The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Iagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Monday, May 21, 2018

I want to like Windows Controlled Folder Access, but ...

'via Blog this'

I want to like Windows Controlled Folder Access.  Essentially, restriction of access not just by user or group, but also by app.

But, of course, Microsoft made it so simplistic that gets in the way of my usage model.

For example:

  • Lack of Exclusion
    • There are protected folders.  This is good.   
    • You can add more protected folders.  This is also good.
    • But you can't EXCLUDE subfolder trees from protection.
    • This is bad..
    • My usage model:
      • I do a lot of my work in subfolders of Desktop.
      • I do a lot of my work using ad-hoc tools, like Perl and Cygwin
      • I would LIKE most of Desktop to be protected.
      • But I would like to allow all or most, at least a large number, of cygwin apps to have access to subfolder trees such as Desktop/Work-In-Progress
  • Apps are given all or nothing access
    • You can add apps to the permitted list. This is good.
    • But when you do so, the app is allowed to access all Cntrolled Folders. This is bad.
    • E.g. I would like EMACS to be able to access my working areas, like Desktop/Work-In-Progress.  
    • But I would like to disallow EMACS from accessing, say, system folders, or Music, or ...
    • Instead it's all or nothing. :-( 
  • Apps are individual
    • You can add apps to the permitted list. This is good.
    • But you have to add them one by one. This is bad.
    • E.g. I use cygwin.   I would like to add C:/Cygwin/bin/* to the permitted list.
      • But that is too much of a pain, so I just disable Controlled folders
Basically, app permissions are just like user permissions.  They need the same flexibility.

Controlled Folders does not.


This feels very much like Microsoft's initial, >10 years long approach to evolve network share permissions.

I hope that app permissions do not take so long.

No comments: