Hello - I'm trying to hide the Files and Images tab from our users because I can't allow them to delete other user's files or replace them (we can put group sharing and mapped drives behind the scenes for a work-around).

I can't use Hamish's Secure Files because we are running on IIS7 (the job states that I do). When I create a ROLE (or even if I don't use Role), I give them "Pages" access but do NOT check the FIles and Images. It doesn't matter.... when that user logs in, they see it - and have full control. I did upgrade from 2.3 - could this be the problem?

How does everyone else in a CMS enviornment control the Assets folder - this seems like a pretty big deal for me and it shouldn't be up to Hamish and his team to come up with a solution. This should be at the base level of any CMS (... or am I crazy?)

Help - we go live month - and I'm getting a little nervous with the boss(es) asking me about Security related issues....

Ugh...

Just tested this on a fresh 2.4.1 install, and uncheck the Access to Files and Images for a group limits the access to it. Even when try to access it by direct url, it will redirect to /admin.

Also setting the permissions in Roles does limit the access.

I dont know why it's not working with you, but ýou do know that it should work, by limiting access for groups. :).

Do you have nested groups, so underlying groups inherit from parent groups?

Not shure if upgrading is the culprit, but you might try to install a clean ss besides the upgraded one and see if there are any differences in the database structure (I had some trouble with Widgets a while ago after upgrading to 2.4.0...).

Oh yes - Martijn - you are my hero! That what it was - the "Parent" group still had those permissions and was over-riding the new role.
THANK YOU! I marked the Title as - SOLVED. I appreciate the quick response and I'm on my way to breathing easy now... Time for some coffee... whew.

Coffee is the magic medicine ;)

Glad you solved it!