Example B: Defining several groups with full access to one project and no access for other projects

Scenario: Project managers are concerned about security leaks and have requested that you restrict all rights to the project folders to only members of those projects.

Procedure

  1. On the file server, define the share permissions on the Projects folder so that all groups have full access to the share.


  2. For the Projects folder permissions, define only the groups Administrators, Everyone, and SYSTEM. Give Administrators and SYSTEM Full Control. Give Everyone Read.


  3. Under the Projects folder you have individual project folders called BagelSlicers, CoffeeMakers and Toasters.


  4. Set the security on these folders as follows:
    Table 1. Example B: Security Settings for Projects

    Folder        Accounts                         Setting
    ------------  -------------------------------  ------------
    BagelSlicers  Administrators, SYSTEM, SLICERS  Full Control
                  Everyone                         Read*
    CoffeeMakers  Administrators, SYSTEM, COFFEE   Full Control
                  Everyone                         Read*
    Toasters      Administrators, SYSTEM, TOASTER  Full Control
                  Everyone                         Read*

    * The Read right includes Read & Execute, List folder contents, and Read.

Results

The effective rights based on these settings are as follows:

Table 2. Effective Rights for Example B

Rights                                       Accounts
-------------------------------------------  -------------------------------
Create objects at the Projects folder level  Administrators, SYSTEM
Edit rights to BagelSlicers folder           Administrators, SYSTEM, SLICERS
Read access to BagelSlicers folder           Administrators, SYSTEM, SLICERS
Edit rights to CoffeeMakers folder           Administrators, SYSTEM, COFFEE
Read access to CoffeeMakers folder           Administrators, SYSTEM, COFFEE
Edit rights to Toasters folder               Administrators, SYSTEM, TOASTER
Read access to Toasters folder               Administrators, SYSTEM, TOASTER

Note that while the Everyone group technically has Read access to these folders, its effective rights are no access. This is because anyone not in the COFFEE, TOASTER or SLICERS groups is denied access by the share permissions. No one else can even list the folder contents or browse.
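
The procedure for Example B as a PowerShell script, added here as an example and not part of the original page. The path D:\Projects, the share name Projects, and the reading of "all groups" in step 1 as Administrators plus the three project groups (which must already exist) are assumptions.

```powershell
# Added example, run in an elevated session on the file server.
# Assumed (not from the page): the path, the share name, and that the
# SLICERS, COFFEE and TOASTER groups already exist and resolve by name.
$root  = 'D:\Projects'
$share = 'Projects'
$projects = [ordered]@{        # project folder -> project group, per Table 1
    BagelSlicers = 'SLICERS'
    CoffeeMakers = 'COFFEE'
    Toasters     = 'TOASTER'
}

# Step 1: share permissions. Assumption: "all groups" means Administrators
# and the three project groups; Everyone is left out of the share ACL.
New-Item -ItemType Directory -Path $root -Force | Out-Null
$shareGroups = @('Administrators') + @($projects.Values)
New-SmbShare -Name $share -Path $root -FullAccess $shareGroups | Out-Null

# Step 2: NTFS permissions on Projects. Drop inherited entries, then grant
# Full Control (F) to Administrators and SYSTEM and Read & Execute (RX) to
# Everyone, inherited by subfolders (CI) and files (OI).
icacls $root /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Everyone:(OI)(CI)RX'

# Steps 3 and 4: each project folder inherits the entries above and adds
# Full Control for its own project group only.
foreach ($folder in $projects.Keys) {
    $path = Join-Path $root $folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant:r "$($projects[$folder]):(OI)(CI)F"
}

# Check the result against Table 1 and the share settings.
$shareAcl = Get-SmbShareAccess -Name $share
$shareAcl | Format-Table AccountName, AccessControlType, AccessRight
if ($shareAcl | Where-Object AccountName -eq 'Everyone') {
    Write-Warning 'Everyone is in the share permissions; non-members are not blocked at the share.'
}
foreach ($folder in $projects.Keys) {
    (Get-Acl (Join-Path $root $folder)).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

The final loop should list Administrators, SYSTEM and Everyone as inherited entries on each project folder, with the project group as the only explicit one.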