Updated: June 4, 2018


This document will guide iDrive departmental administrators through the proper procedure for creating new internal folders, removing the inherited security property on internal folders, granting security to internal folders, removing security from internal folders, and troubleshooting some issues that may arise with iDrive internal folder security.


SECURITY RULES AND GUIDELINES

  • iDrive Departmental Folder Access and Security (Parent Folder Security)
    • iDrive Access Will be Granted:


      To ATU staff to match access associated with the employee’s assigned job position.


      Beginning July 01, 2015, to all full-time faculty who will be granted view only access to the folder for the department which they are employed.


    • Departmental Administrators:


      Administrators are typically Academic Deans, Department Heads and their Administrative Assistants, and Business Department Directors and key personnel within Business Offices designated by the Directors.


      Employees in these types of jobs should have the Administrative iDrive Security Group for their area(s) associated with the job position they are assigned..


    • Access for All Additional Staff:


      Faculty and staff not in a Director, Dean, Department Head, or Administrative Assistant type of job position will have the General iDrive Security Group for their area(s) associated with the job position they are assigned.

  • Internal Folder Security Access


    Newly created internal folders initially inherit the security assigned to the parent folder they are created within.


    Security to new internal folders at the first level of any parent folder MUST BE CHANGED IMMEDIATELY after creation to remove the inherited security from the parent property.


    NOTE: See Creating New Internal Folders for instructions.


    Internal folder security should be maintained by the departmental administrator(s) assigned to the folder. ONLY the departmental administrator(s) should have full access to internal folders.


    Employees with general folder access should never be given full access to any folder.


  • Orphaned Documents (not in a folder)


    Documents will inherit the security properties of the folder they are created and/or saved within.


    Documents should NOT be created at the first level of a college or departmental folder, and should ONLY be created inside of an internal folder for three reasons:

    1. Documents created at the top level of a college or departmental folder will be viewable by all employees who have access to the parent folder.
    2. ONLY departmental administrators will be able to update documents created at the top level of college and departmental folders.
    3. Departmental administrators will NOT be able to control the security on orphaned documents.

    All orphaned documents should be moved inside of an appropriate internal folder for security reasons.


INTERNAL FOLDER ADMINISTRATION INSTRUCTIONS

  • NEW Internal Folders
    • Create NEW Internal Folders:
      1. Access the folder in which a new folder needs to be created.
      2. Put the cursor in any white space inside the folder and click the right mouse button.



      3. Hover over New and then click on the Folder option appearing in a new drop down as shown above.
      4. Name the folder and press the Enter key.


        NOTE: Remember that security is inherited from the parent folder that the NEW (internal) folder is created within even if you are inside of an internal folder already.

    • Remove Inherit Permissions from Parent Object Property on NEW Internal Folders.


      IF this is a first level folder inside a parent folder, OR you do NOT want to keep the security of the folder you have created the NEW internal folder within, follow these steps to remove the inherit permissions from parent object property on the newly created internal folders.

      1. Move the cursor to the new internal folder and click the right mouse button.
      2. Click on Properties.
      3. Click on the Security tab at the top of the New Properties window.



      4. You should now see the following New Properties window for the new internal folder. Click on the Advanced button. 



      5. You should now see the following Advanced Security Settings for New window for the internal folder you wish to change. Click on Change Permissions to alter the advanced security settings. 



      6. The window shown below will open. Are you noticing that the “Apply” button is greyed out?


        In the Advanced Security Settings for New window, uncheck the box next to the text “Include inheritable permissions from this object’s parent” and click OK.



      7. The following Windows Security dialogue box will open, click on the Add button.



      8. Are you noticing that the “Apply” button in the Advanced Security Settings for New window is no longer greyed out?


        Click on the “Apply” button.

      9. If the Permissions “Warning” window opens, click on the Yes button.
      10. In the Advanced Security Settings Permissions window, click on the OK button.
      11. In the Advanced Security Settings window, click on the OK button.


        You should be back to the Security Properties window.


        Continue to set departmental administrator security on new internal folders.

