# Folder permission

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/folder-permission

## Quick definition

Folder permissions are rules that control who can open, change, or delete a folder and the files inside it. They help keep data secure by allowing only authorized users to perform specific actions. Think of them as a lock on a filing cabinet where only people with the right key can read or edit the documents. These permissions are essential for protecting sensitive information in shared computer environments.

## Simple meaning

Imagine you live in a house with several roommates, and everyone has a personal cabinet in the living room. You want to make sure that only you can access your private documents, but you are fine with others looking at shared items like the TV remote. Folder permissions work like a set of rules you write on each cabinet. You can say that only you can open your cabinet and take things out, or that certain friends can look inside but cannot touch anything. You might also allow a specific roommate to add new items but not remove anything. In the computer world, folders are those cabinets, and permissions are the rules written on them. The operating system, like Windows or Linux, enforces these rules every time someone tries to open a folder. If a person does not have the right permission, the system blocks them. This system prevents accidents, like someone deleting an important report, and stops unauthorized people from viewing private files. Folder permissions are part of a larger security framework called access control, which also includes file permissions and user accounts. In schools, offices, and even home computers, they keep data organized and safe from prying eyes or accidental changes.

## Technical definition

Folder permissions are a fundamental component of access control in operating systems, governing the level of access that users and groups have to directories. In Windows, these permissions are managed through the New Technology File System (NTFS) and are defined by access control entries (ACEs) stored in a discretionary access control list (DACL). Each ACE specifies a security identifier (SID) for a user or group and the type of access granted, such as read, write, modify, or full control. The permissions are inherited from parent folders by default, unless explicitly blocked, which simplifies administration in deep directory structures. Common NTFS folder permissions include List Folder Contents, Read, Read & Execute, Write, Modify, and Full Control. List Folder Contents allows viewing the names of files and subfolders but not their contents. Read permits viewing and opening files, while Read & Execute adds the ability to run executable files. Write allows creating new files and subfolders inside the folder. Modify combines Read & Execute with the ability to delete the folder and its contents. Full Control grants all permissions, including the ability to change permissions and take ownership.



In Unix-like systems, including Linux and macOS, folder permissions are based on a simpler model using three categories: owner, group, and others. Each category has read (r), write (w), and execute (x) permissions. For directories, read permission allows listing the directory contents, write permission allows creating or deleting files within the directory, and execute permission allows entering the directory and accessing its files. This model is implemented using inodes and permission bits, which are nine bits total (three for each category). The command 'chmod' changes permissions, and 'ls -l' displays them. For example, the permission string 'drwxr-xr-x' indicates a directory where the owner has full access, the group can read and enter, and others can also read and enter. Advanced features like setuid, setgid, and sticky bits add extra control. The setgid bit on a directory causes new files to inherit the group of the directory, which is useful for shared project folders. The sticky bit, commonly used in /tmp, prevents users from deleting files they do not own.



In enterprise IT environments, folder permissions are often managed through group policies in Active Directory for Windows or through sudoers and ACLs (Access Control Lists) in Linux. ACLs extend the basic Unix model by allowing permissions for multiple specific users or groups. Windows also supports share permissions for folders accessed over a network, which combine with NTFS permissions to determine effective access. The most restrictive permission applies when both share and NTFS permissions are evaluated. Understanding folder permissions is critical for system administrators to enforce the principle of least privilege, ensuring users have only the access needed for their roles. Misconfigurations can lead to security vulnerabilities, data breaches, or operational disruptions.

## Real-life example

Think of a public library with several study rooms. Each room has a door with a lock, and the librarian has a master key. The library rules are like folder permissions. Some rooms, like the quiet reading room, are open to everyone. Anyone can walk in and sit down. That is like a folder with read permission for everyone. Other rooms, like the staff office, are locked and only employees with a special badge can enter. That is like a folder that only a specific group can access. Now consider a research room where a team is working on a project. The team leader gives each member a key that lets them enter and use the computers. But only the leader can rearrange furniture or bring in new equipment. In computer terms, team members have read and write permissions, but the leader has full control. If a student tries to enter the staff office without a badge, the door stays locked. Similarly, if a user without permission tries to open a protected folder, the operating system denies the request. This analogy shows how permissions control access at different levels, like a building with multiple rooms, each with its own entry rules. The librarian (the operating system) checks every person's badge (their user account) against the rules for each door, ensuring only authorized people get in. If someone loses their badge, they cannot enter until a new one is issued, just like an IT admin granting permissions to a new user account.

