From what I have seen you should give the Everyone Group General View Objects ability that way EVERY user and group has that access out of the box. From there you can then use your Group access to security folders below the root folder, is that the correct approach? If you do not give the view access to the root folder through the Everyone group then you have to add EVERY other group to the root folder.
Please let me know if I am missing something. I want to verify before moving forward.
There are 2 types of security, Open Security and Closed Security.
Open Security means that everyone has access unless they are denied. Closed Security means that nobody has access unless they are granted. They are both valid, but Closed Security is more secure. If you want Open Security, you would give the Everyone group “View” access at the root folder, if you want Closed Security, you would give the Everyone group “No Access” at the root folder.
Having said this, if you are using 3.x, you probably want to give view access at the root level for that object for the everyone group, but no sub-objects (either make an access level, or use advanced, it’s better to make an access level). This will make it so that everyone can see the root folder, but nothing below that, unless they were given explicit access.
I think it depends on your strategic approach to security.
We have multiple sets of data. Some users should see all the docs for all the data. Some users should only see all the docs for some of the data, and we don’t want to “accidentally” give those users access to the rest of the data.
So we restrict “Everyone” and then grant the necessary access to groups as needed. It’s a pain but it’s safe. Mr. Welter taught me this approach in my first BOE class (at that time, I didn’t even know what an instance was!).
I like this method - Having said this, if you are using 3.x, you probably want to give view access at the root level for that object for the everyone group, but no sub-objects (either make an access level, or use advanced, it’s better to make an access level).
It seems easier however the other way could be safer. I just don’t see if you set up Advanced view with sub level access turned off how you can mess that up.
I haven’t found a reason not to give the Everyone group view access to the root folder only. If you don’t give that user, or rather, a group that user is in access to a folder under root, they can’t see anything, only that the root exists. This actually took a while to figure out, because in previous versions, you gave “No Access” to the root folder for the Everyone group, and that worked fine, so unless you are aware of the new security model in 3.x, it may confuse you.
These security settings allow you to mimic the Xir2 behavior where the root folder was a transparent door. I mean even if you don’t have the right to open this door (view object in fact) you can see the sub doors.
Working with such a security model allows you to be proactive. Every time you will add a new project, thus a new sub folder structure nobody won’t be able to see it except the functional group you will create espsically to view that content.
(BOB member since 2008-03-14)