Assistance with File Access Control from outside our office network

Hello Forum,

I’m implementing a system whereby one of our employees will have access to log in to Nextcloud from outside our network. I want to limit what they can do from outside our network compared to what they can do on Nextcloud when they are logged in from within the office. I’ve heard that File Access Control can be used to assist me in this use case.

I know this will sound stupid, but what I would really like to do is stop this employee from having access to any files or documents when they log in from outside our office network, and have them be able to access whatever files I’ve granted them access to when they log in from inside our office.

The reason I’m doing this is that when the user logs in from outside our office, I’ll be using External Sites connected to our Guacamole server, so that this employee will only be able to log in to our office through Guacamole, and only after they’ve logged into Nextcloud.

This is the reason I don’t want this user to have access to any files or documents when they log in from outside the office.

Is this possible?

Thank you,

So you want an “app access control”? I don’t know if that is possible, though it probably is possible to implement this (either on your own, by feature request and waiting, or via official enterprise support).

You don’t want your users to use this function at all, or just because it is in your local network (so they could use it via VPN)?

Hello @tflidd and thank you for your response.

To give a bit more detail about my use case: I have one employee who needs to have access to our office from outside. I could use VPN, but due to circumstances outside my control it will be difficult to get a VPN client installed and supported for this employee. So my second-best solution is to use a Guacamole server to allow remote access (RDP). A Guacamole server is a web-based (HTTPS) remote access server whereby people can log in through a web page and, based on the account I set up for them, have access to the internal resources I set up for them. I could add a port forward rule for our Guacamole server, but I thought I would try to add a second layer of security when someone accesses our network from outside. So I thought instead to do the following:

  1. Add a port forward rule for our Nextcloud server.
  2. Add rules inside our Nextcloud server so anyone accessing Nextcloud from outside our network cannot see or access any files or documents. From outside all they will be able to do is access an External Site (Nextcloud App) that provides a Guacamole server login.
  3. The outside client then logs into our Guacamole server and is able to access their assigned internal workstation (virtual machine).

It’s a bit convoluted, but I thought it would be interesting to try and see if I could set it up in this way. Only one point of entry to our network from outside. Double authentication to get to their workstation (first log in to Nextcloud, then log in to Guacamole).

Looking at the available rules I’m going to be testing the ‘Request remote address’ rule and see if this gives me the control I’m looking for.

I hope I’ve presented my use case clearly. If you have any further questions, please let me know.

Thank you.