## Why it matters

Folder permissions matter because they are the first line of defense against unauthorized access to sensitive data in any IT environment. Without proper permissions, any user on a system could read, modify, or delete critical files, leading to data loss, privacy breaches, or system instability. In corporate networks, employees often share folders for collaboration, but each person should only see what is necessary for their job. For example, a human resources folder containing salary information must be restricted to HR staff only, while the finance team should have their own folder for budgetary data. Permissions also help maintain data integrity by preventing accidental changes. A user editing a shared document might unintentionally delete important content, but if the folder is set to read-only for that user, the damage is avoided. In regulated industries like healthcare or finance, compliance standards such as HIPAA or PCI DSS require strict access controls, making folder permissions a legal necessity. System administrators must regularly audit permissions to ensure they align with organizational policies. Permissions affect system performance and scalability. Incorrectly set permissions can lead to access denied errors, frustrating users and increasing helpdesk tickets. Understanding how to set and troubleshoot folder permissions is a core skill for IT support roles, as misconfigurations are a common source of issues. Finally, folder permissions tie into broader security concepts like authentication, authorization, and auditing, forming a foundational piece of cybersecurity knowledge.

## Why it matters in exams

Folder permissions are a recurring topic across multiple IT certification exams because they represent a practical, testable aspect of operating system security and administration. In CompTIA A+ (220-1102), candidates must understand how to configure NTFS permissions on Windows, including setting permissions, inheritance, and effective permissions. Exam questions often present a scenario where a user cannot access a shared folder, and the candidate must identify whether the issue lies with NTFS permissions or share permissions. For CompTIA Network+, folder permissions appear in the context of network security and shared resources, though the focus is more on share-level permissions and network access control. CompTIA Security+ covers folder permissions under access control models, including DACL, MAC, and RBAC, along with the principle of least privilege. Questions may ask which permission set minimizes risk for a specific user. For Linux+ or LPIC exams, candidates must know the numeric and symbolic permission modes, how to change them with chmod, and how ACLs extend basic permissions. Microsoft certifications, like Microsoft 365 Certified: Modern Desktop Administrator Associate (MD-100), include configuring and troubleshooting folder permissions, controlling inheritance, and auditing access. In the AWS Certified Cloud Practitioner exam, folder permissions translate to S3 bucket policies and IAM roles, though the core concept remains control over resource access. Exam questions often test the difference between basic permissions (read, write, execute) and advanced permissions (full control, modify), as well as the effects of permission inheritance. Scenario-based questions are common: a manager needs to give a team member permission to add files but not delete existing ones. The correct answer would be to assign write permission rather than full control. Another common question type involves troubleshooting access denied errors by checking effective permissions. Understanding how to calculate effective permissions when a user belongs to multiple groups is critical. Exams may cover the impact of moving or copying folders: copied files retain the permissions of the destination folder, while moved files keep their original permissions. Mastery of these details is essential for exam success.

## How it appears in exam questions

Exam questions on folder permissions typically appear in three formats: scenario-based, configuration, and troubleshooting. In scenario-based questions, you are given a real-world situation and asked to choose the correct permission to achieve a specific goal. For example, a question might state: 'A user needs to be able to read and delete files in a shared folder, but not change permissions. Which permission should you assign?' The answer would be Modify, which includes delete but not full control. Another scenario: 'You have a folder that contains budget spreadsheets. The finance team needs to see the files, but only the manager should be able to edit them.' The correct approach is to give the finance team Read permission and the manager Write permission. In configuration questions, you may need to apply permissions using a graphical interface or command line. For Windows, this could involve navigating the Security tab in folder properties, adding a user, and selecting the appropriate checkboxes. For Linux, you might be asked to use chmod to set permissions so that the owner has full access, the group can read and execute, and others have no access. The answer would be 'chmod 750 /path/to/folder'. Troubleshooting questions present an error scenario, such as 'A user reports that they can see the folder but cannot open it. What is the most likely cause?' The answer would be missing execute permission on a Linux directory or lacking the Read & Execute permission in Windows. Another common troubleshooting pattern involves permission inheritance. A question might describe a parent folder with full control for a user, but a subfolder that the user cannot access. The issue is that the subfolder has explicit deny permissions that override the inherited allow. Candidates must know that explicit deny takes precedence over allow. Questions about effective permissions are also frequent. For instance, if a user is in two groups, one with Read and one with Write, the effective permission is the combination, so both Read and Write apply. But if one group has Deny Write, then deny overrides, and the user cannot write. Exams also test the difference between share permissions and NTFS permissions. A typical question: 'A shared folder on an NTFS volume allows Read share permission and Full Control NTFS permission. What is the effective permission for a user accessing the folder over the network?' The correct answer is Read, because the most restrictive permission applies. These patterns repeat across exams, so practicing them is key.

