File Access Control Issue

I’m using NextCloud 10 and having some problems with the file access control.

I have one folder shared to a big group of people. In the folder, there are two sub-folders: FolderA and FolderB. There are two sub-groups of the people: GroupA and GroupB. There’s also an administrator group, GroupAdmin.

I want to set up the file access control rules to achieve the following:

a. Only GroupA and GroupAdmin can access FolderA.
b. Only GroupB and GroupAdmin can access FolderB.

The plan is to tag FolderA with TagA and FolderB with TagB. Then, in file access control, set up two rule groups:

  1. RuleGroupA

“File system tag” is tagged with TagA;
“User group membership” is not member of GroupA;
“User group membership” is not member of GroupAdmin;

  2. RuleGroupB

“File system tag” is tagged with TagB;
“User group membership” is not member of GroupB;
“User group membership” is not member of GroupAdmin;

After saving these rule groups and refreshing the file access control page, some rules are missing. RuleGroupA seems OK, but RuleGroupB is missing the last rule.

My question: is it possible to have two rules of the same type within one rule group? It seems partially working.

Another question: is it possible to use file access control to restrict a user to read-only access to a folder?

Thanks.

@nickvergessen can you help out?

No, the access control is an all-or-nothing setting.

Your rules look good; make sure to press the “Save” button before refreshing the page, then it should work like that.

I pressed the Save button.

When there’s only one rule group, it works. When there are multiple rule groups, only one rule group can have two rules of the same kind, “User group membership”.

Works fine here. Can you check the flow_checks table in the database, to see if it contains an entry for all checks?

I checked the oc_flow_checks table, and it looks confusing. Some rules have already been deleted but are still in the table. The first 26 lines in the table should probably be gone because they were deleted.

Some of the FileSystemTags referenced in oc_flow_checks have been deleted as well.

BTW, how are the rules in oc_flow_checks grouped into a Rule Group?

mysql> select * from oc_flow_checks;
+----+----------------------------------------------+----------+-----------------------------+----------------------------------+
| id | class                                        | operator | value                       | hash                             |
+----+----------------------------------------------+----------+-----------------------------+----------------------------------+
|  1 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 5                           | e7da1960861ea608db49a1561c881742 |
|  2 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | TeamSika                    | a1c3587fff3bb57b1a44e62b99c36682 |
|  3 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 4                           | 4044886033bd1ef01080e33541dddd7b |
|  4 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | TeamLvluo                   | da7c0327ef23d1fa3b3799a88c14e3f5 |
|  5 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 3                           | 278fbe99bfb62a454f1806123fd052f2 |
|  6 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | TeamJack                    | c0f8782f1311a963d9ce107653d9cb3d |
|  7 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*Project\/SIKA.*/         | db4000d6bcda433c78c9a969d638d854 |
|  8 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | admin                       | 5b5a06b29ea2c5316d8fffa9065979ac |
|  9 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*\/Projects\/SIKA/i       | c373b7b82c953f9564a9e5a457ca6454 |
| 10 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*\/Projects\/template.*/i | 6030317b7be5e648c9dd3a8d5cb6f891 |
| 11 | OCA\WorkflowEngine\Check\UserGroupMembership | is       | TeamSika                    | 29078ad4af85709c23753d4277a55def |
| 12 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*\/Projects\/SIKA.*/i     | 576cc62aa98006a60a49e4e9319672e3 |
| 13 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*\/Projects\/JACK.*/i     | 1f1b05be9455f385ce475456f5a6535d |
| 14 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*\/Projects\/Lvluo.*/i    | 56cb4d45ee775ad767368bdad49ae510 |
| 15 | OCA\WorkflowEngine\Check\UserGroupMembership | is       | admin                       | ff997d826c7f04d74cb0bd1482e6afd8 |
| 16 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*\/Projects$/i            | 5547a7ad5b0ca5b032be2c00c2e16bc0 |
| 17 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | TeamSplitter                | f4e206647158cf0729deb684f451c0a8 |
| 18 | OCA\WorkflowEngine\Check\RequestURL          | matches  | /.*\/Projects\/Splitter.*/i | 5cff7e88b40b0ba1b900af7ff37ede43 |
| 19 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 9                           | e3e5109e9a36a6fef2f7947eeec96425 |
| 20 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | DepartmentSoftware          | edcc2866a1eec76ca5a14fb51a1d974d |
| 21 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 10                          | d73b9ef3dd1dc7d94e67c6c01f12f4ef |
| 22 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | DepartmentHardware          | 510e47b5d263e828769ab51ef561e153 |
| 23 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 18                          | 3c7397b3f96797850002c3a7fa80d7bb |
| 24 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | DepartmentAdmin             | e35c9e280c2712700f13ad927eea6b9b |
| 25 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 17                          | 09323c86f58d3b4ff0ef9f530d5e8e52 |
| 26 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | DepartmentQA                | c56070f866c522ca3fb6947096730178 |
| 27 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncSW                      | 25323a86f7eabfb4b4e3dd1276e601dd |
| 28 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncHW                      | ca206a44452f3e158c3bf8322860434a |
| 29 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 24                          | 1b90df6cff5c6f8c0d4a09387dfc79c3 |
| 30 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncPM                      | 6e88911bc0e54749acbe65c4fb317b06 |
| 31 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncQA                      | 86333fff46cafe94e9010c0adc4ab674 |
| 32 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 21                          | 028bd068c9dc21fb739a546198075b37 |
| 33 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncRA                      | bde4ec1a7995e4edefc5c4a24aacfd2a |
| 34 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 19                          | 8dac5389a529e0e8952f85e70d4df4cb |
| 35 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncME                      | 9f2657923add689e93b95ab3284b9287 |
| 36 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 22                          | 5bebc050f6628a38d2b558a338615cb5 |
| 37 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncMP                      | 4a7a32a3b796ff342a313c5d5a163bd8 |
| 38 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncSCM                     | a6d06cb04dfe3efc83b1f5bc641378f1 |
| 39 | OCA\WorkflowEngine\Check\FileSystemTags      | is       | 23                          | f806cf03efc7976b55c209c205004ebd |
| 40 | OCA\WorkflowEngine\Check\UserGroupMembership | !is      | FuncAdmin                   | d9132f203ba6db0bb8080f05de252639 |
+----+----------------------------------------------+----------+-----------------------------+----------------------------------+
40 rows in set (0.00 sec)

That’s done via the oc_flow_operations table.

About the old rules: yes, they are kept at the moment and will be cleaned up by a repair step in the future, after updates, because they don’t really hurt.

Can you tell me which check you actually want to have? (replace the group names with the real group names)
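To make the grouping and the evaluation semantics concrete, here is an added Python model of how File Access Control assembles a rule group from the two tables and decides whether a request is denied. It is example code written for this thread, not code from Nextcloud, the app, or anyone in the discussion. It assumes that `oc_flow_operations` has a `checks` column holding a JSON array of `oc_flow_checks` ids (that is the link the reply above refers to), that a rule group denies access only when every check in it matches, and that access is denied if any group matches. The rows are constructed to mirror the RuleGroupA/RuleGroupB setup from the question; the check classes, operators and the PHP-style regex in the `RequestURL` check are the ones visible in the table dump. The `as saved` list reproduces the reported symptom (RuleGroupB without its “not member of GroupAdmin” check), and the model shows the consequence: the group becomes more restrictive, so GroupAdmin members are locked out of FolderB rather than anyone gaining access. It also lists checks no operation references (the leftover rows the reply says a future repair step will clean up) and checks shared by more than one group.

```python
"""Added example: reconstruct File Access Control rule groups from the
oc_flow_checks / oc_flow_operations tables and evaluate them.
Assumptions (not from the thread): oc_flow_operations.checks is a JSON array
of check ids; a group denies access only when ALL its checks match; any
matching group denies. All rows below are constructed sample data."""
import json
import re
from dataclasses import dataclass

# constructed oc_flow_checks rows: id -> (class, operator, value)
CHECKS = {
    1: ("OCA\\WorkflowEngine\\Check\\FileSystemTags", "is", "5"),          # TagA
    2: ("OCA\\WorkflowEngine\\Check\\UserGroupMembership", "!is", "GroupA"),
    3: ("OCA\\WorkflowEngine\\Check\\UserGroupMembership", "!is", "GroupAdmin"),
    4: ("OCA\\WorkflowEngine\\Check\\FileSystemTags", "is", "4"),          # TagB
    5: ("OCA\\WorkflowEngine\\Check\\UserGroupMembership", "!is", "GroupB"),
    6: ("OCA\\WorkflowEngine\\Check\\RequestURL", "matches", r"/.*\/Projects\/SIKA.*/i"),  # leftover
}

# constructed oc_flow_operations rows: (id, name, checks JSON) as the symptom was reported
OPERATIONS = [
    (1, "RuleGroupA", json.dumps([1, 2, 3])),
    (2, "RuleGroupB", json.dumps([4, 5])),        # "!is GroupAdmin" check missing
]
# the same two groups as the question intended them (check 3 shared by both)
FIXED_OPERATIONS = [
    (1, "RuleGroupA", json.dumps([1, 2, 3])),
    (2, "RuleGroupB", json.dumps([4, 5, 3])),
]


@dataclass
class RequestContext:
    user_groups: set        # group ids of the requesting user
    file_tags: set          # system tag ids on the file or any parent folder
    request_url: str = ""


def _php_regex(value):
    """Translate a PHP '/pattern/flags' string (as stored for RequestURL) to a Python regex."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", value, re.S)
    if not m:
        raise ValueError(f"not a PHP-style regex: {value}")
    return re.compile(m.group(1), re.I if "i" in m.group(2) else 0)


def check_matches(check, ctx):
    cls, op, value = check
    negate = op.startswith("!")            # "!is" / "!matches"
    op = op.lstrip("!")
    if cls.endswith("FileSystemTags"):
        hit = value in ctx.file_tags
    elif cls.endswith("UserGroupMembership"):
        hit = value in ctx.user_groups
    elif cls.endswith("RequestURL"):
        hit = (_php_regex(value).search(ctx.request_url) is not None
               if op == "matches" else value == ctx.request_url)
    else:
        raise ValueError(f"unmodelled check class {cls}")
    return not hit if negate else hit


def rule_groups(operations, checks):
    """Resolve each operation's id list into check tuples: that list IS the rule group."""
    groups = {}
    for _op_id, name, checks_json in operations:
        ids = json.loads(checks_json)
        missing = [i for i in ids if i not in checks]
        if missing:
            raise KeyError(f"{name} references deleted check ids {missing}")
        groups[name] = [checks[i] for i in ids]
    return groups


def orphan_checks(operations, checks):
    """Check rows no operation references (left behind after deleting a rule group)."""
    referenced = {i for _, _, cj in operations for i in json.loads(cj)}
    return set(checks) - referenced


def shared_checks(operations):
    """Check ids referenced by more than one rule group."""
    seen = {}
    for _, name, cj in operations:
        for i in json.loads(cj):
            seen.setdefault(i, []).append(name)
    return {i for i, names in seen.items() if len(names) > 1}


def blocking_groups(operations, checks, ctx):
    """Names of rule groups whose checks ALL match; any such group denies access."""
    return [name for name, group in rule_groups(operations, checks).items()
            if all(check_matches(c, ctx) for c in group)]


def is_blocked(operations, checks, ctx):
    return bool(blocking_groups(operations, checks, ctx))


if __name__ == "__main__":
    admin_on_folder_b = RequestContext(user_groups={"GroupAdmin"}, file_tags={"4"})
    print("as saved:", blocking_groups(OPERATIONS, CHECKS, admin_on_folder_b))       # ['RuleGroupB']
    print("intended:", blocking_groups(FIXED_OPERATIONS, CHECKS, admin_on_folder_b))  # []
    print("orphans: ", orphan_checks(OPERATIONS, CHECKS))                             # {6}
```

Running the script against a real instance means replacing the two constructed dicts with the output of `SELECT id, class, operator, value FROM oc_flow_checks` and `SELECT id, name, checks FROM oc_flow_operations`; the `orphan_checks` result is the set of rows the thread calls leftovers, and `rule_groups` raising `KeyError` would mean an operation points at a check row that no longer exists, which is the inverse and more serious inconsistency.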

I face the same issue using a cloud account on ocloud.de.

The scenario is as indicated by the group names above: members of a group shall not have access to a folder with a certain tag, but group admins shall have.

When saving a rule group everything looks fine, but when coming back to review the rules, the first rule group is fine, but starting with the second group, only one rule using group membership has survived.