This is an old revision of the document!


In order to manage efficiently the access rights for the file/folders stord in Lena, it is very helpful to understand the way they work.

Some specific users, the Owners and the Managers, have the ability to manage the access rights of the files/folders. Each file/folder:

  • has one or several owners;
  • can have one or several managers.

NB

Be aware of the distinction between permissions and access rights.
  • Permissions: are related to users, they grant them the rights to use specific functionalities (e.g., the ability to create a sharing link, to keep files in sync on one's computer for offline usage… see Manage users and groupes).
  • Access rights: are related to a file/folder and define which users or group of users can see/read/modify/delete this file/folder. This article is about them.

Owner of a file/folder

The owner of a file/folder “owns” it, and as such can:

The ownership notion spreads from the “higher level” directories to the “lower level” ones - it would not be very useful to own a folder but not its sub-folders and the files located in them.

For example, say we have 2 directories at the root of a drive (dir A and dir B) and that we give them both a different owner (Alice for dir A and Bob for dir B), all the sub-folders and files of dir A will have Alice as owner and all those under dir B will be owned by Bob.

Changing the ownership of a folder stop the propagation to its sub-folders/files. With the same example, if Alice decided to transfer the ownership of dir A.1 to Bob she would also lose the ownership of the file file A.1.1 which is located in dir A.1 (Bob's ownership of dir A.1 spreads to file A.1.1).

Access Management to file/folders

Access rights to a file/folder are managed by its Owners, and possibly by its Managers. A Manager is a user to whom a file Owner has delegated access rights management. A Manager can then, in the same way as an Owner, define access rights to this file/folder for all users except for himself (only the Owner of the file/folder can define the Manager's access rights).

Different access rights can be set (from the least to the most permissive):

  • Read : can be read but not edited (for a folder it translates into being able to see its content).
  • Edit : can be edited but not deleted (for a folder it translates into being able to rename or add elements to it but not being able to delete them).
  • Do everything : can be edited and deleted.

In the same way as ownership, access rights spread from higher to lower level folders. If we take a folder at the root of a drive dir A and grant read rights to Alice and Bob, these drives will spread to the sub-folders and files found under dir A.

Just as ownership, changing access rights for a user (or a group of users) at a specific level will stop the propagation of rights coming from higher levels. The newly defined access rights will in turn spread to the lower levels.

Following with our example, if we changed Alice's rights on the folder dir A.1 from read to edit, they would replace all the existing access rights coming from the parent directory. Bob's read right will therefore be deleted (it is possible to maintain it, see Access rights management).

Nota bene

More than one definition of access rights to a file/folder can exist for a given user if he belongs to more than one group of users. Priority rules among access rights are as follows:
  • Access rights defined directly on the user prevail over those defined to a group the same user belongs to (user-defined rules are more specific).
  • Among access rights granted granted by different, the most permissive prevail over the least permissive ones. For example, if a user belongs to a group giving him access in read only mode to an element and to another group giving him edit right, the edit right would prevail as it is more permissive.

Visualizing access rights

Access rules for an item may be multiple (those coming from parents folder, defined for groups to which the user belongs to or defined for the user himself), the resulting access rights may not be obvious. To avoid any confusion, Lena always displays all the resulting access rights and you just need to read them. For example:

Here, for the AF directory:

  • The Direction group has all the rights because of the rule defined at the root of the drive Tests (2 levels above)
  • The Commercial group can modify the folder's content because of the rule defined on the folder AF itself, which prevails on the read right defined on the parent directory (on the folder shared).
  • The user “Rémi” has all the rights on this folder because of the user-defined rule defined for him on this folder (which prevails over any other rules defined for a group to which he belongs).