## Example scenario

You are the IT administrator for a small marketing agency called AdPro. The company has three departments: Creative, Sales, and Admin. Each department has its own shared folder on the office server. The Creative team has a folder named 'Campaign_Assets' containing images, videos, and design files. The Sales team has a folder called 'Client_Proposals', and Admin has an 'Employee_Records' folder with sensitive HR documents. One day, a new employee named Sam joins the Creative team. Sam needs to view and download the design files in Campaign_Assets to work on a client project. However, Sam should not be allowed to delete any files because that could ruin a campaign in progress. Also, Sam must not see any HR records or client proposals from other departments. Youlog into the server as an administrator and navigate to the Campaign_Assets folder properties. Under the Security tab, you add Sam's user account to the permissions list. You check the 'Read & Execute' and 'Read' permissions, but leave 'Write' and 'Modify' unchecked. This gives Sam the ability to open and copy files, but not to delete or change them. Next, you verify that Sam does not have any permissions on the Employee_Records or Client_Proposals folders. You check those folders' security settings to confirm Sam is not listed at all. To be thorough, you also check the 'Effective Access' tab in the Advanced Security settings for Campaign_Assets. This tool simulates Sam's access and confirms that Sam can read and execute but not write. A week later, the Creative director asks why Sam cannot delete a file that is no longer needed. You explain that the folder permission intentionally prevents deletion to protect ongoing work. The director can delete the file herself because she has Full Control. This scenario illustrates how folder permissions can be tailored to match job responsibilities. Sam has the access needed to do the job, but no more. This follows the principle of least privilege and prevents accidental data loss. The same approach applies to all users in the company, ensuring that only the HR manager can see employee files, only salespeople can modify proposals, and creative staff can access their assets without risk.

## Common mistakes

- **Mistake:** Giving Full Control to all users on a shared folder
  - Why it is wrong: Full Control allows users to delete files, change permissions, and take ownership. This can lead to unauthorized deletions or security breaches.
  - Fix: Assign only the necessary permissions. For most users, Read or Modify is sufficient. Reserve Full Control for administrators or folder owners.
- **Mistake:** Confusing NTFS permissions with share permissions when accessing folders over a network
  - Why it is wrong: Share permissions are applied at the network share level and limit access before NTFS permissions are checked. The effective permission is the most restrictive of the two.
  - Fix: When setting up shared folders, remember that the user's effective permission is the more restrictive between share and NTFS permissions. Set share permissions to Full Control and control access using NTFS permissions for simplicity.
- **Mistake:** Assuming that moving a folder within the same volume preserves permissions
  - Why it is wrong: When a folder is moved within the same NTFS volume, it retains its original permissions. But if it is copied or moved to a different volume, it inherits the permissions of the destination folder.
  - Fix: Before moving or copying a folder, decide whether you want to keep or inherit permissions. Use move for preserving permissions on the same volume, and copy with caution on different volumes.
- **Mistake:** Forgetting to check effective permissions for users who belong to multiple groups
  - Why it is wrong: A user may have permissions from both individual assignments and group memberships. An explicit deny in any group overrides any allow from other groups, leading to unexpected access denial.
  - Fix: Always use the Effective Permissions or Effective Access tool in the operating system to verify what a user can actually do, especially when they belong to several groups.
- **Mistake:** Setting permissions only on files and ignoring folders
  - Why it is wrong: Permissions on a folder control access to its contents by default. If a folder has restrictive permissions but files inside have permissive ones, users still cannot access the files because they cannot list or enter the folder.
  - Fix: Always set permissions at the folder level first. Use inheritance to propagate permissions to subfolders and files, ensuring consistent access.

