Understanding how security impacts move operations on folders and objects
This topic describes the security rules that apply when moving folders and objects.
Basic rules
Always keep in mind the following basic rules:
- When no read access is specified, everybody can read the folder.
- When no write access is specified, everybody can update the folder.
- The read security settings should always include the write security settings. So, if no write access is specified, everybody should have read access as well.
Moving a folder
Extra rule when moving a folder:
- The read access settings of the sub folder should be the same as or more restrictive than the read access settings of the new parent folder.
The following table contains some examples to illustrate that. Its rows and columns use the following numbered combinations of read and write access, written as (read/write), where "" means that no access is specified:
1. No read access and no write access specified
2. No read access specified, but only usergroup A has write access
3. Usergroups A and B have read access, but only usergroup A has write access
4. Usergroups A and B have read access, but only usergroup B has write access
5. Only usergroup A has read and write access
| Sub folder/New parent | 1 (""/"") | 2 (""/A) | 3 (A, B/A) | 4 (A, B/B) | 5 (A/A) |
|---|---|---|---|---|---|
| 1 (""/"") | Allowed | Allowed | Read access is conflicting | Read access is conflicting | Read access is conflicting |
| 2 (""/A) | Allowed | Allowed | Read access is conflicting | Read access is conflicting | Read access is conflicting |
| 3 (A, B/A) | Allowed | Allowed | Allowed | Allowed | Read access is conflicting |
| 4 (A, B/B) | Allowed | Allowed | Allowed | Allowed | Read access is conflicting |
| 5 (A/A) | Allowed | Allowed | Allowed | Allowed | Allowed |
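The folder-move check and the table above, as an added example (not code from the product this page documents). Access settings are modelled as sets of usergroup names, with an empty set standing for "not specified"; the names `Acl`, `check_folder_move` and `COMBINATIONS` are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Assumption: an empty set models the page's "" (no access specified = everybody).
UNSPECIFIED = frozenset()

@dataclass(frozen=True)
class Acl:
    read: frozenset = UNSPECIFIED
    write: frozenset = UNSPECIFIED

def same_or_more_restrictive(a, b):
    """True when group set `a` admits nobody that group set `b` excludes."""
    if not b:        # b is "everybody": nothing can be looser than that
        return True
    if not a:        # a is "everybody" while b is limited to some groups
        return False
    return a <= b    # both limited: a must be a subset of b

def is_consistent(acl):
    """Basic rule: the read settings must include the write settings."""
    return same_or_more_restrictive(acl.write, acl.read)

def check_folder_move(sub, new_parent):
    """Apply the extra rule for moving a folder under a new parent."""
    for acl in (sub, new_parent):
        if not is_consistent(acl):
            raise ValueError("read settings must include the write settings")
    if same_or_more_restrictive(sub.read, new_parent.read):
        return "Allowed"
    return "Read access is conflicting"

# The five read/write combinations used in the table.
COMBINATIONS = {
    1: Acl(),
    2: Acl(write=frozenset({"A"})),
    3: Acl(read=frozenset({"A", "B"}), write=frozenset({"A"})),
    4: Acl(read=frozenset({"A", "B"}), write=frozenset({"B"})),
    5: Acl(read=frozenset({"A"}), write=frozenset({"A"})),
}

def folder_move_matrix():
    """Result for every (sub folder, new parent) pair of combinations."""
    return {(s, p): check_folder_move(COMBINATIONS[s], COMBINATIONS[p])
            for s in COMBINATIONS for p in COMBINATIONS}

if __name__ == "__main__":
    matrix = folder_move_matrix()
    for s in COMBINATIONS:
        print(s, [matrix[(s, p)] for p in COMBINATIONS])
```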
Moving an object to another parent folder
Extra rules when moving an object:
- The read access settings of the old parent folder should be the same as or more restrictive than the read access settings of the new parent folder.
- The write access settings of the new parent folder should be the same as or more restrictive than the write access settings of the old parent folder. This check can be overruled by an administrator role.
The following table contains some examples to illustrate that. Its rows and columns use the following numbered combinations of read and write access, written as (read/write), where "" means that no access is specified:
1. No read access and no write access specified
2. No read access specified, but only usergroup A has write access
3. Usergroups A and B have read access, but only usergroup A has write access
4. Usergroups A and B have read access, but only usergroup B has write access
5. Only usergroup A has read and write access
| Old folder/New parent | 1 (""/"") | 2 (""/A) | 3 (A, B/A) | 4 (A, B/B) | 5 (A/A) |
|---|---|---|---|---|---|
| 1 (""/"") | Allowed | Write access is conflicting | Read access is conflicting | Read access is conflicting | Read access is conflicting |
| 2 (""/A) | Allowed | Allowed | Read access is conflicting | Read access is conflicting | Read access is conflicting |
| 3 (A, B/A) | Allowed | Allowed | Allowed | Write access is conflicting | Read access is conflicting |
| 4 (A, B/B) | Allowed | Write access is conflicting | Write access is conflicting | Allowed | Read access is conflicting |
| 5 (A/A) | Allowed | Allowed | Allowed | Write access is conflicting | Allowed |