File & Share Permissions
Dave Burke ran into an issue I didn't mention in my previous post on IIS & remote resources: share permissions versus file permissions. Before I start, let's do some acronym vocabulary. There are more or less three things to know:
ACL (pronounced A - C - L) - “access control list” - a list of permissions for an object
DACL (pronounced dackle) - “discretionary access control list” - a list of permissions for an object set by the owner (or an admin) - we're dealing with this subset of ACLs
ACE (pronounced as spelled) - “access control entry” - a permission in an ACL
There are two types of DACLs on a shared resource: the folder-level permissions and the share-level permissions. The rule of thumb is that the most restrictive one wins. So, a user with full control in the share-level ACL but only read in the folder-level ACL will have read rights only. It's always better to control this access in the folder/file-level permissions. Any user or group that needs to do anything beyond reading a file/folder will need change permissions. Otherwise, read permissions are fine. Full Control isn't necessary.
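The "most restrictive wins" rule, worked through as an added example (not code from the original post). It goes slightly beyond the text by also modelling group membership and deny ACEs inside each DACL, and it assumes canonical ACE order so that a deny always beats an allow; the rights are a simplified stand-in for Windows access masks, and every account, group and DACL below is constructed sample data.

```python
from enum import IntFlag

class Right(IntFlag):
    """Simplified rights for illustration; not the real Windows access-mask bits."""
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMISSIONS = 8

READ = Right.READ
CHANGE = READ | Right.WRITE | Right.DELETE
FULL_CONTROL = CHANGE | Right.CHANGE_PERMISSIONS

def dacl_rights(dacl, sids):
    """Rights one DACL gives a caller: matching allow ACEs add up, deny ACEs subtract."""
    allowed = denied = Right(0)
    for kind, trustee, rights in dacl:
        if trustee in sids:
            if kind == "deny":
                denied |= rights
            else:
                allowed |= rights
    return allowed & ~denied

def effective_rights(share_dacl, folder_dacl, sids):
    """Over the network both DACLs must grant a right: the result is the intersection."""
    return dacl_rights(share_dacl, sids) & dacl_rights(folder_dacl, sids)

def blocking_layers(share_dacl, folder_dacl, sids, wanted):
    """Name the DACL(s) that refuse the requested rights, for troubleshooting."""
    layers = {"share": share_dacl, "folder": folder_dacl}
    return [name for name, dacl in layers.items()
            if (dacl_rights(dacl, sids) & wanted) != wanted]

# Constructed sample data: a web application account and the groups in its token.
WEB_APP = {"CONTOSO\\svc-web", "CONTOSO\\Web Apps", "Everyone"}
SHARE_DACL = [("allow", "Everyone", FULL_CONTROL)]
FOLDER_DACL = [("allow", "CONTOSO\\Web Apps", READ),
               ("allow", "BUILTIN\\Administrators", FULL_CONTROL)]
# Layout in the spirit of the post: Change on the share, fine control on the folder.
TIGHT_SHARE_DACL = [("allow", "CONTOSO\\Web Apps", CHANGE)]
UPLOADS_DACL = [("allow", "CONTOSO\\Web Apps", CHANGE),
                ("deny", "CONTOSO\\svc-web", Right.DELETE)]

if __name__ == "__main__":
    print(effective_rights(SHARE_DACL, FOLDER_DACL, WEB_APP))
    print(blocking_layers(SHARE_DACL, FOLDER_DACL, WEB_APP, CHANGE))
    print(effective_rights(TIGHT_SHARE_DACL, UPLOADS_DACL, WEB_APP))
```

When a remote write fails, blocking_layers shows which of the two DACLs to fix, so the share-level grant does not get widened when the folder-level ACL was the one refusing access.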