Once you create your environment, end users don't have access to any files and folders on C/ D drives. Admins can completely control end user access to files and folders through Folders/ Shares module in Cloud Desktops section of itopia CAS.
Folders module in itopia is linked to C:\Customer Data (or D:\Customer data for newer provisions) on the file server. If you place data in any other server or drive in the file server, you will not be able to manage it through itopia portal.
Managing folder permissions, creating Shares
itopia provides a convenient way to manage your folder permissions directly from the CAS portal instead of going to the server and dealing with folder security the old way.
By default, users don't have access to C drive (/D drive), a default GPO hides it from them.
In order to give user access to a shared folder, you need to create a Share first. Go to the Shares tab and click the + sign to create a new share.
"Add share" window will open where you will specify the share Name, preferably, put the same name as the folder you are creating the access for.
Put the drive Letter (must be upper case) and click on the magnifying glass in the Path field to browse the folder location.
You can then select users or whole groups that will have access to the share and determine the inheritance. You can either have the assigned users and groups have access to the whole folder where the share points to including all subfolders or limit the access to only the folder where the share points to. Once done click Create:
Creating a Share will give users/ groups View access to the folder.
Depending on the drive letter you selected, the share will be displayed separately for the user under the specified drive letter.
You can modify access level (full control or view only) from the Folder Directory tab. If you have multi-region deployment, select the Region you want to edit first:
Then highlight the folder and click on the shield icon to open the permissions window.
Confirm the correct permission is selected (Read only/ Full control) and hit Save.
Please allow the system few minutes to save the changes and reflect them in the portal.
Note: If the user is not included in the Share but still has permissions to the folder (is assigned to the folder with View or Full access), user will still see the folder but won't be able to access it.
Pro tip: Create the folder structure and security groups first and then assign all the permissions to the folders. Creating the structure and permissions before moving the data will get you faster performance because the folders are empty. After dropping the data in, folders and files will just inherit the permissions of the parent folders.
How are folder permissions handled in the server?
Share permission are managed with GPOs. After you create a share and assign users/ groups to it, the system creates a group in Active Directory under BGroups folder. The group name consists of the share letter and code (eg: AddShare-E-123) and it contains the users and groups that have access to the share.
The group is than added to the security permissions of the folder the share points to and sharing is enabled for the folder as well.
Create new folder
First, highlight the folder that will contain your new folder. Click on the + sign.
Mark the checkbox bellow if you don't want your new folder to inherit its parent folder permissions and hit Save.
New folder will be created under the one you highlighted in the previous step.
Changing the folder permissions directly from the server
You can modify the permissions on the server directly but make sure that you only select View only or Full control access type so the portal can detect the change and update.
Other types of access like Read and execute or Modify are not available in itopia CAS and therefore the portal cannot be updated accordingly.
When you need to delete a share, make sure you do it from itopia CAS:
IMPORTANT: When the share is deleted, the permissions are removed from the share but it will still appear to the users. The share will not be accessible anymore but to stop seeing the share, user needs to manually disconnect it (right click on the share - Disconnect).
The reason why we manage it this way is that Windows allows using the same letter for multiple shares. In order not to disconnect any share that uses the same letter and was created manually int he server, wee keep mapping them for the users.