I set up nextcloud for my students to upload their papers / homework.
I set up a user account for each student with folders for the different courses. Each course folder is shared with the respective teacher for wich I also set user accounts. Teachers can add files but not delete or change files.
As an admin I would like to have a view where I can see all folders/files of all users. I expected to see all those in my (admin) account but I only see my own folders.
Does every user have to share each folder/file with the admin user that I can see the data?
I think it would be a huge security risk if an netxcloud admin could see all folders and files of his users. so in my opinion it is not possible and it should be not possible.
The short answer to your question, no Admins don’t have full view from page.
I think a better approach to what you’re trying to do (and since all the accounts have been setup) is to organize things via groups. Meaning all student accounts belong to Student Group, all teachers belong to Teacher Group, and then maybe even go further and assign Math teachers to belong to Math Teacher Subgroup, etc…and then…
Create folders under Admin account and share with them (this way you have full view because you’re owner of the folder(s), and also because you’re the one sharing, you control all permissions - preventing deletions etc).
English - shared with Student Group, English Teacher Group, + optionally any additional individual account
Math - shared with Student Group, Math Teacher Group, + optionally any additional individual account
General - shared with Student Group, Teacher Group, + optionally any additional individual account
Also, if you have access to the computer Nextcloud is running on, you can view any folders/files located under /var/www/nextcloud/data/…
I do similar to this scheme for managing these sort of shares, and extend it a bit where quota restrictions are needed. For this school example, I might have a “share owning” account for each department:
EnglishDept
GermanDept
MathsDept
ScienceDept
…
then give each of those users the amount of disk quota I will let them use. Give the account/password to whoever is responsible for managing the department organisation (in a small place it might be just 1 admin/office person who has them all).
Then create the various folders to share with Student+Teacher(s), like Raegar describes.
The files end up all being “owned” by “EnglishDept” etc, and thus come off “EnglishDept” overall quota, rather than being “charged” to the Teacher or Student that happened to create the file.
If you want a single “admin” user to see all the shares, then you can of course share “ReadOnly” with that “admin” user or group also - but often it will work for each department to just manage and see their own shares.
You could (theoretically) setup an “external” storage location which is really an SSH tunnel to the Nextcloud folder location that is just local. This requires you have SSH access to a dedicated server and you’re not in a shared hosting environment. On your own server, you must also have it locked down with some kind of mitigation methodology to protect against bruteforce attacks (eg, fail2ban or some other method, configured to look for NextCloud login attempts-not just the NC bruteforce app), and layer yourself with port blocking (only allow 80/443 into your external firewall).
This takes a LOT of security knowledge and is still a BIG RISK. Another option is to require sharing to be enabled across all users (each user MUST share their root home folder to be compliant, or be disabled as non-compliant).
Keep in mind opening yourself and your users up like this severely violates security best-practice and you had better have a damn good password on your account (eg, KeePass or LastPass randomly generated LONG and random password), not be socially engineered, AND have TOTP (two factor) enabled. Also DO NOT USE the admin account for such purposes.
This kind of function would be similar to auditing functions required by some industries where an auditor must see all files but in a read-only fashion. Do not use the well known admin account for this purpose.
Be aware of how doing any of this is NOT advised from a security standpoint.
John_Shotton, it also works fine in NC 14. I just looking for an option, so only admins can see the external storage link. At the moment i have the admin group allowed to join the Users directory by using the external storage link, but for another non admin group the link “external storage” is also visible, but without showing the Users directory. Is it possible to hide the external storage link from menu to non admin groups?
Unfortunately this solution does not seem to work with my setup – I have AWS S3 set as my primary storage, and therefore it appears that the data itself is not hosted at /mnt/clouddata
Does anyone have any ideas on how to modify this solution for an implementation where S3 is being used as primary storage? Many thanks in advance for any insights.
Does anyone have any ideas on how to modify this solution for an implementation where S3 is being used as primary storage? Many thanks in advance for any insights.
I don’t think it’s possible using the primary storage config
My question is the opposite. Is it possible for an admin to not be able to see the files? If the files are encrypted, would the admin have access to the decryption keys/salt?