Understanding folder permissions

Folder permissions govern which users and groups can perform various actions on a folder or its contents.

There are two main types of permissions:

  • Permit. Permit permissions grant users or groups access to the folder on which the permission is applied.
  • Deny. Deny permissions are used when you want to specifically deny a user or group permission to a folder. Deny permissions take precedence over all other permissions, so a deny permission guarantees that a user cannot perform the action indicated in the permission.

For each permission, you can also indicate which actions you want to permit or deny:

  • Read. This option refers to downloading files from the server.
  • List. This option refers to retrieving a folder listing, which shows the files in the folder, from the server.
  • Write. This option refers to uploading files to the server.
  • Delete. This option refers to deleting files or folders from the server.
  • Rename. This option refers to changing the name of a file or folder already on the server.
  • Create folder. This option refers to creating a new folder under the folder where the permission is set.

Finally, you can also choose to have a permission apply only to files that match a specified file mask. To match all files, enter *.

For each permission, you can choose to have the option propagate down to all subfolders of the folder where the permission is set by selecting Include subfolders.

User and group permissions are aggregated. WS_FTP Server evaluates permit permissions first, then deny permissions to determine the actual permissions granted.

For example, if a user has the following permissions set

  • Permit Read and List permission propagated from a parent folder
  • Permit Write permission set on the current folder
  • Deny Read permission set on the current folder

he or she can List and Write on the current folder.

Permissions and administrators

By default, host and system administrators are granted full permissions to all folders on the host to which they belong. However, host and system administrators are bound by deny permissions. It is possible to deny them access to any folder by creating a deny permission on that folder.

Permissions and users' home folders

When a user is created, WS_FTP Server automatically generates a permit permission granting the user full permissions to his or her home folder.

Permissions and virtual folders

Permissions set to include subfolders on a parent folder of a virtual folder are not applied to the virtual folder or any folders underneath it. Virtual folders do not inherit permissions from parent folders.
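
The evaluation order described above (aggregate permits across the user and their groups, then subtract denies), together with propagation, file masks, the administrator default and the virtual folder rule, can be checked with a small model. This is an added example and not WS_FTP Server code: the Rule type, the function names, the sample paths and the principals alice and staff are hypothetical, and glob-style mask matching is an assumption. It does not model replacing a propagated permission with a same-mask permission on a child folder.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

ALL = frozenset({"read", "list", "write", "delete", "rename", "create_folder"})

@dataclass(frozen=True)
class Rule:                       # hypothetical model of one permission entry
    folder: str                   # folder the permission is set on
    principal: str                # user or group name
    kind: str                     # "permit" or "deny"
    actions: frozenset
    mask: str = "*"               # file mask; "*" matches all files
    include_subfolders: bool = False

def applies(rule, folder, filename, principals, virtual_roots):
    if rule.principal not in principals or not fnmatchcase(filename, rule.mask):
        return False
    if rule.folder == folder:
        return True
    target, src = PurePosixPath(folder), PurePosixPath(rule.folder)
    if not rule.include_subfolders or src not in target.parents:
        return False
    # A virtual folder and everything under it ignores rules propagated from above it.
    for v in map(PurePosixPath, virtual_roots):
        if (v == target or v in target.parents) and src in v.parents:
            return False
    return True

def effective(rules, folder, filename, user, groups=(), is_admin=False, virtual_roots=()):
    hits = [r for r in rules if applies(r, folder, filename, {user, *groups}, virtual_roots)]
    granted = set(ALL) if is_admin else set()   # administrators start with full permissions
    for r in hits:                              # permits first, aggregated across user and groups
        if r.kind == "permit":
            granted |= r.actions
    for r in hits:                              # then denies, which always win (admins included)
        if r.kind == "deny":
            granted -= r.actions
    return granted

# Constructed sample rules: the page's worked example plus a group deny with a file mask.
RULES = [
    Rule("/pub", "alice", "permit", frozenset({"read", "list"}), include_subfolders=True),
    Rule("/pub/incoming", "alice", "permit", frozenset({"write"})),
    Rule("/pub/incoming", "alice", "deny", frozenset({"read"})),
    Rule("/pub", "staff", "deny", frozenset({"write"}), mask="*.exe", include_subfolders=True),
]

if __name__ == "__main__":
    print(sorted(effective(RULES, "/pub/incoming", "report.txt", "alice")))
```

Running the model over a planned rule set before entering it on the server is a quick way to spot a deny that unintentionally locks out an administrator, or a virtual folder that ends up with no permits at all.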

How to stop a propagated permission

When a permission set on a parent folder is propagated to a child folder and you want to remove or change the permission on the child folder, you can add another permission with the same mask at that level. For example, if the parent folder grants a user Read, List and Write permissions, and you want to remove Write permissions on the child folder, you can enter another permission on the child that specifies only Read and List for the user. This removes the Write permission.

Note: If a folder is governed by permissions marked Include subfolders on a parent folder, the permissions are not displayed on the child folder. Permissions that are included in subfolders are displayed only at the parent folder level.