Administer > User and user group setup and security > SA users and user groups > Permissions > Folder permissions

Folder Permissions

Folder permissions control access to the contents of folders in the SA Library, such as software policies, patch policies, OS build plans, server scripts, and subfolders. A folder’s permissions apply only to the items directly under the folder. They do not apply to items lower down in the hierarchy, such as the subfolders of subfolders. See Setting Folder permissions.

Default Folder permissions

When SA is first installed, the predefined user groups are assigned permissions to the top-level folders such as Package Repository. When you create a new folder, it has the same permissions and customer as its parent.

Types of Folder permissions

In the Folders Properties window of the SA Client, you can assign the following permissions to an individual user or a user group:

  • List Contents of Folder: Navigate to the folder in the hierarchy, click on the folder, view the folder’s properties, see the name and type of the folder’s contents (but not the attributes of the contents).
  • Read Objects Within Folder: View all attributes of the folder’s contents, open object browsers on folder’s contents, use folder’s contents in actions.

    For example, if the folder contains a software policy, users can open (view) the policy and use the policy to remediate a server. However, users cannot modify the policy. (For remediation, action and resource permissions are also required.)

    Selecting this permission automatically adds the List Contents of Folder permission.

  • Write Objects Within Folder: View, use, create, and modify the folder’s contents.

    This permission permits actions such as New Folder and New Software Policy. To perform most actions, action permissions are also required.

    Selecting this permission automatically adds the List Contents of Folder and the Read Objects Within Folder permissions.

  • Execute Objects Within Folder: Run the scripts contained in the folder and view the names of the folder’s contents.

    This permission allows users to run scripts, but not to read or write them. To view the contents of scripts, users need the Read Objects Within Folder permission and the appropriate action permission. To create scripts, they need the Write Objects Within Folder permission and the appropriate action permission.

    Selecting the Execute Objects Within Folder permission automatically adds the List Contents of Folder permission.

  • Edit Folder Permissions: Modify the permissions or add customers to the folder.

    This permission enables users to delegate the permissions management of a folder (and its contents) to another user group.

    Selecting this permission automatically adds the List Contents of Folder permission.

    The following figure shows the user group named Win-patchers with the Folder Permissions view selected. This user group has list, read, write, and execute permissions to the folder named /Library/A-WinPatch.

    Folder Permissions view in the User Group window

    Folder permissions and Action permissions

    Action permissions determine what actions users can perform with the SA Client. Folder permissions specify which folders in the SA Library users have access to.

    To perform most actions on folders and the items they contain, users need both folder and action permissions. For example, to add a software policy to a folder, users must belong to a group that has the Write Objects Within Folder permission on a particular folder and the Manage Software Policy action permission (Read & Write).

    Folders, customer constraints, and software policies

    If a customer is assigned to a folder, the customer constrains some of the actions on the software policies contained in the folder. These constraints are enforced through filtering: The objects that can be associated with the software policies must have a matching customer.

    For example, suppose that you want to add the quota.rpm package to a software policy. The package and the software policy reside in different folders. The customer of the policy’s folder is Widget and the customer of the package’s folder is Acme. When you perform the Add Package action on the policy, the packages that you can choose will not include quota.rpm. The customer of the policy’s folder (Widget) acts as a filter, restricting the objects that can be added to the policy. If you add the Widget customer to the folder of quota.rpm, then you can add quota.rpm to the policy.

    The following list summarizes the customer constraints for software policy actions. These constraints are invoked only if the software policy’s folder has one or more customers. Software policy actions not listed here, such as New Folder, do not have customer constraints.

    • Attach Software Policy: The customer of the server being attached must be one of the customers of the software policy's folder.
    • Install Software Policy Template: The customer of the server must be one of the customers of the folder of each software policy contained in the template.

Send Help Center feedback