Create access without ability to alter folder itself
we basically have two groups in our system, "students" and "employees". By default, all employees should be able to publish content in the system, students should not. I therefore created a root folder and gave create access to the group "employees".
Now all employees can create subfolders in this root folder, manage the permissions of this subfolder and manage their content within this folder. Great.
However: All employees can also manage the permissions of this root folder itself and thus can remove create access from it or even delete it, rendering it useless for all employees.
Am I missing something, or is there a different way I should use? Using the personal folder is also not a great solution. We use SAML as login and provision groups also via SAML. There is no way to enable the personal folder just for employees (at least that's what I know for now). Also, the typical content shared within the organisation should not be linked to a personal folder because it must typically stay in the system even if the user gets deleted. Also it's not possible to create a good folder structure this way...
Any comments on that would be appreciated :)