
Question

Best Practices - deny or Don't Inherit?

asked on December 17, 2013

 Hello!

 

I have something that may be more of a stylistic opinion question.

 

One of my departments has a repository with 50 or so folders in the root.

 

Each of these folders has Entry Access rights applied to a different departmental group.

 

At the root, there are a few other groups which have access to the root, all subfolders and documents.

 

ROOT

---Folder1

---Folder2

---Folder3

---etc.

 

where Department1 has access to Folder1, Department2 has access to Folder2, and SpecialGroup has access to ROOT and everything below.

 

But... now they want to make an exception with ONE folder.  For Folder3 they don't want some of the people (but not All) from the root to have access to it.

 

So, I see a few options:

  1. Uncheck inheritance for Folder 3, then add only the people from Department3 and the other allowed ROOT people to have access to it.  This is fine except when adding other groups to the ROOT access we would need to remember to update the access on Folder3.
  2. Deny those certain people on Folder3.  This seems to be better than #1, since we don't have to remember to do anything in the future, but isn't deny generally against Best Practices?
  3. Remove the rights from the ROOT and apply them to Folder1, Folder2, etc. individually.  This seems like a mess...

 

So, what are your thoughts?  If you had this case, what would you do?

 

 

Thanks in advance!

0 0

Answer

APPROVED ANSWER SELECTED ANSWER
replied on December 17, 2013

I think you're best off going with option #2.  While our best practices are to avoid using "deny" if you can do what you want with "allow" or with inheritance/scope, this is exactly the situation in which a "deny" is appropriate.  Unchecking inheritance is a worse practice (so to speak), since it makes troubleshooting and maintenance a real pain, and while option #3 is technically feasible, it's annoying to maintain in a way that's easily avoidable.

 

So yes: I'd go with using "deny" on the folder in this situation, since it's exactly why we offer that option in the first place.

 

Great question!

5 0
replied on December 18, 2013

Thanks - this looks like it will work out well.  It should be the easiest way to manage this in the future.

0 0
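
The maintenance difference between options #1 and #2, as an added example that is not part of the original thread or any product's own code. It is a simplified model that assumes explicit and inherited entries are combined and that a deny overrides an allow; the user names, the `Auditors` group and all function names are constructed for illustration.

```python
# Constructed model: principals are user or group names; deny overrides allow.
MEMBERS = {  # user -> groups (all names are made up for this example)
    "alice": {"SpecialGroup"},   # ROOT person who should keep Folder3 access
    "bob": {"SpecialGroup"},     # ROOT person who should lose Folder3 access
    "dana": {"Department3"},
    "erin": {"Auditors"},        # member of a group added to ROOT later
}

def build(option):
    """Return {folder: {"inherit": bool, "acl": [(principal, effect)]}}."""
    tree = {"ROOT": {"inherit": False, "acl": [("SpecialGroup", "allow")]}}
    if option == 1:  # break inheritance, re-list everyone who should get in
        tree["Folder3"] = {"inherit": False,
                           "acl": [("Department3", "allow"), ("alice", "allow")]}
    elif option == 2:  # keep inheritance, deny only the excluded person
        tree["Folder3"] = {"inherit": True,
                           "acl": [("Department3", "allow"), ("bob", "deny")]}
    return tree

def can_access(tree, user, folder="Folder3"):
    """Effective access: any matching deny wins, otherwise any allow grants."""
    node = tree[folder]
    entries = list(node["acl"])
    if node["inherit"]:
        entries += tree["ROOT"]["acl"]
    who = {user} | MEMBERS[user]
    effects = {effect for principal, effect in entries if principal in who}
    return "deny" not in effects and "allow" in effects

def add_root_group(tree, group):
    """The later change the question worries about: a new group at ROOT."""
    tree["ROOT"]["acl"].append((group, "allow"))
    return tree

def report(option):
    """Folder3 access per user after a new group is granted access at ROOT."""
    tree = add_root_group(build(option), "Auditors")
    return {user: can_access(tree, user) for user in MEMBERS}

if __name__ == "__main__":
    for opt in (1, 2):
        print(f"option {opt}:", report(opt))
```

Under option #1 the later ROOT grant never reaches Folder3 unless someone remembers to repeat it there; under option #2 it flows down automatically while the excluded person stays blocked.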
