A customer noticed that when you use Explorer to share a folder with a specific user, Explorer creates a file share with full permissions to everyone. “Why is this needed? Shouldn’t it be created with permission only to the user that the folder is being shared to?” <\/p>\n
Okay, first of all, we should note that there is not a security issue here, because even though the share grants everyone full permissions, the individual permissions on the files and folders are still respected. In order to get access to a file, you need to have access both to the share and to the file. Since you already set up the desired permissions on the file, the share permissions are redundant. <\/p>\n
But doing it this way does make things easier for the user. <\/p>\n
It reduces the number of elevation prompts, because elevation is required only the first time you share a folder. If you share a folder with multiple people, the second and subsequent sharing operations do not need to elevate because the share already exists with full permissions to everyone. <\/p>\n
It reduces the complexity of the sharing operation. Adding or removing a shared file or folder does not require recalculating the ACLs on the share. It also means that the UI for showing what is shared doesn’t need to perform an effective access calculation in order to determine what access level to show. It can operate purely on the file system permissions. <\/p>\n
It also makes things easier to understand for the user. Users need to manage only file permissions and don’t have to remember that they also have to combine that with the share permission. Otherwise you get into cases where you shared a file with Bob, and Bob can access it sometimes (when Bob is signed in locally) but not other times (when Bob is accessing the file remotely). <\/p>\n
If you really want to deal with share-level permissions, you can use the advanced sharing UI. It’s the simple sharing UI that uses the simple security model. <\/p>\n","protected":false},"excerpt":{"rendered":"
The ACLs will do the work.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-93955","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"
The ACLs will do the work.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/93955","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=93955"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/93955\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=93955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=93955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=93955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}