Permissions:  A simple yet powerful feature you should be using

Permissions:  A simple yet powerful feature you should be using

Permissions are powerful, easy to use, can prevent mistakes, and protect your most important stuff. Yet many people do not take advantage of this free superpower!

Why You Should Lock Down Permissions

Here are some of the great reasons to use permissions:

  1. To Prevent Mistakes: With some very simple changes, you can prevent many common accidents. You can prevent people from saving files to the wrong folder.  This may help stop clutter and make it easier to find important items. You can prevent someone from saving stuff to someone else’s folders. You can prevent others from deleting critical data.
  2. You Can Limit the Destruction Caused by Ransomware: Many firms have all files open to access by all members of the staff. When a user is hit by ransomware, this would mean the ransomware can encrypt all the files on the network, and thus no one can work on anything, anywhere!   With even basic restrictions across folders, the user cannot make changes to other folders and this would limit the ransomware to only encrypting a portion of the data across the network.  Others could still work uninterrupted instead of the entire firm being crippled.
  3. Read-Only Is Surprisingly Powerful: There is a permission known as Read-Only that allows users to open a file, but not save over the same file, or delete the file. This is super helpful for allowing access to templates or shared company information.  The users can open it, can save it to a different location but the original is protected from changes.
  4. HIPAA, FIPA, PCI, or Any Other Required Rules: With so many breaches and security incidents, many laws and regulations are now in place. Most of these laws have steep fines for not securing data within an organization to the rule of “least access”.  This requires users to have limited access to data and extra steps taken to keep information secured.
  5. Security: And, of course, the whopper reason to use permissions is for security. By limiting what information can be changed or even accessed, you dramatically reduce the threat to your company.  One of the first questions insurance companies or regulators ask after a breach is how the data was segregated and secured.  Was a portion of the data taken or all of it?   Permissions are the main way to protect against a data breach going from minor to major.

Ingredients in Applying Permissions

When applying permissions, they are done by mixing three strategic items.  The first is “What” you want to secure.  You choose areas of the system.  For files, you may select a set of folders.   For a program, you may choose areas within the programs to secure.  Essentially, what is it you are choosing to secure?

Then you choose the type of permissions to apply to this area.   The types of permissions are summarized in the next section of this article.

Finally, you choose “who” to apply the permissions to.  You may give one-group full permissions, while another group of people gets no permissions and another group gets limited permissions.

An example would be something like this:

  • Accountants get to do anything in the Payroll section of the accounting program.
  • Managers get to view, but not change anything in the Payroll section of the accounting program.
  • Other users do not have any access to the Payroll section of the accounting system.

You may choose to apply different permissions to different users for each section of a program or for areas of files on your server.

Types of Security Permissions

Permissions can be applied to files, folders, emails, websites, programs, databases, and a lot more.  Some systems have many different types of permissions and others have very basic options for permission.  In general, you can think of the major types of permissions as either No access, Full Access, or Read-Only.

No access is the tightest type of security.  It means that anyone assigned the No access permission has no ability to go in, see or change anything in this section.

Full access is, unfortunately, all too common. This is simply a setting that says anyone can access and change the data in this section.  There are no restrictions.

Read-Only access is between the two options above.  A person can go in and see those files.  They can open and look at them.  However, they cannot change the original file.   Read-only on a folder means they cannot save to that folder.   If they want to work on a template, they would have to save it to a separate folder and leave the original untouched and unchanged.

Tip:  Apply Permissions by Groups not Individuals

A pro tip is always to apply permissions to group,s not individual people.  Therefore, if you want people in Sales to have access to the Sales folder, you create a group of users called “Sales” and add everyone needed into that group.   This makes it a lot easier to add new people joining the company.  Therefore, when “Mary” joins the sales team, you just add her to the Sales group, which has permissions assigned throughout the company as opposed to having to remember all the places to add and remove Mary’s permissions too.   Even when there is just one person in a group, it is easier and safer to add permissions by groups to areas.

How to Organize Permissions

The two most common and effective ways to organize data to secure it with permissions are by functional areas like departments or by teams of people that work on projects.

Let us use files and folders as an example.   A common setup we recommend is where we setup a network drive such as “X”.   Under the X drive, we will have 3-5 main folders.  For example, we might make folders like this:

X:\Commons – For shared files like vacation request forms, HR info, company templates, etc.

X:\Departments – Under this folder, there are other folders for Sales, HR, Management, Operations, Reception, Accounting, etc.   Each folder is restricted to people in that department.

X:\Programs – Folders for each main program and the install applications.

X:\Users – A folder for each user that only that user can get into.

Now we will make the X: drive so that no one can create other folders without management’s approval.  That way people have to pick an existing folder to save something new to and we do not end up with a bunch of random folders or files saved in the main X: drive.

The bulk of users will work in their department’s folder and have limited or no access to folders of other departments unless needed.

Some companies work better if permissions are organized by teams.  CPA and Law firms commonly use this approach.   A partner in the firm may have several juniors working under them on the same group of clients.   So all of the users working on this group of clients have shared access but not to other teams.

In short, permissions are free to set up and can dramatically improve the security and handling of a firm's data.