    • Set Departmental Administrator Security on NEW Internal Folders.
      • If this is a NEW internal folder:
        1. Move the cursor to the new internal folder and click the right mouse button.
        2. Click on Properties.
        3. Click on the Security tab at the top of the New Folder Properties window. You should now see the following New Folder Properties window for the new internal folder:



        4. Click on the Edit button to open the Permissions for New window. 



        5. You should now see the following Permissions for New window:



        6. In the box below “Group or user names:” find and click on the administrative group ID for your parent folder. It should be in the format “i<ParentFolderName>A”.
        7. In the Permissions for Root box below, click on the box under Allow that is next to Full control, and then click on Apply.
        8. In the box below “Group or user names:”, find and click on the general group ID for your parent folder. It should be in the format “i<ParentFolderName>G”.
        9. Click on the Remove button.
        10. Finally, click on Apply.
      • If this is a NEW internal departmental folder:


        A new internal departmental folder is a folder for which separate departmental security exists, such as the Department of Music within the College of Arts & Humanities parent folder.

        1. Click on Add. You should now see the following “Select Users, Computers, Service Accounts, or Groups” box:



        2. In the space to “Enter the object names to select . . .”, type the internal department name like “i<DepartmentName>”.
        3. Click on Check Names.
        4. Click on the correct name that ends in “A”, for administrator.
        5. Click on OK. This will close the “Select Users . . .” box and re-open the "Permissions" box.
        6. Find and click on the Administrative group you just added in the Group or User name section at the top.
        7. In the Permissions section at the bottom, click on the check box under Allow next to Full Control.
        8. Click on Apply.
        9. Click on the OK button to close the Edit window.
        10. Click on the OK button to close the New Folder Properties window when you have finished.

        This completes establishing departmental administrative security for new internal folders.

  • Maintain Internal Folder Security
    • Methods of Assigning Access
    • The two options for allowing internal folder security are by individual employee, or by departmental group. The departmental security admin may establish the method of applying security to use on the iDrive parent, or internal departmental folder they control. Both methods of assigning security have advantages and disadvantages, and it is strongly suggested that you keep the original method that you establish. It is ok to use a different method on one folder than on others, but you should probably keep a spreadsheet so you know which folders have group access and which do not.


      When an employee requests general access to an iDrive security group, their ID is added to that group. That group is given query/read only access to the iDrive parent folder. This will allow them to see the internal folders, but will not allow them to make any changes. In a folder with ONLY iDrive parent level security, the departmental administrators of the parent folder must then grant access to individuals, or to the parent departmental general group, to internal folders before they may access to the internal folders.


      If departmental security exists for the first level of internal folders with an iDrive parent folder, the group established as “iG” will be given view/read only access to the departmental folder as well. Inside of the departmental folder the internal departmental administrators may assign access to their internal folders. Here is where the internal departmental admins may decide to assign access to the entire group to the internal folders, or only to assign access to limited individuals to the internal folder.

    1. Departmental group access:


      Access is granted to the group as a whole. So, if you give modify/update access to the group to any folder, every employee in that group will be able to make changes to documents inside the folder. Granting access to the whole group is useful if you have a folder of data that everyone in the department should be able to view/read but not to modify/update.


    2. Individual employee access:


      Access is granted to individual employees using their logon id. Using this method you can give ONLY the employees that need to access a specific folder of data access to that folder. You can also control whether an individual employee can only view/read data in the folder, or if they can modify/update data in the folder. This access works great for sensitive data that not everyone should have access to. However, you must add each individual employee or they will not have access at all, and set up their access appropriately or they will have the wrong type of access.

  • Remove General Department/Individual Employee Access
    • Move the cursor to the internal folder and click the right mouse button.
    • Click on Properties.
    • Click on the Security tab at the top of the New Folder Properties window. You should now see the following New Folder Properties window for the new internal folder:



    • Click on the Edit button to open the Permission for New window.



    • You should now see the following Permissions for New window:



    • Using the scroll bar to the right of the “Group of user names:” box, find the name of the employee you need to remove access.
    • Move your cursor to the person you wish to remove and select them by clicking the mouse button. Then, click the Remove button.
    • Continue until all employees that no longer require access to the internal folder have been removed.
    • Click on the Apply button.
    • Click on the OK button to close the Permissions for New window.
    • Click on the OK button to close the New Folder Properties window for the internal folder when you have finished all necessary changes.
  • Add General Department/Individual Employee Access
    • Move the cursor to the internal folder and click the right mouse button.
    • Click on Properties.
    • Click on the Security tab at the top of the New Folder Properties window. You should now see the following New Folder Properties window for the new internal folder:



    • Click on the Edit button to open the Permissions for New window.



