Understanding Effective Permissions

How do effective permissions arise? Which factors are considered by Docusnap365 – and which are not?

Introduction

In complex IT environments, it’s not enough to know which permissions are directly assigned or inherited — what really matters is what is effectively applied. Docusnap365 determines a user’s effective permissions by compiling and evaluating all relevant influencing factors.

What Are Effective Permissions?

A user’s or group’s effective permissions result from a combination of several layers:

  1. Share Permissions

    • Control access to network shares (\\server\share)
    • Act as an upper limit for access through the share: NTFS Full Control goes no further than “Read” if the share only allows “Read”
  2. NTFS Permissions

    • Directly assigned (explicit) rights on a folder or file
    • Inherited rights from parent objects
  3. Group Memberships

    • Direct and nested group memberships are fully resolved
    • Includes Foreign Security Principals, if resolvable
  4. Inheritance Context

    • Whether and how permissions are passed down or broken
    • Combined with the scope of inheritable permissions (e.g., “This folder only,” “Folder, subfolders and files”)

Docusnap365 evaluates all these layers and calculates the actual impact — per principal and per directory level.

What Is Considered?

Included in the calculation:

  • NTFS ACLs including explicit and inherited rights
  • Groups and nested group memberships
  • Inheritance information (including disabled inheritance)
  • Share permissions
  • Resolved SIDs (including Foreign Security Principals if AD data is available)
  • Validity of users (e.g., disabled accounts)
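
How the layers and factors listed above combine, as an added example (a simplified model of standard Windows access evaluation, not Docusnap365's own code). The right bits, account and group names, and ACLs are constructed sample data, and treating a disabled account as having no effective access is an assumption of this example.

```python
# Added illustration: simplified model of Windows access evaluation.
READ, WRITE, DELETE, PERMS = 1, 2, 4, 8      # constructed, simplified right bits
MODIFY = READ | WRITE | DELETE
FULL = MODIFY | PERMS

def resolve_sids(user, member_of):
    """Return the user plus all direct and nested groups (safe against cycles)."""
    seen, stack = {user}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def max_allowed(acl, sids):
    """Walk ACEs in canonical order: explicit deny, explicit allow,
    inherited deny, inherited allow. The first decision per bit wins."""
    granted = denied = 0
    for sid, kind, mask, inherited in sorted(acl, key=lambda a: (a[3], a[1] != "deny")):
        if sid not in sids:
            continue
        if kind == "allow":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted

def effective(user, member_of, ntfs_acl, share_acl, disabled=()):
    if user in disabled:                     # assumption: disabled account = no access
        return 0
    sids = resolve_sids(user, member_of)
    # The share acts as a cap: only rights granted by BOTH layers remain.
    return max_allowed(ntfs_acl, sids) & max_allowed(share_acl, sids)

# Constructed sample data: (principal, type, mask, inherited)
MEMBER_OF = {"alice": ["Sales-EMEA"], "Sales-EMEA": ["Sales"],
             "bob": ["Sales", "Interns"], "carol": ["Sales"]}
NTFS_ACL = [("Sales", "allow", MODIFY, True),
            ("Interns", "deny", WRITE | DELETE, True),
            ("bob", "allow", WRITE, False),
            ("Admins", "allow", FULL, True)]
SHARE_CHANGE = [("Sales", "allow", MODIFY, False)]
SHARE_READ = [("Sales", "allow", READ, False)]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, effective(user, MEMBER_OF, NTFS_ACL, SHARE_CHANGE, disabled={"carol"}))
    print("alice via read-only share:", effective("alice", MEMBER_OF, NTFS_ACL, SHARE_READ))
```

For bob, the explicit “Write” allow is evaluated before the inherited deny, so only “Delete” is removed.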

Example: Different Origins, Same Effect

A user can gain the same effective rights through multiple paths:

  • Direct NTFS permission (“Modify”) on a folder
  • Membership in an AD group that inherits “Modify”
  • Combination of “Read” via NTFS + “Write” via share

Docusnap365 calculates an effective overall right from these paths and displays it in tabular form — currently without tracing where exactly the right originated.

Note: The detailed origin of a permission — that is, the exact source of an individual right — will be added in a future release. This will reveal whether a permission originates from an AD group, inheritance, or an explicit ACL entry.

The goal is not only to present the current state — but also to provide transparent tracing of how and from where a specific permission is derived.