Imagine what would happen if any of the following were to occur: Someone publicizes the company compensation spreadsheet or the contents of the HR files.
In a word, it’s a nightmare. You’re now likely to have to justify why so and so is compensated at a higher rate, or potentially liable for accidental disclosure of sensitive personal information.
Who is allowed to access your paper files? Are they wide open for all staff to peruse? Electronic files should be protected from unauthorized access. They should be secured and only those with a ‘need to know’ should have access.
In many situations, three different levels of access permissions can help prevent this situation:
Public – anyone in the company can and should have access. Public information, Sales & Marketing material (final) and the like.
Limited Groups – Usually by Department and/or location.
Individual – Users have access individually – individual work products in progress, research items, etc.
When developing these different levels using whatever makes the most sense for your organization, here are some other things to consider: Retention periods, how to handle the ‘unique’ or the ‘exception to the rule’
In any case, it isn’t recommended to create a structure where different permission levels are nested, although that is certainly possible. Consider what would happen if permission levels were modified at a subordinate folder level and suddenly the CEO couldn’t access his daily report on employee productivity. This is only one example.
Other Key points:
It is NOT recommended to remove the administrators or the System from having permissions. In the former case, if one were to lose access to the files, then no one would have access. In the latter case, the system needs access to files to be able to back them up.