I hope I can explain it in an understandable way, because I don't really understand myself why this feature works the way it does. It is a little bit complicated to understand.
I have a root folder for some purpose where all sub folders are inheriting permissions from its nested Password Lists but i do not want to change the folder tree structure by anyone (Adding new folders, renaming folders, deleting folders etc.).
To illustrate my problem let's call the root folder "Company". This root folder has two sub folders called "Finance" and "IT".
If an employee now creates a private or shared password list in the sub folder "IT" or "Finance", this employee automatically receives admin rights to this password list. This is still okay for me.
But at the same time this employee also gets admin permissions to the root folder "Company" through inheritance. Although this employee had no rights to the root folder before, he can now edit this folder, change the permission model etc. (And also lock out all other employees).
If i change the folder permission model to "Manage permissions manually for this folder", i can rule out this problem, but i cannot grant different permissions to different employees/groups on the sub folders and password lists.
In case of shared password lists you can still assign the permissions by yourself. But as soon as an employee creates a private password list for himself, he automatically gets administrative access to the folders above and can change settings that he was not allowed to change before. How can i prevent this?
I do not want "IT" employees to have access to lists or sub folders of the "Finance" department and I do not want "Finance" or "IT" employees to be allowed to change anything in the folder structure. In this case, am I really not allowed to use sub folders under root level maintenance? So I should create "Finance" and "IT" directly in the root level?
I have already changed the settings, that on root level nobody except a certain group of people may create password lists and folders, but this option only counts for the root level.
In general I don't want to forbid the creation of password lists and folders via the settings (Set Permissions).
Therefore my question: How is it possible that I can define a folder structure in which people can create password lists and folders according to predefined permissions BUT cannot get any rights on a higher level which they did not have before.
If you have any questions or if you want me to explain something more detailed, please let me know.
Thanks in advance,