Once you create your deployment, end users don't have access to any files and folders on C or D drives. Admins can completely control end user access to files and folders through File Shares module in Cloud Desktops section of itopia CAS.
Folders module in itopia is linked to C:\Customer Data (or D:\Customer data for newer provisions) on the file server. If you place data in any other server or drive in the file server, you will not be able to manage it through itopia portal.
Managing folder permissions, creating Shares
itopia provides a convenient way to manage your folder permissions directly from the CAS portal instead of going to the server and dealing with folder security the old way.
By default, users don't have access to C drive (/D drive), a default GPO hides it from them.
In order to give user access to a shared folder, you need to create a Share first. Go to the File Shares module and click on Create Share
Fill out the form and click Create
Once the share is created, you can then map the share as a drive to a
User/Security Group and assign permissions to individual users or Security
Groups.
To assign the File Share as a mapped drive, click on the File Share and under
the Mapped Drives section, click on Create
From here, you can assign individual users or Security Groups to the File Share
that was created. You also have the ability to select the Drive Letter that you
would like the File Share mapped to, for the end user.
When you have filled out the form to your liking, click Create
Now, you can set the folder permissions for the File Share that was just created.
First, select the File Share, and then click on Create under the Folder
Permissions section
Similar to the last section, you have the ability to add individual users and
Security Groups to the permission list of your File Share. Note that if the user
does not have permissions on the File Share, they will not be able to see it.
Towards the bottom of the form, you can grant Read, Write, or Full Control
(Read, Write, Delete) permissions. You can also set the inheritance for the folder
as well. You can either have the assigned users and groups have access to the
whole folder where the share points to. This includes all subfolders or you can
limit the access to only the folder where the share points to. Once done click
Create
Please allow the system few minutes to save the changes and reflect them in the portal.
Note: If the user is not included in the Share but still has permissions to the folder (is assigned to the folder with View or Full access), user will still see the folder but won't be able to access it.
Pro tip: Create the folder structure and security groups first and then assign all the permissions to the folders. Creating the structure and permissions before moving the data will get you faster performance because the folders are empty. After dropping the data in, folders and files will just inherit the permissions of the parent folders.
How are folder permissions handled in the server?
Share permission are managed with GPOs. After you create a share and assign users/ groups to it, the system creates a group in Active Directory under BGroups folder. The group name consists of the share letter and code (eg: AddShare-E-123) and it contains the users and groups that have access to the share.
The group is than added to the security permissions of the folder the share points to and sharing is enabled for the folder as well.
Create new folder
First, highlight the folder that will contain your new folder. Click on the + sign.
Click on Create Folder
Fill out the form and choose whether or not you would like the new folder to
inherit permissions from the parent folder.
Click Create when done
Please wait for a few minutes while the folder gets created. The new folder will
be created under the one you highlighted in the previous step.
Changing the folder permissions directly from the server
You can modify the permissions on the server directly but make sure that you only select View only or Full control access type so the portal can detect the change and update.
Other types of access like Read and execute or Modify are not available in itopia CAS and therefore the portal cannot be updated accordingly.
Deleting Shares
When you need to delete a share, make sure you do it from itopia CAS: Click
on the Share and then click Delete. Keep in mind that the File Share is the top
level folder. In the screenshot below, Test is the file share, and Test Folder,
Article Example, Test Subfolder, etc are all subfolders that are within the File
Share named Test
IMPORTANT: When the share is deleted, the permissions are removed from the share but it will still appear to the users. The share will not be accessible anymore but to stop seeing the share, user needs to manually disconnect it (right click on the share - Disconnect).
The reason why we manage it this way is that Windows allows using the same letter for multiple shares. In order not to disconnect any share that uses the same letter and was created manually int he server, wee keep mapping them for the users.