Creating advanced security settings
NTFS permissions can get confusing because of the way they work. What you just saw was straightforward information: apply a permission, and it takes effect. However, as you investigate further, additional complexity becomes apparent.

This complexity is simplified through the use of advanced security settings. By viewing these settings, you gain insight into the real state of permissions for the selected file or folder. In the main section of the window, you see that each permission entry is individually delineated, showing you exactly which permissions are assigned to specific users and groups (called principals).

To view or change the advanced security settings for a file or folder, complete the following steps:
- On the Properties page shown in Figure 14, tap or click the Advanced button to open the Advanced Security Settings window shown in Figure 16.

Each permission entry is individually listed, showing you exactly which permissions have been assigned to which users and groups, called principals. To the right, you can see the reason the principals are granted the permissions they carry. These permissions have been inherited from C:\. The folder you’re working with in Figure 16 is C:\Shared-files. By default, folders in Windows 8 inherit the permissions of their parent folder. This avoids the need for an administrator to specify permissions for each folder in the system manually.

However, you might want to have permissions change on folders deeper in the hierarchy. Fortunately, that’s not difficult, and the result is that the selected folder will have permissions that are both inherited from the parent folder and set directly. In Figure 17, you can see that the folder now has additional permissions, but these permissions were not inherited.

To add a permission directly to the selected folder from the Advanced Security Settings, tap or click the Add button. This opens the Permission Entry window shown in Figure 18.

- In the Permission Entry dialog box, provide the Principal name. This is the name of the user or group to which you want to apply new or additional permissions. In Figure 18, the administrator has already selected the group named Authenticated Users. To specify a different user or group, tap or click Select A Principal and make a selection.
- In the Type drop-down list, select either Allow or Deny as the permission type.
- Make a selection from the Applies To drop-down list. By default, Windows applies your new permissions settings to the current folder and to all subfolders and files according to the default inheritance rules in Windows 8. You can override this behavior by choosing a different entry from the Applies To drop-down list. Table 2 lists the available options and the impact of your selection.

Table 2. Default permissions impact

| Apply permissions to | Apply to current folder ONLY | Apply to subfolders in current folder | Apply to files in current folder | Apply to all subfolders | Apply to files in all subfolders |
| --- | --- | --- | --- | --- | --- |
| This folder only | x | | | | |
| The folder, subfolders, and files | x | x | x | x | x |
| This folder and subfolders | x | x | | x | |
| This folder and files | x | | x | | x |
| Subfolders and files only | | x | x | x | x |
| Subfolders only | | x | | x | |
| Files only | | | x | | x |

Under Basic Permissions, you can choose different basic permissions for the selected principal.
- If you’d like to see additional available permissions, tap or click Show Advanced Permissions. Table 3 describes the available advanced permissions.

Table 3. Advanced NTFS permissions

| Folder permission name | Description (folder) | File permission name | Description (file) |
| --- | --- | --- | --- |
| Traverse Folder | Allows the user to browse to folders beneath the current one | Execute File | Allows the user to execute the file |
| List Folder | Allows the user to view file names and subfolder names | Read Data | Allows the user to read data from a file |
| Read Attributes | Allows the user to view the attributes of a file or folder (such as Read-Only, Hidden) |
| Read Extended Attributes | Allows the user to view the extended attributes of a file or folder; extended attributes may be assigned by an application |
| Create Files | Allows the user to create files inside the folder | Write Data | Allows the user to write data to a file |
| Create Folders | Allows the user to create new folders within a folder | Append Data | Allows the user to add data to the end of a file but not to change the existing content |
| Write Attributes | Allows the user to change the attributes of a file or folder (such as Read-Only, Hidden) |
| Write Extended Attributes | Allows the user to change the extended attributes of a file or folder; extended attributes may be assigned by an application |
| Delete Subfolders and Files | Allows the user to delete subfolders and files; works even if the user has not been assigned the Delete permission |
| Delete | Allows the user to delete a file or a folder |
| Read Permissions | Allows the user to read the permissions for a file or folder |
| Change Permissions | Allows the user to change the permissions on a file or folder |
| Take Ownership | Allows the user to take ownership of a file or folder without regard to other permissions that might already be assigned |

- Select the Only Apply These Permissions To Objects And/Or Containers Within This Container check box to limit the containers to which new permissions apply. Table 4 lists the permissions impact when this check box is selected.

Table 4. Permissions impact when Only Apply These Permissions To Objects And/Or Containers Within This Container is selected

| Apply permissions to | Apply to current folder ONLY | Apply to subfolders in current folder | Apply to files in current folder | Apply to all subfolders | Apply to files in all subfolders |
| --- | --- | --- | --- | --- | --- |
| This folder only | x | | | | |
| The folder, subfolders, and files | x | x | x | | |
| This folder and subfolders | x | x | | | |
| This folder and files | x | | x | | |
| Subfolders and files only | | x | x | | |
| Subfolders only | | x | | | |
| Files only | | | x | | |

Note
FILE AND FOLDER PERMISSIONS CLARIFIED
There are different permission sets for folders and files, although they also share many advanced permissions. Table 3, in which there are different entries in the Folder and File columns, explains the different kinds of permissions. When a permission is shared between files and folders, there is just a single description for the permission entry. Further, although each description uses the word “Allow” to indicate that a user is allowed to perform a certain function, bear in mind that the permission can also be denied.
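
The Applies To choices in Table 2 and the check box in Table 4 correspond to the inheritance and propagation flags stored on each permission entry. The following PowerShell is an added example, not part of the original text: it builds a directly set entry for the folder and group shown in Figures 16 and 18 and then lists which entries are inherited. The function name `New-AppliesToRule`, its option names, and the Modify right are assumptions chosen for illustration.

```powershell
# Added example, not from the book: the Applies To list (Table 2) and the
# "Only apply..." check box (Table 4) expressed as .NET ACE flags.
function New-AppliesToRule {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('ThisFolderOnly','ThisFolderSubfoldersAndFiles','ThisFolderAndSubfolders',
                     'ThisFolderAndFiles','SubfoldersAndFilesOnly','SubfoldersOnly','FilesOnly')]
        [string]$AppliesTo = 'ThisFolderSubfoldersAndFiles',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow',
        [switch]$OnlyWithinThisContainer
    )
    # ContainerInherit = subfolders, ObjectInherit = files,
    # InheritOnly = the entry does not apply to the folder that carries it.
    $map = @{
        ThisFolderOnly               = 'None', 'None'
        ThisFolderSubfoldersAndFiles = 'ContainerInherit, ObjectInherit', 'None'
        ThisFolderAndSubfolders      = 'ContainerInherit', 'None'
        ThisFolderAndFiles           = 'ObjectInherit', 'None'
        SubfoldersAndFilesOnly       = 'ContainerInherit, ObjectInherit', 'InheritOnly'
        SubfoldersOnly               = 'ContainerInherit', 'InheritOnly'
        FilesOnly                    = 'ObjectInherit', 'InheritOnly'
    }
    [System.Security.AccessControl.InheritanceFlags]$inherit   = $map[$AppliesTo][0]
    [System.Security.AccessControl.PropagationFlags]$propagate = $map[$AppliesTo][1]
    # Check box: stop at direct children. Skipped for "This folder only", where
    # nothing is inherited and a propagation flag without an inheritance flag is invalid.
    if ($OnlyWithinThisContainer -and $inherit -ne 'None') {
        $propagate = $propagate -bor [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Principal, $Rights, $inherit, $propagate, $Type
}

# Run elevated. Folder and group are the ones shown in Figures 16 and 18;
# the Modify right is an assumed value for illustration.
$path = 'C:\Shared-files'
$acl  = Get-Acl -Path $path
$rule = New-AppliesToRule -Principal 'Authenticated Users' -Rights Modify `
    -AppliesTo SubfoldersAndFilesOnly -OnlyWithinThisContainer
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# IsInherited separates entries set directly from those inherited from the parent.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 IsInherited, InheritanceFlags, PropagationFlags -AutoSize
```

In the listing, the new entry shows `IsInherited` as False while the entries that came from C:\ show True, which is the same distinction the Advanced Security Settings window draws between directly set and inherited permissions.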