Can anyone confirm that the following scenario is not possible with Nextcloud Group folders:
Two groups, Group A and Group B, should have different default permissions for a group folder.
Group A should be able to see all newly created subfolders of the group folder by default.
Group B should only be seeing the subfolders that it has been given access to.
If there are for example 30 subfolders of the group folder and Group B should only have access to 3 of those (subfolder1, subfolder2, subfolder3), then Group B needs read permissions to the group folder to be able to see subfolder1, subfolder2 and subfolder3. For all other subfolders Group B has to be denied all permissions. But if a new subfolder (subfolder31) is created in the group folder, Group B will have read access to it because of the read permission for the group folder. The situation gets a lot worse when you want Group B to only be able to see specific sub-subfolders, because then Group B will have read permissions for new folders on 2 directory levels by default, and so on for deeper nesting.
Is there any way to avoid this problem? Considering for example GDPR data protection regulation, this is a huge security risk because groups of people by default get access to data that they should not.
All that is needed to prevent this problem would be a default permission setting for the Advanced Permissions that in this case would prevent the default read access of Group B.
Is this assessment correct or am I missing something?
If I understand correctly you suggest not using group folders for Group B and instead use the normal Nextcloud share functionality. So the answer is that it is not possible with group folders and advanced permissions?
Using normal sharing additionally leads to a couple of undesirable problems:
Completely messes up the directory structure: Folders that are shared via group folder have to be accessed via normal directory structure, folders shared via normal sharing appear in the root folder of the shared-to user. Additionally, what happens when two shared folders have the same name?
Now 2 separate systems for giving people access have to be managed
No finegrained access control for subfolders of shared folders possible
No, I didn't mention sharing in any way. If you want a folder named "groupfolder" as parent, you just have to make sure that this folder exists for your users in Group B (e.g. put it in the skeleton directory).
Add "groupfolder" as groupfolder for Group A and "groupfolder/subfolder" for Group B.
Group B will only see this one subfolder.
I'm doing this for Templates since quite some time without any issues.
If I understand correctly, I would have to create a (nested) group folder for each subfolder that Group B should have access to?
And before that I would have to create the folder for each user of Group B? (Skeleton directory is not an option because the users already exist and there are many different groups that should have different access)
Thank you, I have tried and your suggestion is working for me!
It feels like a bit of a workaround, and manually creating the parent folder for each user might take a little bit for big groups, but this is the best solution that I have come across so far.
Thanks for sharing!!
To reiterate what worked for me, in case someone has a similar problem:
In Settings / Group folders I removed Group B from the parent group folder
For each user of Group B I manually created a folder with the same name as the parent group folder
After that, in Settings / Group folders I created new (nested) group folders for subfolder1, subfolder2 and subfolder3 below the parent group folder (parent group folder/subfolder1 etc.) and added Group B to those
As a result, subfolder1, subfolder2 and subfolder3 show up in the manually created folder for each user of Group B
I know this question was raised some time ago but I found a slightly different solution.
Create a group folder, let's call it "Library".
Assign GroupA and GroupB to use the Library and add GroupA to "Advanced Permissions".
Assuming you are a member of GroupA navigate to the Library folder and create a sub-folder.
In the new sub-folder details, under sharing, "Add advanced permission rule" selecting GroupB and DENY all "Read Write Create Delete Share".
Sorted... GroupB might be able to see the folder but not its contents. Then once you are ready to allow access just adjust "Advanced permissions" accordingly.
Thank you for your suggestion. Unfortunately that is not a viable option if I understand your suggestion correctly. Following your suggestion, every time someone creates a subfolder, that person has to remember to manually deny permissions. Since there are multiple people involved with different technical skill levels and they are mostly not using the web interface, this approach will not work in practice.
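As an added illustration (not from any poster in this thread and not Nextcloud's own code), the sketch below models the inheritance problem from the first post and the manual-deny approach discussed above, then audits a folder tree for subfolders Group B can read without being meant to. It assumes a simplified rule model in which the nearest rule on a folder or one of its ancestors wins; the function names and the sample folder tree are constructed.

```python
from pathlib import PurePosixPath

def can_read(path, group, base_read, rules):
    """Nearest rule on `path` or an ancestor wins; otherwise the group's
    base permission on the group folder applies (simplified model)."""
    p = PurePosixPath(path)
    for folder in (p, *p.parents):
        verdict = rules.get((str(folder), group))
        if verdict is not None:
            return verdict
    return base_read.get(group, False)

def exposed_folders(folders, group, allowed, base_read, rules):
    """Folders `group` can read although they are not inside an allowed folder."""
    allowed_paths = [PurePosixPath(a) for a in allowed]
    exposed = []
    for folder in folders:
        p = PurePosixPath(folder)
        intended = any(p == a or a in p.parents for a in allowed_paths)
        if not intended and can_read(folder, group, base_read, rules):
            exposed.append(folder)
    return exposed

# Constructed sample tree: 30 existing subfolders, 3 intended for Group B,
# plus two folders created later without anyone adding a rule for them.
EXISTING = [f"subfolder{i}" for i in range(1, 31)]
ALLOWED = ["subfolder1", "subfolder2", "subfolder3"]
NEW = ["subfolder31", "subfolder31/drafts"]

# Setup from the first post: Group B has read on the group folder and an
# explicit deny on each of the other 27 subfolders.
BASE_INHERIT = {"Group A": True, "Group B": True}
DENY_RULES = {(f, "Group B"): False for f in EXISTING if f not in ALLOWED}

# Default-deny variant: Group B has no read on the parent and is granted
# access only per allowed subfolder (modelled here as allow rules).
BASE_DENY = {"Group A": True, "Group B": False}
ALLOW_RULES = {(f, "Group B"): True for f in ALLOWED}

def audit():
    tree = EXISTING + NEW
    return (exposed_folders(tree, "Group B", ALLOWED, BASE_INHERIT, DENY_RULES),
            exposed_folders(tree, "Group B", ALLOWED, BASE_DENY, ALLOW_RULES))

if __name__ == "__main__":
    inherited, default_deny = audit()
    print("exposed with inherited read:", inherited)
    print("exposed with default deny:  ", default_deny)
```

Run against a real folder listing, the first result is the list of folders that still need a deny rule; the second stays empty no matter how many new folders appear.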
Hello Xhesheng,
Would you please elaborate on how to put users in Group B in the skeleton directory? Can I do it on the web interface? Thank you so much!
As far as I know, you cannot define a skeleton for specific groups. Skeleton files/directories will be added for all new users.
If you need specific folders for a defined group of users, you'll probably need access to the command line.