Advanced Server offers a set of standard permissions that you can set on files and directories in Advanced Server volumes. These standard permissions offer combinations of specific types of access called individual permissions.
Standard permissions for directories and files and their meanings are shown in the following tables, along with descriptions of each standard permission.
In the first column of the first table (Directory Permissions), the first set of permissions applies to the directory itself; the second set of permissions applies to the files that are present in the directory when you assign the permissions (if the Replace Permissions on existing files option is enabled) and to all of the files that will be created in this directory after the permissions are set.
Standard Permissions for Advanced Server Directories and Files

| Permissions | Meaning |
|---|---|
| Directory: | |
| No Access (None) (None) | User cannot access the directory in any way, even if the user is a member of a group that has been granted access to the directory. |
| List (RX) (Not Specified) | User can only list the files and subdirectories in this directory and change to a subdirectory of this directory. User cannot access files in this directory. |
| Read (RX) (RX) | User can read the contents of files in this directory and run applications in the directory. |
| Add (WX) (Not Specified) | User can add files to the directory but cannot read the contents of current files, change them, or list files. |
| Add & Read (RWX) (RX) | User can add files to the directory and read current files but cannot change files. |
| Change (RWXD) (RWXD) | User can read and add files and change the contents of current files. |
| Full Control (All) (All) | User can read and change files, add new ones, change permissions for the directory and its files, and take ownership of the directory and its files. |
| File: | |
| No Access | User cannot access the file in any way, even if the user is a member of a group that has been granted access to the file. |
| Read (RX) | User can read the contents of the file and run it if it is an application. |
| Change (RWXD) | User can read, modify, and delete the file. If the file is an application, the user can run it. |
| Full Control (All) | User can read, modify, delete, set permissions for, and take ownership of the file. If the file is an application, user can run it. |

Individual permissions and their abbreviations are as follows:

| Individual permission | Abbreviation |
|---|---|
| Read | R |
| Write | W |
| Execute | X |
| Delete | D |
| Change Permissions | P |
| Take Ownership | O |

When you set a standard permission, the abbreviations for the individual permissions appear beside the standard permission. For example, when you set the standard permission Read on a file, the abbreviation RX appears beside it.
In addition to setting standard permissions, you can set special access permissions. Special access permissions allow you to define a custom set of individual permissions for directories and files. For information about special access permissions, see Setting Customized “Special Access” Permissions.
To work effectively with Advanced Server security, keep the following points in mind when setting file permissions:
The No Access permission overrides all other permissions. However, you can grant a group access to a file while using the No Access permission to prevent access to a subgroup or individual who is a member of that group. For example, suppose Jane is a member of Coworkers and Coworkers has the Change permission for a file. If you then set the No Access permission for Jane for the file, Jane will be unable to use the file even though she is a member of a group that can access the file.
Note that you do not have to assign No Access to every user or group that you want to prevent from accessing a file or directory. You can prevent a user from accessing a file or directory just by not granting the user (or any groups the user is a member of) any permissions for it.
By default, new files and new subdirectories inherit permissions from the directory in which they are created. For example, if you add a file to a directory where the Coworkers group has Change permission and the Finance group has Read permission, those same permissions will apply to the file.
When you change the permissions on an existing directory, you choose whether to apply the changes to all files and subdirectories in the directory.
The user who creates a file or directory is the owner of that file or directory. The owner can control access to the file or directory by changing the permissions set on it.
The easiest way to administer security is by setting permissions for groups rather than individual users. Typically, a user needs access to many files. If the user is a member of a group that has access to the files, you can end the user's access by removing the user from the group rather than changing the permissions on each of the files. Setting permissions for an individual user does not override the access granted to the user through groups to which the user belongs.
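The points above, worked through as an added example: a simplified Python model written for this page, not Advanced Server code. It reuses the page's Jane, Coworkers and Finance names; the other user names, the MEMBERSHIP table and the function names are assumptions, "All" is taken to mean the six individual permissions listed earlier, and grants from a user's own entry and from group entries are treated as cumulative.

```python
# Added illustration: a simplified model of the rules on this page.
NO_ACCESS = "No Access"
ALL = frozenset("RWXDPO")  # assumption: "All" = the six individual permissions

# Standard directory permission -> (rights on directory, rights for its files).
# None models "Not Specified": the entry gives nothing on files.
DIR_STANDARD = {
    "No Access":    (NO_ACCESS, NO_ACCESS),
    "List":         (frozenset("RX"), None),
    "Read":         (frozenset("RX"), frozenset("RX")),
    "Add":          (frozenset("WX"), None),
    "Add & Read":   (frozenset("RWX"), frozenset("RX")),
    "Change":       (frozenset("RWXD"), frozenset("RWXD")),
    "Full Control": (ALL, ALL),
}

def effective_rights(user, groups, acl):
    """acl maps a user or group name to a set of rights or NO_ACCESS."""
    rights = set()
    for name in {user, *groups}:
        entry = acl.get(name)
        if entry == NO_ACCESS:
            return frozenset()   # No Access overrides every other grant
        if entry:
            rights |= entry      # user and group grants accumulate
    return frozenset(rights)     # no matching entry means no access

def inherited_file_acl(dir_acl):
    """ACL a new file inherits from a directory ACL of standard permissions."""
    file_acl = {}
    for name, standard in dir_acl.items():
        file_part = DIR_STANDARD[standard][1]
        if file_part is not None:  # "Not Specified" adds no entry
            file_acl[name] = file_part
    return file_acl

# Constructed sample data: group membership and one directory ACL.
MEMBERSHIP = {"jane": ["Coworkers"], "raj": ["Coworkers"],
              "ana": ["Finance"], "lee": []}
report_acl = inherited_file_acl({"Coworkers": "Change", "Finance": "Read"})
report_acl["jane"] = NO_ACCESS  # deny a single member of Coworkers

if __name__ == "__main__":
    for user, groups in MEMBERSHIP.items():
        rights = effective_rights(user, groups, report_acl)
        print(user, "".join(sorted(rights)) or "(no access)")
```
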
Every file and directory on a volume has an owner. The owner controls how permissions are set on the file or directory and can grant permissions to others.
When a file or directory is created, the person creating the file or directory automatically becomes its owner. It is expected that administrators will create most files on network servers, such as when they install applications on the server. Therefore, most files on a server will be owned by administrators, except for data files created by users and files in users' home directories.
Ownership can be transferred in the following ways:
The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership at any time.
An administrator can take ownership of any file on the computer. For example, if an employee leaves the company suddenly, the administrator can take control of the employee's files.
Note
Although an administrator can take ownership, the administrator cannot transfer ownership to others. This restriction keeps the administrator accountable.
For more information, see "To take ownership of files or directories" in Windows NT Help.
You also can take file ownership by using the net perms command. For more information, type net help perms at the Advanced Server command prompt.