There are many ways to set up and manage your folder permissions in Triofox. But, while there isn't necessarily a right or wrong way of managing the Allowed Users and Folder Permissions, the method that you choose will greatly affect the amount of folder management and maintenance for your organization.
With Windows permissions, network administrators usually like to leave shares open and then tighten the security with granular NTFS permissions on the Security tab. Using this as an analogy, here is how you can manage the permissions in Triofox:
1-Use the Allowed Users page as you would use the Microsoft Windows Sharing permissions window.
The Access Control tab from the Triofox Server Management Console can be compared to the Share permissions window in Microsoft Windows. Therefore, the recommendation is to simply grant read-write control to "everyone," "all AD users," or any custom group that involves a predefined set of users.
2-Use the Folder Permissions page as you would use the Microsoft Windows Security window.
The Folder Permissions page from the Server Management page can be compared to the Security tab from the Microsoft Windows folder properties page. The simplest setup possible is not to have any Folder Permissions at all, so that all entities defined by the Allowed Users will simply have full control of the folder. However, if you need granular control with separate permissions for list, read, write, delete, share, and deny, then you can do this from the Folder Permissions page.
Once one or more entities have been added to the Folder Permissions, ONLY those entities will be granted access. For example, if the Allowed Users page contains the "All AD Users" (All Active Directory Users) built-in group, but the Folder Permissions contains a single AD user, then only the specified AD user will be allowed into the folder. If you specify any non-AD users here, they will be denied access at the All Users level.
3-Use Groups whenever possible.
You can create your own groups in Triofox, or import groups from Active Directory. Groups can be used to organize the users into departments. Once you have your groups assigned to the Allowed Users and/or Folder Permissions of your Server, you can simply add users to or remove users from the groups in order to grant or deny access to many folders at once, without having to edit the permissions for each folder and sub-folder individually.
4-Use Deny Folder Permissions in conjunction with Groups.
When you click on the green plus-sign next to an entity on the Folder Permissions page, you turn the grant permission into a deny. Deny always overrides grant. This allows you to have some interesting setups, such as adding a group with a green plus sign (grant), and then adding one of the users from the group with a red minus sign (deny). In other words, grant access to everyone from the group, except one of the users.
If you deny an entity, the check-boxes become deny attributes. For example, a negative sign in front of Trifox Testuser with all attributes unchecked is equivalent to the rule not being there at all (i.e., Trifox Testuser won't be denied any rights). Furthermore, a negative sign in front of Trifox Testuser with only Write and Delete checked means that the user will be denied only Write and Delete rights, but will still be able to List, Read and Share.
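The rules above can be modeled in a few lines to check what a planned layout gives each user before you apply it. This is an added example, not Triofox code: the Entry class, the effective_rights function and every name except "All AD Users" are hypothetical, and it assumes that a user matched by no grant row gets no access once any rows exist.

```python
from dataclasses import dataclass

ALL_RIGHTS = frozenset({"list", "read", "write", "delete", "share"})

@dataclass(frozen=True)
class Entry:
    """One row on the Folder Permissions page (a model, not Triofox's data format)."""
    entity: str          # user or group name
    rights: frozenset    # boxes that are checked on the row
    deny: bool = False   # True = red minus sign (deny)

def effective_rights(user, groups, allowed_users, folder_perms):
    """Rights `user` ends up with on one folder, per the rules described above."""
    identities = {user} | set(groups)
    # The Allowed Users list is the outer gate, like Windows share permissions.
    if not identities & set(allowed_users):
        return frozenset()
    # A deny row with nothing checked is equivalent to no row at all.
    rows = [e for e in folder_perms if e.rights or not e.deny]
    # No Folder Permissions rows: allowed users simply get full control.
    if not rows:
        return ALL_RIGHTS
    granted, denied = set(), set()
    for e in rows:
        if e.entity in identities:
            (denied if e.deny else granted).update(e.rights)
    # Once rows exist, only listed entities get in, and deny overrides grant.
    # Assumption: a user matched by no grant row gets nothing.
    return frozenset(granted - denied)

# Constructed sample data; names other than "All AD Users" are hypothetical.
ALLOWED = {"All AD Users"}
PERMS = [
    Entry("Finance", ALL_RIGHTS),                             # grant to a group
    Entry("bob", frozenset({"write", "delete"}), deny=True),  # carve-out
    Entry("carol", frozenset(), deny=True),                   # no-op deny
    Entry("guest", frozenset({"list", "read"})),              # non-AD user
]
USERS = {
    "alice": {"All AD Users", "Finance"},
    "bob": {"All AD Users", "Finance"},
    "carol": {"All AD Users", "Finance"},
    "dave": {"All AD Users"},
    "guest": set(),
}

if __name__ == "__main__":
    for name, groups in USERS.items():
        rights = effective_rights(name, groups, ALLOWED, PERMS)
        print(f"{name:6} {sorted(rights) or 'no access'}")
```

Run against a real layout, the rows worth reviewing are users who come out with no access despite being in Allowed Users (dave here) and entries that never take effect because the entity fails the Allowed Users gate (guest here).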