5. Applying Permissions Through Inheritance
In the file and folder hierarchy used by Windows 8, the root folder
of a local disk and the %UserProfile% folder are the parent folders of
all the files and folders they contain by default. Anytime you add a
resource, it inherits the permissions of the local disk’s root folder
or the user’s profile folder. You can change this behavior by modifying
a folder’s inheritance settings so that it no longer inherits
permissions from its parent folder. This step creates a new parent
folder, and any subfolders or files you add will then inherit the
permissions of this folder.
Inheritance is automatic, and inherited permissions are assigned
when a file or folder is created. If you do not want a file or folder
to have the same permissions as a parent, you have several choices:
-
Stop inheriting permissions from the parent folder, and then either
convert inherited permissions to explicit permissions or remove all
inherited permissions. -
Access the parent folder, and then configure the permissions for the files and folders it contains. -
Try to override an inherited permission by selecting the opposite permission. In most cases, Deny overrides Allow.
Inherited permissions
are shaded (unavailable) on the Security tab of a file or folder’s
Properties dialog box. Also, when you assign new permissions to a
folder, the permissions propagate to the subfolders and files contained
in that folder and either supplement or replace existing permissions.
This propagation lets you grant additional users and groups access to a
folder’s resources or to further restrict access to a folder’s
resources independently of a parent folder.
To better understand inheritance, consider the following examples:
-
On drive C, you create a folder named Data and then create a
subfolder named CurrentProjects. By default, Data inherits the
permissions of the C:\ folder, and these permissions are in turn
inherited by the CurrentProjects folder. Any files you add to the C:\,
C:\Data, and C:\Data\CurrentProjects folders have the same
permissions—those set for or inherited from the C:\ folder. -
On drive C, you create a folder named Docs and then create a
subfolder named Working. You disable inheritance on the Working folder
and then remove the inherited permissions of the parent, C:\. Any files
you add to the C:\Docs\Working folder inherit the permissions of the
C:\Docs folder and no other. -
On drive C, you create a folder named Backup and then create a
subfolder named Sales. You add permissions to the Sales folder that
grant access to members of the Sales group. Any files added to the
C:\Backup\Sales folder inherit the permissions of the C:\ folder and
also have additional access permissions for members of the Sales group.
Note
REAL WORLD Many new
administrators wonder what the advantage of inheritance is and why it
is used. Although inheritance occasionally seems like more trouble than
it’s worth, inheritance enables you to very efficiently manage
permissions. Without inheritance, you’d have to configure permissions
on every file and folder you create. If you wanted to change
permissions later, you’d have to go through all your files and folders
again. With inheritance, all new files and folders automatically
inherit a set of permissions. If you need to change permissions, you
can make the changes in a top-level or parent folder, and the changes
can be automatically applied to all subfolders and files in that
folder. In this way, a single permission set can be applied to many
files and folders without editing the security of individual files and
folders.
Viewing Inherited Permissions
To view the inherited permissions on a file or folder, press and
hold or right-click the file or folder in File Explorer, and then tap
or click Properties. On the Security tab of the Properties dialog box,
tap or click Advanced to display the Advanced Security Settings dialog
box, shown earlier in Figure 3.
The Access column lists the current permissions assigned to the
resource. If the permission is inherited, the Inherited From column
shows the parent folder. If the permission is inherited by other
resources, the Applies To column shows the types of resources that
inherit the permission.
When you disable inheritance in a file or folder’s security settings, the file or folder stops inheriting permissions
from parent folders. You can then elect to either convert inherited
permissions to explicit permissions on the file or folder, which would
make the permissions editable, or remove all inherited permissions from
the file or folder.
If you want a file or folder to stop inheriting permissions from a parent folder, follow these steps:
-
In File Explorer, press and hold or right-click the file or folder,
and then tap or click Properties. On the Security tab, tap or click
Advanced. This opens the Advanced Security Settings dialog box with the
Permissions tab selected by default. -
On the Permissions tab, you’ll see a Disable Inheritance button if
inheritance currently is enabled. Tap or click Disable Inheritance. -
As shown in Figure 6,
you can now either convert the inherited permissions to explicit
permissions or remove all inherited permissions and apply only the
permissions that you explicitly set on the folder or file.
Tip
If you remove the inherited permissions and no other permissions are
assigned, everyone but the owner of the resource is denied access. This
effectively locks out everyone except the owner of a folder or file.
However, administrators still have the right to take ownership of the
resource regardless of the permissions. Thus, if an administrator is
locked out of a file or a folder and truly needs access, she can take
ownership and then have unrestricted access.
Restoring Inherited Permissions
Over time, the permissions on files and subfolders can become so
dramatically different from those of a parent folder that it is nearly
impossible to effectively manage access. To make managing file and
folder access easier, you might want to take the drastic step of
removing all existing permissions on all resources contained in a
parent folder and replacing them with permissions inherited from that
parent folder. In this way, permissions set on the folder you are
working with (the parent folder) replace the permissions set on every file and subfolder contained within this parent folder.
To replace existing permissions with the inherited permissions of a parent folder, follow these steps:
-
In File Explorer, press and hold or right-click the folder, and then
tap or click Properties. On the Security tab, tap or click Advanced. -
On the Permissions tab, select Replace All Child Object Permissions
With Inheritable Permissions From This Object, and then tap or click OK. -
As shown in Figure 7,
you see a prompt explaining that this action will replace all
explicitly defined permissions and enable propagation of inheritable
permissions. Tap or click Yes.
However, you don’t have to completely replace existing permissions
to start inheriting permissions from a parent folder. If a file or
folder was configured to stop inheriting permissions from a parent
folder, you can re-enable inheritance to have the file or folder include the inherited permissions from a parent folder. To do this, follow these steps:
-
In File Explorer, press and hold or right-click the file or folder
that should include inherited permissions, and then tap or click
Properties. On the Security tab, tap or click Advanced. -
On the Permissions tab, tap or click Enable Inheritance, and then
tap or click OK. Note that the Enable Inheritance button is available
only if permission inheritance currently is disabled.
|
