Medley File Security FAQ
What is "file security"?
File Security is a feature of your file system which controls which users can access which files, and places limitations on the what users can do to files. For example, a file may be secured so that everyone can view it but only certain specific people may change it, while another is secured so that only the owner may view it. Folders may also be secured in this way.
Users of Windows 95 or Windows 98 may not have encountered file security before, because the FAT file system does not support file security. Users of Windows NT who have NTFS volumes may be familiar with file security, because NTFS supports this feature.
File security consists of two key elements: authentication and permissions. Authentication is how the computer finds out who you are -- you tell it this by providing a username and password when you begin using it, also known as "logging on". Permissions are the properties of a file or folder that specify who can access it (a list of users) and how (the type of access they are allowed). Normally, you modify the permissions of a file or folder from its properties dialog in the Windows Explorer.
Whenever a user accesses a file or folder, the file security feature kicks in. This is called an access check. The file system considers the userís identity, and what kind of action the user is performing, and consults the fileís permissions. If the permissions do not allow the action, the user gets an "Access Denied" error.
Where can I find more information about file security?
The Medley on-line help contains explanations, directions, and examples for using file security with Medley.
The Ownership and Permissions dialogs, which can be reached from Windows Explorer Properties dialog, contain on-line help. Just press the Help button.
Please note that this FAQ is not a substitute for the above documentation. Information in this FAQ should be used in conjunction with the Medley user documentation and the on-line help.
How does file security affect me on a daily basis?
For the most part, file security doesnít affect the day-to-day use of your computer.
On some occasion, you may try to save changes to a document and get an "Access Denied" error - this means that the owner of the file has decided that you are not allowed to change the document. Or you may get such an error when you try to open a document in the first place Ė this means that the owner has decided that you cannot view the document at all.
If this happens, there is nothing you can do. File security cannot be worked around or disabled. If you could, that would defeat the whole purpose! Your only recourse is to speak to the owner of the file. If he or she chooses, the fileís permissions can be updated to allow you access.
On other occasions, you may decide to secure a document yourself. This may be because the material is sensitive. Or it may be because you wish to keep it from being modified accidentally. In this event, you use Windows Explorer to change the fileís permissions.
If you handle a number of such documents on a daily basis, you may want to organize them into a secured folder. A secured folder contains files which all have the same permissions. Also, it is configured so that any new files created within the folder will automatically have those same permissions, so that you donít have to manually configure each new document.
I know what Windows NT Security is. Whatís Medley Security?
Medley Security is a simplified security architecture created by MangoSoft. It works very much the same as Windows NT Security, internally and externally. Both security architectures are based on recognizing users and configuring file permissions with Windows Explorer. If youíve used Windows NT Security, Medley Security will look very familiar.
The key differences are:
Windows NT Security requires a Windows NT computer.
Medley Security does not require any Windows NT computers. You can use it in a pool consisting of only Windows 95 or Windows 98 computers.
Windows NT Security is based on Windows NT accounts, which are managed with the Windows NT User Manager program. In order to access any file or folder, you must be logged on with a valid Windows NT domain account. If you are on a Windows 95 computer, you must enable domain logon, and log into the Windows NT domain.
Medley Security is much simpler. It is based solely on the Windows logon name. With Medley Security, you donít need a network administrator to create accounts - you just need a local user profile, which you can create when you log on with a new user name.
With Windows NT Security, the system administrator can organize related accounts into units called groups. For example, all the users in sales can belong to the Sales group. This makes it convenient to secure files, because you can specify the group, and not the individual users, when you set up permissions.
Medley Security does not support groups. It only recognizes individual user names, and the special value "Everyone".
When I create a shared folder on my computer, I can configure share permissions. What is the difference between these permissions and the ones I set on my files and folders?
When you access a file on a remote computer through a share, you have to go through both share security (if any) and then through file security (if any). You can only access the file if both the share permissions and the file permissions allow it.
Unlike file permissions, share permissions cannot be configured separately for each file or folder in the shared folder. The same permissions are applied to everything in the shared folder.
Also, share permissions only apply if you access the file or folder through the share from a remote computer. If you are logged onto the computer directly, no share permissions are used. And if the same folder is reachable through two or more share names, the share name that is used determines which share permissions are used for the access check. In contrast, file permissions are applied no matter how the user gets to the file.
Why does it matter who owns a file?
The owner of a file or folder will always be able to view and change the permissions, regardless of what the permissions are.
This can be viewed as a safety feature. If someone accidentally changes the permissions on a file so that no one has any access whatsoever, the owner of the file can still access the permissions and change them to something more usable.
Note that you can only take ownership of a file; you cannot make someone else the owner. This helps ensure that the owner is always valid.
If the owner is "Everyone", then everyone will have the abilities of the owner.
What is the difference between the Read-Only attribute and the Read file permission?
