Lion Server - Nested sharepoint and/or 'deny' ACLs
I've been having some issues with setting sharepoint & subfolder access for a specific purpose.
The setup is three sharepoints; 'General', 'Management' and 'Finance'.
As expected all employees have access to the 'General' sharepoint, the finance group have access to 'Finance' and the management group have access to everything including the 'Management' sharepoint.
So far so good.
However, there's a requirement to be able to give subcontractors access to specific subfolders in the 'General' sharepoint.
In Snow Leopard you had a number of ways to accomplish this. Either by 'deny' ACLs or simply by making the subfolder a sharepoint of its own.
However, neither of these options seems to work in Lion Server.
Firstly, 'deny' ACLs do not exist (other than via command line) - I've read that Server app can modify existing deny ACLs, but not create them. I have however not been able to get this to work, as I can't seem to tell via Server app whether an ACL is of 'deny' or 'allow' type.
Secondly, the 'sharepoint within a sharepoint' does not work if you don't give the user/group access to the topmost sharepoint, which defeats the purpose since the subcontractor is only to access a specific subfolder - not everything above this folder.
Granted, I can set 'read' access for the subcontractor to the 'General' sharepoint and leave 'read' off for any subfolders apart from the one to be accessed and grant the subcontractor 'full control' to that specific folder.
BUT - the problem comes in when a new folder is created within the sharepoint. Due to inheritance, the subcontractor will gain access to any new folders created after the initial setting of permissions.
Here's an example outline of the folder structure:
Red - for subcontractor access
Sharepoint_1
    Area_A
        A_Project_1
        A_Project_2
    Area_B
        B_Project_1
        B_Project_2
            B_Subproject_1
            B_Subproject_2
            B_Subproject_3
    Area_C
        C_Project_1
        C_Project_2
Suggestions for how to accomplish this will be greatly appreciated!