## Exam trap

{"trap":"When a question asks for a permission that allows a user to create files but not read them, the wrong answer is often Write because it allows writing but denies reading.","why_learners_choose_it":"Learners think Write only allows adding files, but in both Windows and Linux, Write permission on a folder also includes the ability to create files. However, if a user only has Write without Read, they can create files but cannot see the list of files in the folder. This is counterintuitive because you cannot verify the file was created without Read.","how_to_avoid_it":"Remember that folder permissions in Windows and Linux are independent. Write permission allows creating files, but Read is required to see the directory listing. In exam scenarios, always consider what the user needs to see versus what they need to create. For a user who needs to drop files into a folder but never browse it, set Read to Deny and Write to Allow."}

## Commonly confused with

- **Folder permission vs File permission:** File permissions apply to individual files, while folder permissions apply to directories and their contents by default. Folder permissions can control access to files inside them through inheritance, but file permissions can override folder permissions if explicitly set. For example, a folder may allow Read, but a specific file within it may deny Read to the same user. (Example: A user can enter a folder (execute permission on the folder) but cannot open a specific file because the file has a deny permission for that user.)
- **Folder permission vs Share permission:** Share permissions are used when a folder is accessed over a network via a shared folder. They are separate from NTFS permissions and are simpler, with only Read, Change, and Full Control. NTFS permissions are more granular and apply regardless of whether access is local or remote. When both are used, the effective permission is the more restrictive one. (Example: A folder has NTFS Full Control for a user but the share permission is set to Read. When the user accesses the folder over the network, they can only read files, not modify them.)
- **Folder permission vs Ownership:** Ownership is the state of being the original creator or a transferred owner of a folder. The owner can always change permissions, even if they are denied access by others. Permissions, on the other hand, are rules that can be set by the owner or an administrator to control access for other users. (Example: John creates a folder and is the owner. Even if John accidentally sets a deny permission for himself on that folder, the ownership allows him to take ownership back and regain full access.)

## Step-by-step breakdown

1. **Identify the folder and its purpose** — Determine which folder needs permissions and what it will be used for. For example, a project folder for a team needs collaboration, while an HR folder needs strict restriction. Knowing the folder's role guides the permission assignment.
2. **Determine the users and groups that need access** — List all users or groups that require access to the folder. In an IT environment, use groups rather than individual users to simplify management. For example, create a group called 'ProjectTeam' and add members, then assign permissions to the group instead of each user.
3. **Choose the appropriate permission level for each user or group** — Based on job duties, assign the least permissive level that still allows the required tasks. For read-only access, choose Read. For adding files, choose Write. For full editing, choose Modify. Avoid Full Control unless the user needs to manage permissions.
4. **Apply the permissions and configure inheritance** — In Windows, use the Security tab to add users/groups and set permissions. Decide whether permissions should apply to subfolders and files. By default, they do. To prevent inheritance, use the 'Disable inheritance' button and choose to convert or remove existing inherited permissions.
5. **Verify permissions using effective access tools** — After setting permissions, use the system's built-in tool to verify what a specific user can do. In Windows, go to Advanced Security Settings and click 'Effective Access' to enter a user name and see their effective permissions. This catches mistakes like conflicting group memberships.
6. **Test the access with a real user account** — Log in as the test user and attempt to perform the expected tasks, such as opening a file, creating a new file, or deleting a file. This practical test confirms the configuration works as intended and helps identify any overlooked deny rules.
7. **Document the permission settings** — Record the folder path, users/groups, permissions assigned, and the date. This documentation is crucial for audits, troubleshooting, and future changes. In IT, undocumented permissions can lead to confusion and security gaps.

## Practical mini-lesson

Folder permissions are a daily concern for IT professionals, whether you are setting up a new shared drive, troubleshooting an access denied error, or auditing security. Understanding how to implement them correctly starts with knowing the available permission levels and their real-world effects. In Windows NTFS, the most commonly used permissions are Read, Read & Execute, List Folder Contents, Write, Modify, and Full Control. Each permission is a combination of special permissions like Traverse Folder, List Folder, Create Files, Delete, and Change Permissions. For instance, Write permission includes Create Files, Create Folders, and Write Attributes, but not Delete. This granularity allows fine-tuned control. In practice, when a new employee joins, you would add their user account to the appropriate Active Directory group, which already has the correct folder permissions. Group-based management reduces administrative overhead and ensures consistency.