The Read-Only attribute is set from DOS (with the ATTRIB command) or from the Windows Explorer Properties dialog, under the General tab. If you set the Read-Only attribute, this prevents the file from being modified.
There are distinct differences between the Read-Only attribute and the Read file permission.
First, the Read-Only attribute is not secure. Anyone may turn the attribute off and then modify the file. So the Read-Only attribute protects you from accidental changes, but not intentional ones.
In contrast, the Read permission is secure. If you are only permitted Read access to a file, you cannot change the permissions in order to modify the file.
Secondly, the Read-Only attribute is global. It applies to all users.
In contrast, file permissions may be configured so that some users have only Read access while other users have more.
Some applications do not report "access denied" as the error when I am denied access to a file. Why?
Before Medley, Windows 95 and Windows 98 did not have a local file system that supported file security on a local disk. Therefore, many Windows applications are not prepared for the ERROR_ACCESS_DENIED (5) error code when opening a file on the Medley drive.
In an effort to "help", these applications will not report the actual error, but instead will display a general help message, which does not mention file security as a possible reason for the error.
When I open a secured file using Explorer, why does Explorer launch an application (like Word) even when I am not allowed to access the file?
If the file is secured, and you are not allowed to access it, this will not be detected until a program attempts to open the file.
When you open a file with Explorer, Explorer does not open the file. Instead, it launches an application (like Word or Notepad), and the application opens the file. This means the application is started before you find out that access is denied.
Why can I delete a file even if I only have Read permission?
If you are granted Full Control permission to a folder, you can delete anything contained in that folder, even if you donít have access to what is being deleted. So if you have Read permission on the file but Full Control permission on the folder that the file is in, you can delete the file.
If you wish to secure a file or folder against deletion, you must secure the folder it is contained in as well. Users who should not delete the contents of the folder should be assigned less than Full Control access.
Sometimes when I restore a folder from the recycle bin, the permissions change. Why does this happen?
On Windows 95, the Recycle Bin does not save folders like it saves files. Instead, it simply remembers the name of the folder that contains the files being deleted.
When you restore files from the deleted folder, the Recycle Bin re-creates a new folder with the same name. It looks like the same folder as before, but the permissions are not the same any more Ė they have been reset to the default.
Unfortunately, the Windows 95 Recycle Bin behaves this way because it is not aware that the folder has permission information which needs to be preserved.
I want to add a new user to a permissions list for a file, but their name does not appear in the Add Users list. How do I add them?
The Add Users dialog displays a list of all the users who have ever logged onto any computer in the pool. If they don't appear, they probably haven't logged on yet.
Have them log on, then close and re-open the file security properties dialog.
If a user account is removed, what happens to all the permissions that refer to that user? Are they cleaned up?
No. There is no way to automatically remove every occurrence of a user identifier from every file or folder permission.
How can I tell if I am logged on properly?
When you experience file security problems, such as an "access denied" error when you did not expect one, the first thing to check is whether or not you are logged on properly. You may be logged on with the wrong user name, you may not be logged on at all, or there may have been system trouble when you logged on Ė all of these things could cause file security problems.
Bring up the Medley Control Panel applet.
Under the General tab, it displays the current logged on user. Make sure that the user name is what you expect. If no user name appears, then you are not logged on. If you press the Escape key or the Cancel button at the Windows logon dialog, you are not logging on. If you do this when using Medley, then Medley will not recognize you, and you may be denied access to files.
I secured my file and now I cannot access it myself. What can I do?
The first thing to do is to determine if you are logged on properly (see above).
If you are logged on properly and still cannot access the file, then the problem lies in the file permissions. It may be configured to deny you the access you need.
As long as you are the owner of the file, you will always be able to view and modify its permissions, even if you are being denied other kinds of access at that time. Simply use Windows Explorer, bring up the Permissions dialog, and restore access for yourself. To find out who is the owner of a file, in the Windows Explorer, right-click on the file and select "Properties...", click on the "Security" tab, and then click on the "Ownership" button.
If you are not the owner, then you need to find the owner and have them do this for you.
If the owner is unavailable, then you can restore the file from a back-up made before it became inaccessible.
As a last resort, you can clear the user's account information, and then create a new one with the same name. Then you can log on as that user and access the file in that way.
To clear the user's account information:
- On any system that the user has logged on to, go to the C:\Windows directory, find the user's .PWL file, and delete it.
- From any system in the pool, start the Medley Control Panel, go to the Maintenance tab, and start the User Manager. With the User Manager, delete the user's name.
Now you can log on as that user, using any password that you wish.
Remember to protect the user manager database file to prevent unauthorized users from accessing account information in this way. This database is called CLUPDB, and it's in the MangoSoft System directory on your Medley drive. You can protect it by setting file permissions, just like any other file on the Medley Drive.
Does file security affect my back-up policy?
Yes. The back-up operator must be able to access the files and folders
being backed up.