Folder Access Control
FolderAccessControl and FolderUserPermission let you restrict which projects a user can see, based on the project folder the project lives in.
Why Folder-Level?
Role-based permissions say what a user can do. Folder ACLs say where a user can do it. Common use cases:
- Regional teams only see regional projects.
- Sensitive client folders restricted to a named set of users.
- Graduate / trainee users limited to sandbox folders.
Entities
| Entity | Purpose |
|---|---|
FolderAccessControl | Defines whether a folder is access-controlled at all. Defaults to open. |
FolderUserPermission | A user's role for a specific folder. |
Setting Up
- Admin → Folders → Select a folder → Enable Access Control.
- Add users; pick their role within the folder:
- Viewer — can read projects inside.
- Editor — read / edit.
- Approver — Editor + mark Approved / Complete.
- Owner — full control including managing permissions.
- Save.
Inheritance
A sub-folder inherits its parent's ACL unless overridden. An override is created when you enable access control on the sub-folder.
Interaction with Project Permissions
Folder ACL and ProjectPermission (per-project overrides) compose:
- Folder ACL sets the baseline access.
- Project permissions override for individual projects.
If both apply, the more permissive wins. This matches the common intent — if you've been explicitly granted rights to a project, folder restrictions shouldn't block you.
Bypass
Administrators always bypass folder ACLs. Their actions are still logged.
Denying Access Explicitly
A FolderUserPermission with role None explicitly denies access — useful to block a user from a single folder inside a broadly open parent.
Common Patterns
Regional Access
Parent folder 2026 Tenders open to everyone. Sub-folders Asia, Europe, Americas each have ACLs scoped to regional teams. Users in multiple regions get entries in multiple sub-folders.
Client Confidentiality
A Confidential — Client X folder with only a named partner list. The folder tree is opaque to everyone else — they don't even see its existence.
Graduate Sandbox
A Sandbox folder open to everyone, while production folders are locked to seniors. Graduates practise in the sandbox.
Reporting
Admin → Folder Access Report shows a matrix of users × folders with their effective role. Use to audit access before a client visit or regulatory review.