File Access Rights Setup in Bitrix24
The sales department sees payroll records. An intern has access to strategic documents. A former employee still opens files through a saved link. All of this stems from one mistake: file access rights are not configured. By default, Bitrix24 grants broad access, and without explicit setup, corporate documents are available to the wrong people.
Access Model in Bitrix24
File and folder permissions work on multiple levels:
| Level | Defines | Configured In |
|---|---|---|
| Company Drive | Access to root folders | Drive Settings → Access Rights |
| Workgroup | Access to group/project files | Group Settings → Members and Roles |
| Folder | Access to a specific folder and its contents | Folder context menu → Access Rights |
| File | Access to an individual file | File context menu → Access Rights |
Levels cascade downward: if the marketing department has access to the "Marketing" folder, all nested folders and files are accessible to that department. Inheritance can be broken at any level by setting custom rights on a subfolder.
Permission Types
Bitrix24 distinguishes several levels of file access:
- Full access—read, edit, delete, manage permissions. For department heads and admins.
- Edit—read and modify content. Cannot delete others' files or change permissions.
- Read-only—view and download. Cannot make changes.
- No access—explicit denial. Used to exclude a specific employee or department from inherited access.
Setup by Company Structure
The most effective approach: assign permissions not to individuals but to departments and roles. When an employee moves between departments, their access updates automatically.
Example access matrix:
| Folder | Leadership | Accounting | Sales | Marketing |
|---|---|---|---|---|
| Finance | Full | Full | None | None |
| Proposals | Read | None | Full | Read |
| Marketing Materials | Read | None | Read | Full |
| Regulations | Read | Read | Read | Read |
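The matrix can also be checked against what is actually configured. The sketch below is an added example, not Bitrix24 code or its API: it models inheritance with the assumption that the nearest explicit entry on the path wins, and the configured rights and the subfolders "Payroll" and "Drafts" are constructed sample data. It reports every folder where a department's effective right exceeds the matrix.

```python
from pathlib import PurePosixPath

LEVELS = {"None": 0, "Read": 1, "Edit": 2, "Full": 3}
DEPARTMENTS = ["Leadership", "Accounting", "Sales", "Marketing"]

# Intended matrix, copied from the table above.
MATRIX = {
    "Finance": dict(zip(DEPARTMENTS, ["Full", "Full", "None", "None"])),
    "Proposals": dict(zip(DEPARTMENTS, ["Read", "None", "Full", "Read"])),
    "Marketing Materials": dict(zip(DEPARTMENTS, ["Read", "None", "Read", "Full"])),
    "Regulations": dict(zip(DEPARTMENTS, ["Read", "Read", "Read", "Read"])),
}

# Constructed sample: explicit entries only; anything missing is inherited.
CONFIGURED = {
    "/": {d: "Read" for d in DEPARTMENTS},            # broad default
    "/Finance": {"Leadership": "Full", "Accounting": "Full", "Sales": "None"},
    "/Finance/Payroll": {"Leadership": "None"},        # tighter exception
    "/Proposals": {"Accounting": "None", "Sales": "Full"},
    "/Proposals/Drafts": {"Accounting": "Edit"},       # looser exception
    "/Marketing Materials": {"Accounting": "None", "Marketing": "Full"},
    "/Regulations": {},
}

def effective_right(path, dept, acl=CONFIGURED):
    """Walk from the folder up to the root; the nearest explicit entry wins."""
    node = PurePosixPath(path)
    for folder in (node, *node.parents):
        entry = acl.get(str(folder), {})
        if dept in entry:
            return entry[dept]
    return "None"  # no explicit entry anywhere on the path

def overexposed(matrix=MATRIX, acl=CONFIGURED):
    """List (path, dept, intended, effective) where access exceeds the matrix."""
    findings = []
    for path in sorted(p for p in acl if p != "/"):
        intended = matrix[PurePosixPath(path).parts[1]]  # top-level folder row
        for dept in DEPARTMENTS:
            actual = effective_right(path, dept, acl)
            if LEVELS[actual] > LEVELS[intended[dept]]:
                findings.append((path, dept, intended[dept], actual))
    return findings

if __name__ == "__main__":
    for finding in overexposed():
        print("%s: %s should be %s, is %s" % finding)
```

In the sample, the missing "No access" entry for Marketing on "Finance" lets the broad root default leak into the folder and its subfolder, and the broken inheritance on "Proposals/Drafts" gives Accounting more than the matrix allows.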
Public Links and External Access
Employees often share files via public links—convenient but risky. A link works without authentication: anyone with it can download the file.
What we control:
- Ban public links for certain folders—financial documents, HR records, strategy
- Link expiration—the link automatically deactivates after N days
- Password protection—additional barrier when sharing files with external parties
- Sharing log—who made which file public and when
Access Audit
We set up monitoring of file activities:
- Who opened a file and when
- Who downloaded, edited, or deleted a file
- Who changed access rights
- Who created public links
This data is available to admins through the event log. For critical folders, we configure alerts: if someone changes rights on the "Finance" folder, the admin gets notified in chat.
What We Configure
- Access rights matrix by department and role
- Rights inheritance hierarchy with targeted exceptions
- Public link policy: restrictions, expiration dates, passwords
- File action audit and notifications on rights changes
- Rules for external users (extranet)—access only to project folders
- Employee instructions on rights management and file sharing







