This topic describes the permissions and provides solutions to common permission issues.
To perform authorization management, ensure that you have successfully enabled the sharing/authorization feature.
By default, super administrators/drive administrators have management and operation permissions for all team drives within the enterprise.
By default, team administrators have management and operation permissions for the drives under their responsible teams.
By default, regular users only have previewer permissions for the drives of their team.
User roles and permissions
PDS currently supports 4 roles, including 3 administrator roles (super administrator, drive administrator, and team administrator) and 1 regular user role. The following sections describe the permissions for each role.
Super administrator
A super administrator has full permissions for all resources in the drive (including enterprises, teams, users, spaces, files, etc.), such as creating users, modifying user roles, creating teams, creating spaces, authorizing team spaces, and uploading and downloading files in team spaces.
Each drive allows only one super administrator to be created. The super administrator can be configured in the PDS console. See the following figure:
Due to user privacy concerns, super administrators cannot access files in users' personal spaces by default. If needed, please contact us.
Drive administrator
The permissions of a drive administrator are basically the same as those of a super administrator, except that a drive administrator cannot perform certain important operations, such as changing other users' roles to drive administrator or viewing files in users' personal spaces.
The drive administrator role can be assigned by a super administrator in the drive's Management Console -> Team Management by selecting the target user and clicking "Switch Role". See the following figure:
Team administrator
A team administrator is mainly responsible for managing team resources, such as adding users to the team, removing users from the team, setting user space size, and viewing team audit logs. Team administrators also have permissions for all files in the team space, including folder authorization, upload, download, preview, delete, edit, and view recycle bin operations. The management scope of a team administrator is not limited to the team itself, but also includes all sub-teams under the team. For example, if department A has departments B and C, the administrator of department A can manage users and team spaces of departments B and C.
The team administrator role can be assigned by a super administrator in the drive's Management Console -> Team Management by selecting the target team, then selecting the target user from the user list on the right, and clicking Switch Role. See the following figure:
Regular user
Regular users by default only have operation permissions for their personal spaces, including folder authorization, upload, download, preview, delete, edit, and view recycle bin functions. They can perform related operations in team spaces only after being authorized.
Permission description
Permission diagram
Concept explanation
A user tree is generated based on the relationships between users and groups. A user tree has several levels. A user can be a member of multiple groups, but a group can be a member of only one group.
A file tree is generated based on the relationships between files and folders. A file tree has several levels (as shown in the example above).
File authorization refers to granting a user or group specific operation permissions on a folder. Currently, PDS allows you to grant only permissions on folders.
File authorization is completed by using roles. PDS provides a series of default roles for authorization. The following table lists the roles.
Group permission inheritance means that the users in child groups can inherit the permissions that are granted to the parent group. For example, if you grant "R&D department" a permission on "R&D drive" and the permission inheritance feature is disabled, only "User 4" is able to use this permission because it is the direct member of "R&D department", and "User 2" and "User 3" do not have the permission.
File permission inheritance means that all child files and folders can inherit the permissions that are granted to the parent folder.
Permission overwriting means that if a user has multiple available permissions on a resource, the permissions overwrite each other. In the preceding figure, "User 4" has both preview and edit permissions on the "Project materials" folder. The preview permission is inherited from the parent group, and the edit permission is granted to the user directly. When multiple permissions apply to a user simultaneously, the permission closer to the user overwrites the permission farther from the user. Therefore, when "User 4" accesses the "Project materials" folder, the edit permission is used. There is a special case: because a user can be a member of multiple groups, when different permissions are granted to multiple groups to which the user belongs, the union of multiple permissions is used as the user's access permissions.
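The resolution order described above (group permission inheritance, the nearest grant overwriting farther ones, and the union across multiple groups), written out as an added example that is not PDS code. Assumptions: the user tree is constructed, "Team A", "Team B" and the "Test reports" folder are hypothetical, grants at equal distance from the user are unioned, and only grants on the folder itself are considered (file permission inheritance is left out).

```python
# Constructed user tree. "R&D department" and "User 2/3/4" are names from the page;
# "Team A" and "Team B" are hypothetical child groups.
GROUP_PARENT = {"R&D department": None, "Team A": "R&D department", "Team B": "R&D department"}
MEMBERSHIPS = {"User 4": ["R&D department"], "User 2": ["Team A"], "User 3": ["Team A", "Team B"]}

def effective_permissions(user, folder, grants, memberships=MEMBERSHIPS, group_parent=GROUP_PARENT):
    """Resolve the permissions of `user` on `folder`.

    grants: list of (principal, folder, permissions, inherit_to_child_groups).
    Distance 0 is a grant to the user, 1 a grant to a group the user is a direct
    member of, 2+ a grant to an ancestor group (counted only if it inherits).
    """
    by_distance = {}

    def collect(principal, distance):
        for who, target, perms, inherit in grants:
            if who == principal and target == folder and (distance <= 1 or inherit):
                by_distance.setdefault(distance, set()).update(perms)

    collect(user, 0)
    for group in memberships.get(user, []):
        distance, seen = 1, set()
        while group is not None and group not in seen:  # walk up to the root group
            seen.add(group)
            collect(group, distance)
            group, distance = group_parent.get(group), distance + 1
    # The nearest grant overwrites farther ones; equal distances are unioned (assumption).
    return by_distance[min(by_distance)] if by_distance else set()

def sample_grants(inherit):
    """Constructed grants; `inherit` toggles group permission inheritance on the first one."""
    return [
        ("R&D department", "Project materials", {"preview"}, inherit),
        ("User 4", "Project materials", {"edit"}, False),
        ("Team A", "Test reports", {"preview"}, False),
        ("Team B", "Test reports", {"upload"}, False),
    ]
```

When reviewing access, compare the result for the same user with inheritance on and off: a grant to a parent group silently reaches every member of its child groups when inheritance is enabled.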
Permission names and role introduction
Currently, PDS provides the following 11 permissions (visible list, preview, upload, download, share, shift, copy, rename, delete, update, and create file) and 15 system default roles, each made up of a different combination of these permissions.
The meaning of each permission is as follows:
Previewer: Can preview images/documents/videos in the authorized space/directory online (preview permission requires visible list permission).
Visible list: Can view which folders/files are in the authorized space/directory, but has no operation permissions.
Create file: Can create files in the authorized space/directory (creating files requires visible list and upload permissions).
Upload: Can upload files to the authorized space/directory (upload permission requires visible list and create file permissions).
Download: Can download files from the authorized space/directory to local (download permission requires visible list and preview permissions).
Share: Can share directories and files in the authorized space/directory with other users or teams (share permission requires visible list and preview permissions).
Delete: Can delete directories and files in the authorized space/directory (delete permission requires visible list permission).
Shift: Can move directories and files in the authorized directory to other spaces/directories (shift permission requires visible list and delete permissions).
Copy: Can copy directories and files in the authorized directory to other spaces/directories (copy permission requires visible list permission).
Rename: Can rename directories and files in the authorized space/directory (rename permission requires visible list permission).
Update: Can edit, update multiple versions, or restore directories and files in the authorized space/directory (update permission requires visible list and preview permissions).
Synchronizer: Can perform bidirectional synchronization or one-way upload operations on folders in team spaces and received shares.
Backup user: Can perform one-way upload operations on folders in team spaces and received shares.
Download/share/update permissions require preview permission (so that users can view the content of files to be operated on in the drive before performing operations).
Space introduction
Enterprise space
After purchasing the enterprise edition, a root team with the same name as the enterprise is created by default, and a space is created for the root team as the enterprise space. Users within the enterprise have preview permissions for files in the enterprise space by default. Only super administrators and drive administrators have permissions such as authorization, upload, download, preview, delete, edit, and view recycle bin.
The development edition does not have a default enterprise space. You can create teams and spaces yourself.
All users have preview permissions for files in the enterprise space by default. It is recommended to store only files that all users within the enterprise can view in the enterprise space, such as employee handbooks and public information. Internal department files (such as project materials) should be stored by creating team spaces for easier fine-grained permission management in the future.
Team space
Teams are usually created according to the enterprise's organizational structure. Team spaces are used to store files and materials of different departments, and team administrators can authorize folders in team spaces to different teams or users based on business needs. Team spaces are created by super administrators and drive administrators. See the following figure:
After entering the management console, click "Team Management", select a team and create a sub-team, as shown in the following figure:
In the pop-up dialog box for creating a sub-team, you can choose whether to allocate space size to the team or set default space permissions.
After the team space is created, the system assigns the previewer role of the team space to the team by default, which means that all members under the team can preview files in the team space by default. Administrators can modify or delete this default permission, or add other permissions. The following figure shows the default permissions assigned by the system after the team space is created.
In addition to the system default permissions mentioned above, administrators can also set other permissions required by the business. For example, if you want user A from another team to preview files in this team space, you can select the corresponding user from the left side of the figure above and drag them to the right side, and set them as a previewer. The authorization operation for other teams is similar. In addition to authorizing the entire team space, folder-level authorization is also supported. Enter the team space as an administrator, select a folder that needs authorization, and follow the above operations.
Authorization rules
Folder authorization under team spaces preserves the file path. For example, if there is a file "/B/C/D/1.jpg" under team space A, and only folder D is authorized to user 1 (previewer), then user 1 will see team space A under "Team Space", can see folder B after entering team space A, can see folder C after entering folder B, and can see folder D after entering folder C. User 1 only has previewer permissions for folder D, and only visible permissions for folders B and C. Folders other than folder C under folder B are invisible to user 1, and folders other than folder D under folder C are also invisible to user 1. User 1 can preview all files and folders under folder D.
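An added example (not PDS code) that models the path-preserving rule above, useful in an access review because it shows that the names of the ancestor folders B and C are disclosed to the grantee even though only D was authorized. The file list beyond "/B/C/D/1.jpg", the function names and the "visible-only" label are assumptions; when several grants cover a path, the deepest one is taken, which is also an assumption.

```python
# Constructed contents of team space A; only /B/C/D/1.jpg comes from the page.
FILES = ["/B/C/D/1.jpg", "/B/C/E/notes.txt", "/B/F/plan.doc", "/G/budget.xls"]
GRANTS = {"/B/C/D": "previewer"}  # folder D authorized to user 1

def _parts(path):
    """Split a path into its segments; "/" becomes the empty tuple."""
    return tuple(seg for seg in path.split("/") if seg)

def access_level(path, grants):
    """Return the granted role at or below a granted folder, "visible-only"
    for a folder on the way down to a granted folder, or None if hidden."""
    p = _parts(path)
    covering = [(len(_parts(g)), role) for g, role in grants.items()
                if p[:len(_parts(g))] == _parts(g)]
    if covering:
        return max(covering, key=lambda item: item[0])[1]  # deepest grant
    if any(_parts(g)[:len(p)] == p for g in grants):
        return "visible-only"  # ancestor of a granted folder: name shown, nothing else
    return None

def visible_children(folder, file_paths, grants):
    """List the entries the user sees when opening `folder`."""
    f = _parts(folder)
    names = {_parts(fp)[len(f)] for fp in file_paths
             if _parts(fp)[:len(f)] == f and len(_parts(fp)) > len(f)}
    return sorted(n for n in names
                  if access_level("/".join(("",) + f + (n,)), grants))

def walk_report(file_paths, grants):
    """Map every folder the user can open to what is listed inside it."""
    report, queue = {}, ["/"]
    while queue:
        folder = queue.pop(0)
        report[folder] = visible_children(folder, file_paths, grants)
        for name in report[folder]:
            child = folder.rstrip("/") + "/" + name
            if child not in file_paths:  # descend into folders only
                queue.append(child)
    return report
```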
Inheritance rules
When authorizing a team, you can choose whether the sub-teams of the team inherit the permission. If not inherited, only the direct members of the team have this permission.
Currently, prohibiting permissions inherited from upper-level folders is not supported. You can only narrow permissions by giving new authorizations to sub-folders.
Personal space
Personal space is mainly used to store users' personal files and materials. By default, only the user themselves has permission to access this space, and even super administrators cannot view users' personal spaces. The authorization operation for personal space is basically the same as that for team space. Authorized users can view folders that other users have authorized to them from personal space through the "Received Shares" function. See the following figure:
Custom permission description
Set custom permissions
In addition to using default permission roles, PDS supports setting permissions during authorization. Users can customize the permissions they want to grant.
Add permission template
If an administrator deletes a permission combination that is being used, the deletion will fail with a prompt that the permission template is being used for authorization and cannot be deleted.
There is a limit to the number of preset permission combinations, with a maximum of 50.
Add custom permission combinations in Management Console -> Enterprise Settings -> Permission Template.
After setting custom permission combinations, you can use these permission combinations in the permission template of the authorization management interface.
Delete file description
Delete authorized team space files
Drive administrators/team administrators/super administrators can directly delete files in team spaces. The deleted files can be viewed in the recycle bin and can be restored from the recycle bin.
If regular users are authorized (granted delete file permissions), they can directly delete the corresponding files or folders, but the deleted files or folders will not be displayed in the regular user's recycle bin. They can only be viewed in the recycle bin after logging in as a drive administrator/team administrator/super administrator.
Delete shared files
If users are granted all permissions, operations such as collaborative administrator, favorite, delete, shift, and rename are filtered out for the outermost directory, which means that the outermost directory of the share cannot be deleted directly.
Deleting files or folders within the shared folder is supported. The deleted files will be displayed in the sharer's recycle bin (supporting restoration from the recycle bin) and will not appear in the shared user's recycle bin.