File, Folder, and Share Permissions on Windows

See Examples of RSCM Server Configurations for Windows for scenarios that describe how security settings and permissions control which users have access to which projects.

On Windows, the most restrictive rights always win when resolving conflicts in access rights between a share and a folder underneath the share. In the example below, the share permissions are read-only for the built in group ‘Everyone,’ and the folder permissions grant full access to the COFFEE group members. The read-only policy is enforced for users in the COFFEE group even though there are more permissive rights granted on the folder for the COFFEE group.

If rights conflict only at the share level, the more permissive rights win. In the example below the ‘Everyone’ group is read-only but the COFFEE group has full access. The users in the COFFEE group have full access because the conflict resolved at the share level grants the more permissive access.

In the example below, the share permissions are wide open but the folder permissions are restrictive. The COFFEE group users cannot edit this project.

Conflicts between shares and folders resolve to the most restrictive, regardless of whether that restriction is on the folder or the share. It resolves to most permissive only at the share level.

If you want to have only one share with multiple folders underneath and restrict those folders to particular users or groups, you should add all groups that need to access folders under the share with full control of the share and keep the ‘Everyone’ built-in group with read (or remove access entirely). This denies any users that are not part of those groups you have granted access to the share level. Then you can enforce permissions for groups with the folder permissions, restricting the folders as necessary.