    • You should now see the following Permissions for New window:



    • Find the User ID for the employee you are adding.
    • Click on the Add button in the Permissions for New window.
    • You should now see the Select Users, Computers, Service Accounts, or Groups box that follows:



    • Type the User ID for the employee you are adding in the box below “Enter the object names to select”.



    • Click on the Check Names button.



    • If the Multiple Names Found box opens, scroll until you find the name with the correct number and select the correct User ID by putting the cursor on the ID and clicking the mouse button.
    • If the email address does not populate in the box next to the user ID, check to be sure you have typed the user ID correctly. If not, retype the user ID and click on the Check Names button again.
    • If the user ID is typed correctly but the user does not exist, please contact the Campus Support Center to help you find the correct user ID for the employee.
    • Click on the OK button in the Select Users, Computers, Service Accounts, or Groups window.
    • You should now be back in the Permissions for New window for the internal folder.
    • Click on the employee user ID you have just added.
    • Look in the permissions for the “User ID” box and assign security as follows:
      • If this employee needs query/view access ONLY, make sure the following actions are selected:
        • Read & Execute
        • List Folder Contents
        • Read

        Uncheck any other permission boxes currently selected.

      • If this employee needs to modify/update files in this internal folder, use the mouse to click the boxes next to the following additional abilities:
        • Modify
        • Write

        Uncheck any other permission boxes currently selected.

      • Repeat the instructions above until you are finished adding employee access to the internal folder.
    • Click on the Apply button to save the added access.
    • Click on the OK button to close the Permissions for New window for the internal folder.
    • Click on the OK button to close the New Folder Properties window for the internal folder.
  • Change General Department/Individual Employee Access
    • Move the cursor to the internal folder and click the right mouse button.
    • Click on Properties.
    • Click on the Security tab at the top of the New Folder Properties window. You should now see the following New Folder Properties window for the new internal folder:



    • Click on the Edit button to open the Permissions for New window.



    • You should now see the following Permissions for New window:



    • Using the scroll bar to the right of the “Group of user names:” box, find the name of the employee whose access you need to change.
    • Move your cursor to the person you wish to change and select them by clicking the mouse button.
    • Look in the Permissions forUser ID” box and change the security by using the mouse to click the box for needed security or unclick the box for security that is no longer needed as follows:
      • If this employee needs query/view access ONLY, use the mouse to click the boxes next to the following abilities:
        • Read & Execute
        • List Folder Contents
        • Read

        Uncheck any other permission boxes currently selected.

      • If this employee needs to modify/update files in this internal folder, use the mouse to click the boxes next to the following additional abilities:
        • Read & Execute
        • List Folder Contents
        • Read
        • Modify
        • Write

        Uncheck any other permission boxes currently selected.

      • Repeat the instructions above until you are finished changing employee access to the internal folder.
    • Click on the Apply button to save the access changes.
    • Click on the OK button to close the Permissions for New for the internal folder.
    • Click on the OK button to close the New Folder Properties window for the internal folder.


TROUBLESHOOT SECURITY ISSUES

  • Unable to Access Internal Folder or File
    1. If ALL Internal Objects of the Folder Should Have the Same Security Set on the Folder:


      Reset security on ALL objects in a folder:

      • Right click on the folder, click the Security tab, click on Advanced.
      • Click on Change Permissions.
      • Find check box by “Replace all child object permissions with inheritable permissions from this object.
      • Click in the check to select it.
      • Click on Apply. You should see the following Windows Security box:



      • Click on Yes.
      • When the Apply is finished, click on OK to close the Change Permissions window.
      • Click on OK to close the Advanced Security Settings window.
      • Click on OK to close the Security window.
    2. If ALL Internal Objects of the Folder Should NOT Have the Same Security as the Folder:


      Set security for a specific object in a folder:

      • Right click on the specific object (file of folder) that access is required to and click on Properties.
      • Click on the Security tab.
      • Click on the Edit button.
      • Click on the Add button to open the Select Users, Computer, Service Accounts, or Groups box as shown below:



      • Type the user’s login ID.
      • Click Check Names.
      • Click on the ID that belongs to the user.
      • Click OK.
      • Click on the user’s ID in the Group or user names: box.
      • Check corresponding boxes in the Permissions forUser ID” box, located in the bottom section of the window, to grant the user access to the permissions needed by checking or unchecking the boxes next to the permissions.
      • When you are finished, click on OK to close the Permissions window.
      • Click on OK to close the Security window.