Issue with Box permissions

Hi, I’m part of an IT company and one of our clients has been using Box since before we started managing them. We’ve been trying to handle an issue with the permissions and so far, we haven’t been able to find a good solution. Box support was not helpful, and I spent some time learning the CLI, but I’m still struggling to figure anything out. Anyways, here is the problem:

The file structure that they have set up does not work with the way Box handles permissions. The situation is they have a folder titled “Human Resources”. In this folder there is an “Employees” folder and each employee of the company has their own subfolder. Within each employee’s folder, there are two subfolders. One of these subfolders is called “Confidential” and should only be accessed by HR. The other subfolder is “Personnel” and should be accessed by HR and Accounting.

Since Box forces their waterfall/inheritance permissions model, we are not able to make this work. If we give read access for Accounting to the “Employees” folder, they get read access to the “Confidential” folders for each employee as well. If I only give Accounting access to the “Personnel” folder for each employee, they will just see hundreds of folders titled “Personnel” with no idea who they belong to.

The only solution we have been able to come up with so far is to completely restructure the Human Resources folder by creating “Confidential” and “Personnel” folders, each containing a folder for every employee. This is not ideal since it would cause confusion for the client and with the size of the company, we would probably have to hire someone to write a script to complete this task. This is assuming that something like this could be completed with CLI and PS scripts.

Is this the only solution, or is there something we are missing? Thanks in advance for the help!

Hello! :wave:,

You are correct in that Box follows waterfall permissions. There is no way to get around that piece.

You could certainly write a PS script that does what you are looking to do… but depending on the size of the folder tree, it might be better to write something using Python or Node since the SDKs have better error handling.

What if instead of calling the employee subfolders Confidential and Personnel, they were instead called Confidential - Unique Employee Identifier and Personnel - Unique Employee Identifier? You would still only collab accounting into the Personnel and HR into the Unique Employee Identifier parent folder. Would that still cause confusion?

Alex, Box Developer Advocate :avocado:
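The renaming idea from the reply above can be dry-run offline before anything is changed in Box. The following is an added example, not code from either post or from Box: it models waterfall access over a constructed folder tree, plans the renames and collaborations, and audits that Accounting cannot reach any Confidential folder. The sample employee names, the `HR` and `Accounting` group labels, the use of the employee folder name as the unique identifier, and inviting HR on each employee's folder are assumptions; it makes no Box API calls.

```python
# Constructed sample tree: employee folder name -> its existing subfolders.
EMPLOYEES = {
    "Doe, Jane (E1001)": ["Confidential", "Personnel"],
    "Roe, Sam (E1002)": ["Confidential", "Personnel"],
    "New, Hire (E1003)": ["Confidential"],  # edge case: no Personnel folder yet
}
ROOT = ("Human Resources", "Employees")

def build_plan(employees):
    """Return (renames, collabs): folders to rename and (group, path) invitations."""
    renames, collabs = [], []
    for emp, subs in sorted(employees.items()):
        emp_path = ROOT + (emp,)
        collabs.append(("HR", emp_path))  # assumption: HR invited per employee folder
        for sub in subs:
            new_name = f"{sub} - {emp}"  # name stays meaningful when seen alone
            renames.append((emp_path + (sub,), new_name))
            if sub == "Personnel":
                collabs.append(("Accounting", emp_path + (new_name,)))
    return renames, collabs

def can_access(group, path, collabs):
    """Waterfall model: an invitation on a folder covers everything beneath it."""
    return any(g == group and path[:len(p)] == p for g, p in collabs)

def audit(employees, collabs):
    """Return every renamed Confidential folder that Accounting can reach."""
    leaks = []
    for emp, subs in employees.items():
        if "Confidential" in subs:
            path = ROOT + (emp, f"Confidential - {emp}")
            if can_access("Accounting", path, collabs):
                leaks.append(path)
    return leaks

if __name__ == "__main__":
    renames, collabs = build_plan(EMPLOYEES)
    for old, new in renames:
        print("rename", "/".join(old), "->", new)
    for group, path in collabs:
        print("invite", group, "on", "/".join(path))
    print("Confidential folders visible to Accounting:", audit(EMPLOYEES, collabs))
```

Running the audit against the collaborations that actually exist, once exported, catches a leftover Accounting invitation on a parent folder, which would silently re-expose every Confidential folder.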