Adding a user to a Hub will allow them to view all files in the Hub regardless of permissions attributed to the files. However, Box Hubs will respect Box Shield access restrictions on content that is shared externally (in Beta). If there is a file or folder that has a Shield access policy AND that file or folder is in a Hub, then the restriction is applied when an external user tries to view the content.

Signup here to learn more

A user can be invited to a Hub as an ‘Editor’ or a ‘Viewer.’ Editors can edit content within the Hub whereas Viewers can view, but not edit, the contents of the Hub. If a user does not have access to a file that has been added to a Hub, and the user is added to the Hub, they will receive ‘view’ access to the file. If a user has not been given Editor or Viewer permissions to a Hub they will not see files or folders in the Hub unless they have been added as a collaborator on that file or folder.

View more information in the Box Hubs product guide.

So.. if a user only has “viewer” permissions on a file… then that person is added to a Hub with the same file as an “editor” they can then edit the file in the Hub? (but not outside of the Hub?) 

We are starting to test out Hubs and wanted to understand if there was a hierarchy as to how file permissions, hub access and link permissions all interact to ensure a seamless interaction with all our data. It sounds like there may be some cases where an admin or someone who is managing a Hub might provide more access to a file just because it’s in a Hub by accident. We are in a regulated industry and it’s critical we ensure we have control in these areas and can demonstrate it in an auditing capacity as well. 

One other comment - we have files/folders outside of hubs setup so that certain users setup with the “previewer” role - they can view, but not download. Now if the same file is added to a Hub and they are assigned as a “viewer” within Hubs - that role includes the ability to “download”. In fact - all 3 roles include “download” and there’s no way for a “custom” one to be created.

I use the NTFS file level permissions + Share Level permissions example as to how best to deploy access to data/files. Welcome any feedback.

Hi ​@HalFlynt  Welcome to Box Community! We’re glad to hear that you’re starting to test Hubs, and we’re happy to assist with your inquiries!

While “viewers” can see and access all content within the Hub, Box Hubs does not grant “editor” permission on file or folder content in the Hub to those assigned as editor. This means that editors cannot change or update individual pieces of content unless they have editing permissions at the file or folder level.

For the latter, your statement is correct. With that, either keep the user with “previewer” role on certain files/folders and not be added to Hubs, or set as “viewer” only as they can’t make any changes to the Hubs they are invited to. Furthermore, we do have plans to support a previewer role in Hubs. However, we don’t have exact timing right now. Stay tuned for updates! 

➡ Here are some of the helpful articles to learn more about Box Hubs:

• Box Hubs Product Guides
• Box Hubs Permissions
• Box Hubs Known Issues and Limitations

Please feel free to reach out to us for other concerns/questions!