In Linux, the permission model is simpler but equally important. The three basic permissions are read (r), write (w), and execute (x). For directories, execute permission is essential to enter the directory. Without it, a user cannot access any files inside, even if file permissions allow it. This leads to a common mistake: setting 644 permissions on a directory, which gives read and write to the owner but no execute to anyone. This effectively locks everyone except the owner out of the directory. The correct permission for a shared directory is often 755 (rwxr-xr-x) or 775 (rwxrwxr-x) for group collaboration. The command chmod is used to change permissions. For example, chmod 755 /data/project sets owner to rwx, group to r-x, and others to r-x. The chown command changes the owner and group, which is important when a folder is created by the wrong user. Using ACLs with setfacl gives more flexibility, such as allowing a specific user write access without changing the group permissions.



Configuration context also involves inheritance. In Windows, inherited permissions are shown as grayed out checkboxes. If you need to add a special permission for a subfolder without affecting the parent, you can break inheritance and then set explicit permissions. However, breaking inheritance can create a management burden because future changes to the parent will not propagate. A better practice is to use groups and avoid nested exceptions when possible. What can go wrong includes accidental deny entries, which always override allow. For example, if a user is denied write on a parent folder but allowed write on a subfolder, the deny prevails because effective permissions are evaluated with deny first. Also, moving folders between volumes can silently change permissions, leading to unintended access. Professionals should always verify permissions after any move or copy operation. Finally, auditing permissions is a critical skill. Tools like icacls in Windows or getfacl in Linux can list all permissions programmatically. Regular audits help detect permission creep, where users accumulate more access than needed over time.

## Memory tip

Think of folder permissions as a key ring: each key (permission) opens a different lock (action). You only hand out the keys people need for their job.

## FAQ

**What is the difference between folder permissions and file permissions?**

Folder permissions apply to the directory itself and can control access to the files inside through inheritance. File permissions apply only to a specific file. If a file has a deny permission for a user, it overrides any allow from the folder.

**Can I set folder permissions without being an administrator?**

No, typically only administrators or the owner of the folder can change permissions. In Windows, you need Full Control or the 'Change Permissions' special permission. In Linux, you must be the owner or have sudo privileges.

**What happens to permissions when I copy a folder to a different drive?**

When you copy a folder to a different drive, it inherits the permissions of the destination folder. The original permissions are not preserved. Moving a folder within the same drive retains the original permissions.

**How do I check what permissions a user has on a folder?**

In Windows, right-click the folder, go to Properties, Security, Advanced, and click Effective Access. Enter the user name and click View effective access. In Linux, use the command 'ls -ld foldername' to see the owner, group, and basic permissions, or 'getfacl foldername' for ACLs.

**What is the difference between share permissions and NTFS permissions?**

Share permissions are applied at the network share level and only affect users accessing the folder over the network. NTFS permissions apply whether access is local or remote. When both are used, the effective permission is the most restrictive one.

**Why would a user see 'Access Denied' on a folder even though they have Read permission?**

This can happen if the user lacks the 'List Folder Contents' or 'Read & Execute' permission, which is required to view and enter the folder. In Linux, the folder must have execute permission for the user to enter it. Also, a deny entry for that user may exist.

## Summary

Folder permissions are the rules that control who can access and interact with directories on a computer system. They are a fundamental part of operating system security, ensuring that only authorized users can view, modify, or delete folders and their contents. Understanding folder permissions is essential for any IT professional because they appear in everyday tasks like setting up shared drives, troubleshooting user access issues, and auditing security. The concept is tested on major certification exams including CompTIA A+, Network+, Security+, Linux+, and various Microsoft and AWS certifications. Exam questions focus on permission levels, inheritance, effective permissions, and the difference between share and NTFS permissions. Common mistakes include giving too much access, mixing up share and NTFS permissions, ignoring inheritance, and forgetting to check effective permissions when users belong to multiple groups. A key exam trap is the assumption that Write permission includes the ability to read the folder contents, which is false without also assigning Read. By mastering folder permissions, you gain confidence in managing user access securely and efficiently. This knowledge also lays the groundwork for more advanced topics like access control lists, group policies, and cloud storage permissions. Always apply the principle of least privilege, verify with effective access tools, and document your settings. With these practices, you can prevent security breaches and ensure smooth operations in any IT environment.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/folder-permission
