You might ask yourself what the minimum NTFS rights requirements are to successfully scan to an SMB file share using a Xerox machine. In my case it's the AltaLink C8155 but I believe it's the same for all other Xerox devices. I have tested the access from the MFP and came to the conclusion that the scanning service account used requires the below permissions to be able to do its job.
Obviously, you need sufficient rights to be able to create files in that folder. That's a given. However, I do not want to allow the creation and deletion of folders. I also do not want this account to be able to read previously scanned files, and I do not want it to be able to delete those files.
Therefore, the below permissions should be enough to scan a file to a location. "Create files / write data" allows the file to be created and "List folder / read data" lets the MFP check if the file transferred successfully. I guess it could do it without the "List folder / read data" as well because unsuccessful copying would result in an error.
Of course, if I wanted the MFP to create folders as well, I would need to give that permission, but in my case, I only want a PDF/A file to be created and copied to my network location. What I want to say is I need "just enough permissions". No more, no less.
I contacted Xerox support about that. The answer I got is that this is how the system works. A few functionalities (not the ones I am using) in the MFP require the ability to create folders and therefore the accounts need those permissions. The same goes for the ability to delete files and folders, even if you do not use this functionality. There are no plans to change this behaviour unless it's a feature wanted by many users. The only way for Xerox to acknowledge this need is for all of you who want the same to contact Xerox about that and demand this "feature" (if you can call basic account security a feature). So do me a favour, let them know. Thank you!
For now, I will work around the issue by creating another service account with a file watcher service that moves files to another location where the MFP does not have access.
In case the inserted screenshots are not viewable when not logged in to the forum, here is a description.
Working permissions: Allow for "This folder, subfolders and files", List folder / read data, Create files / write data, Create folders / append data, Delete subfolders and files
Permissions that should be enough: Allow for "This folder only", List folder / read data, Create files / write
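
Added example, not part of the original post and not Xerox code: a PowerShell sketch of the workaround described above. It grants the "working permissions" on the drop folder, then polls that folder (polling is used here in place of a file watcher) and moves finished scans to a folder the scan account cannot reach. The paths, the account name and the function `Move-StableScans` are hypothetical, and the mover is assumed to run under a second account with Modify on the drop folder and write access to the destination.

```powershell
# Hypothetical names; replace with your own.
$DropFolder  = 'D:\Scans\Drop'       # SMB target the MFP writes to
$FinalFolder = 'D:\Scans\Processed'  # scan account has no ACE here
$ScanAccount = 'CONTOSO\svc-scan'    # MFP scanning service account

# "Working permissions" from the post: Allow, this folder, subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $ScanAccount, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $DropFolder
$acl.SetAccessRule($rule)            # replaces earlier explicit Allow ACEs for this account
Set-Acl -Path $DropFolder -AclObject $acl

function Move-StableScans {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [int]$MinAgeSeconds = 30     # ignore files written to very recently
    )
    $cutoff = (Get-Date).AddSeconds(-$MinAgeSeconds)
    Get-ChildItem -LiteralPath $Source -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            $file = $_
            try {
                # Exclusive open fails while the MFP still has the file open.
                $fs = [System.IO.File]::Open($file.FullName, 'Open', 'ReadWrite', 'None')
                $fs.Dispose()
                # Timestamp prefix avoids clashes; an existing target is skipped, not overwritten.
                $name = '{0:yyyyMMdd-HHmmss}_{1}' -f $file.LastWriteTime, $file.Name
                Move-Item -LiteralPath $file.FullName -Destination (Join-Path $Destination $name) -ErrorAction Stop
            } catch {
                Write-Warning "Skipped $($file.FullName): $($_.Exception.Message)"
            }
        }
}

# Run as the second (mover) service account, e.g. from a scheduled task at startup.
while ($true) {
    Move-StableScans -Source $DropFolder -Destination $FinalFolder
    Start-Sleep -Seconds 15
}
```

The shorter the polling interval and minimum age, the less time a finished scan stays readable and deletable through the scan account's inherited rights.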