Sharing
Sites that are using the HyperPrivacy mode include the Sharing feature for sharing files and folders between different users. This is desirable whenever you need different users to access the same files. For example, your Marketing and Sales teams might both need the ability to download the same data. Maybe multiple individuals throughout your organization need to collaborate on a confidential project. Maybe you need to manage automated data flows from external parties, and you want employees responsible for the partnership to onboard or off-board users without an administrator's help.
Use Case: Inter-Departmental Sharing
In this example, we have groups that represent distinct organizational units, such as a Sales group, a Marketing group and a Product group. Users are assigned to only one of those groups, depending on which department they work for.
If all the users in this example are assigned the default User role provided with a new installation, they will all have the ability to share folders. A member of the Product group might create a folder that contains demonstration videos and case studies, and then share it with the Marketing and Sales groups. Each user in those groups can download items from that folder.
Use Case: Intra-Departmental Sharing
In this example, we have a group of users who represent a single department. We want the manager of this department to have a private area for confidential items their employees should not see, but we want all of the work files generated by the department to be shared amongst all of the employees and accessible by the manager.
The manager is configured with a role that allows them to manage other users and to create shares (such as the default Manager role), and the manager is granted a home folder for private files. Their employees are not granted home folders. The manager creates a separate folder in their own home folder, and then shares that with the employees in their department.
The result is that the manager has access to all of their employees' work product along with the manager's own confidential folders, but employees see only items in the shared area.
Use Case: Delegated Administration
In this example, we have an employee who is responsible for managing file exchanges with a set of partners; our partners need to upload files to us daily, and they need access to download from a shared folder.
First, configure a role (or use the default Manager role) that provides the sharing capability and the ability to manage other users, and assign that role to our employee. Create a second, external user role that does not include the sharing capability or any management of users. Create a user group that will represent the partners.
When the manager employee creates user accounts for each partner, they assign each new user that external user role, disable the new user's home folder, and add the user to the user group for partners.
Next, the manager creates a folder for each partner in the manager's home folder. The manager shares each folder with the appropriate external user, granting them the ability to make changes in the folder.
For the shared download folder, the manager will share the same folder with the partners group, and not grant them the ability to make changes. This provides read-only access to the shared download folder for all the partners.
Required Role Capability
Users whose roles include the "Allow sharing files or folders with internal users and creating public links for external users" capability can share items with other users and groups. The default User role includes this capability.
Users with a home folder who have a role that allows sharing can share any item in their home folder with any other user or group. This means that the capability to share items also allows a user to list all of the users and groups in your installation.
If you create user accounts for external contacts, you may want to create a customized role for those users that does not include the ability to share so that they cannot see all of the other users in your installation.
Accessing Shares Via FTP
For a user with a home folder who connects with FTP/SFTP, all items shared with the user will be listed under a folder named shares in the root folder.
Users who do not have a home folder will see a list of any shared items in the root folder when they connect over FTP or SFTP.
Permissions for Shares
There are 4 permissions associated with each shared item for a user or group: read, write, share and link. Permissions for a shared folder are fully recursive and apply to all the files and folders in that share.
When you share an item with other users or groups, they will always have the read permission, which gives them the ability to download from that share and to navigate into any subfolders that exist within a shared folder. In addition, users with read access to a shared folder can upload folders into that folder via FTP or SFTP, and the user will have full access to those uploaded items.
Granting the write permission (displayed as Manage) to a user for a share allows the user to upload, create new folders, rename items, delete items, and use the move or copy features with the share. Users with write permission to a shared folder can delete every item within the folder, but cannot remove the folder itself. Users with write permission to a shared item can rename the shared item.
The share permission allows users to share the item with other users and un-share it from any users, including their own account. If the user with share permission also has other permissions, they can grant or remove those permissions for others when sharing the item.
The link permission allows users to create external public links for the item. Users cannot grant higher access than they have to the item shared with them: if the user does not have the write permission for the share, they cannot create links that allow uploads.
Group Permissions vs User Permissions
The permissions assigned to an individual for a share take precedence over permissions assigned to any group the user belongs to.
When a user is a member of multiple groups with different permissions for a share, the user receives the combination of all granted permissions.
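The precedence and combination rules above, together with the link restriction from the previous section, modelled as an added example that is not code from the product. It assumes an individual assignment replaces group assignments entirely; the Share class, function names and sample users are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Share:
    """One shared item with its grants (hypothetical model, not the product's schema)."""
    user_grants: dict = field(default_factory=dict)   # username -> set of permissions
    group_grants: dict = field(default_factory=dict)  # group name -> set of permissions

def effective_permissions(share, user, groups):
    """Resolve what `user`, a member of `groups`, may do with `share`."""
    if user in share.user_grants:
        # An individual assignment takes precedence over every group assignment
        # (assumption: it replaces them rather than merging with them).
        granted = set(share.user_grants[user])
    else:
        member_grants = [share.group_grants[g] for g in groups if g in share.group_grants]
        if not member_grants:
            return set()  # the item is not shared with this user at all
        # Several groups: the user receives the combination of all grants.
        granted = set().union(*member_grants)
    granted.add("read")  # anyone an item is shared with always has read
    return granted

def can_create_link(share, user, groups, allow_uploads=False):
    """A link needs the link permission; an upload link also needs write."""
    perms = effective_permissions(share, user, groups)
    if "link" not in perms:
        return False
    return "write" in perms or not allow_uploads

# Constructed sample data for an access review of one shared folder.
demo = Share(
    user_grants={"carol": set()},  # carol individually limited to read
    group_grants={"sales": {"write"}, "marketing": {"link"}, "partners": set()},
)
MEMBERSHIP = {
    "alice": ["sales", "marketing"],  # combination of two groups
    "bob": ["marketing"],             # link without write
    "carol": ["sales"],               # individual grant overrides group write
    "erin": ["product"],              # no grant on this share
}

def review(share, membership):
    """Return {user: (sorted permissions, may create upload link)}."""
    return {
        user: (sorted(effective_permissions(share, user, groups)),
               can_create_link(share, user, groups, allow_uploads=True))
        for user, groups in membership.items()
    }

if __name__ == "__main__":
    for user, result in review(demo, MEMBERSHIP).items():
        print(user, result)
```

The carol case is the one to check during an access review: an individual assignment can leave a user with less, or more, than their group membership suggests.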