General Access group, it allows them to rename and move files and folders in the Limited Access folder structure. These are what the Object-Based Security settings look like for the Limited Access folder structure:

mtmarchant_0-1730388794786.png


If I remove the user from the General Access group, it works just fine. But when they are in that group, even though the Modify is implicitly denied, it allows modification (rename files/folders, move files/folders), though the Limited Access group does not include these permissions (Limited Access group contains only the Document Editor (Level 1) and Document Manager (Level 1) roles).

I'm essentially just wanting to limit files and folders being renamed, and prohibit these files from being moved once they have been checked into the Limited Access folder structure. Users still need read/write access to download these files and check them out and modify as necessary.



Mack Marchant - Project Engineer
Message 12 of 13

ihayesjr
Community Manager
Accepted solution

You will not be able to restrict them from moving and renaming files and folders under a specific structure and not others.

The Roles are across all of Vault, not inside of the structure.




Irvin Hayes Jr
Principal Product Manager
Autodesk, Inc.

Vault - Under the Hood Blog
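
The accepted answer above, worked through as a small model: roles are unioned across all of a user's groups vault-wide, while the folder ACL only gates Read/Modify/Delete/Download. This is an added example, not Autodesk code or the Vault API; the ACL rule used (explicit Deny wins, blank is an implicit deny), the assumption that every action needs Modify on the object, and the stand-in permission "File Edit" are simplifications made here.

```python
# Simplified model of the behaviour described in this thread (not Vault code).
ALLOW, DENY, BLANK = "Allow", "Deny", None

# Role -> permissions. The rename/move names come from the thread; "File Edit"
# is a constructed stand-in for everything else both roles share.
ROLE_PERMS = {
    "General Access Role": {"File Edit", "File Rename", "File Move", "Folder Rename"},
    "Limited Access Role": {"File Edit"},
}
GROUP_ROLES = {
    "General Access Group": ["General Access Role"],
    "Limited Access Group": ["Limited Access Role"],
}
# Object-based security on the Limited Access structure, as listed in message 1.
LIMITED_ACL = {
    "General Access Group": {"Read": ALLOW, "Modify": BLANK, "Delete": BLANK, "Download": ALLOW},
    "Limited Access Group": {"Read": ALLOW, "Modify": ALLOW, "Delete": BLANK, "Download": ALLOW},
}

def role_permissions(groups):
    """Roles are vault-wide: union over every group, no folder involved."""
    perms = set()
    for group in groups:
        for role in GROUP_ROLES[group]:
            perms |= ROLE_PERMS[role]
    return perms

def acl_right(acl, groups, right):
    """Assumed ACL rule: explicit Deny wins, else any Allow, else implicit deny."""
    entries = [acl[g].get(right) for g in groups if g in acl]
    return DENY not in entries and ALLOW in entries

def can(groups, action, acl):
    """Assumption: every modelled action needs Modify on the object."""
    return action in role_permissions(groups) and acl_right(acl, groups, "Modify")

def with_modify_denied(acl, group):
    """Copy of the ACL with an explicit Modify = Deny for one group."""
    return {g: ({**e, "Modify": DENY} if g == group else dict(e)) for g, e in acl.items()}
```

In this model a user in both groups can rename and move inside the Limited Access structure, and an explicit Modify = Deny stops that only by also stopping edits.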
Message 13 of 13

mtmarchant
Advocate
Well, that is unfortunate news to hear, considering the workflow we were going for. But, I'm glad I made this forum post, otherwise I would have continued to try to twist and turn to make this workflow work.

Thank you, Irvin, for helping me out with this.
Mack Marchant - Project Engineer