As a result of a number of incidents over the past year or so, and to align ourselves with generally accepted industry best practices, a decision was made to only grant "full control" folder access to system processes (the "System" account, Backup Operators, etc.) and  a select group of senior network administrators.  

How to request or modify folder access

To request folder access, or to restrict folder access, please have the owner of the folder (or in the case of a departmental shared folder, a manager or higher from the department) contact Computer Services by email or online service request (phone calls are not accepted in this case as we do need the request to come in writing from only authorized people as identified above).

Why did we change it from the way it used to be?

To give you some examples as to why this decision was made, we have experienced some incidents of permanent data loss because system accounts (like the backup account) had removed by "Full Control" users which prevented backups from happening. Thus, when we tried to restore the files from backups, the backups weren't there. 

We have also encountered numerous examples of permissions being improperly applied (granting access to users instead of groups, inherited permissions not being filtered, etc.) such that the security of the data becomes questionable and we (as in the senior network admins) are often locked out of folders to the point that we can only resolve access issues by taking what I refer to as "heroic" means which are time-consuming and result in temporary loss of access for those who use the folder.

As mentioned previously, this move was to ensure that our data is backed up properly and that access control permissions are applied in a more standard way that is consistent with security best practices.     It also means that the senior network admins have the access they need so that they can assist with any issues that arise with any specific folder including advanced measures like setting up access auditing or restricting inherited permissions.  We realise that it may seem a bit bothersome to have to create a Computer Services ticket to have folder permissions set but we assure you that we give these tickets prompt turn-around.