Group folders - setting restrictive advanced permissions impossible?

Can anyone confirm that the following scenario is not possible with Nextcloud Group folders:

Two groups, Group A and Group B, should have different default permissions for a group folder.
Group A should be able to see all newly created subfolders of the group folder by default.
Group B should only be seeing the subfolders that it has been given access to.

If there are for example 30 subfolders of the group folder and Group B should only have access to 3 of those (subfolder1, subfolder2, subfolder3), then Group B needs read permissions to the group folder to be able to see subfolder1, subfolder2 and subfolder3. For all other subfolders Group B has to be denied all permissions.
But if a new subfolder (subfolder31) is created in the group folder, Group B will have read access to it because of the read permission for the group folder. The situation gets a lot worse when you want Group B to only be able to see specific sub-subfolders, because then Group B will have read permissions for new folders on 2 directory levels by default, and so on for deeper nesting.

Is there any way to avoid this problem? Considering for example GDPR data protection regulation, this is a huge security risk because groups of people by default get access to data that they should not.

All that is needed to prevent this problem would be a default permission setting for the Advanced Permissions that in this case would prevent the deault read access of Group B.

Is this assessment correct or am i missing something?

Just don’t add Group B to the parent groupfolder! It’s enough to add Group B to the subfolders as required.

If i understand correctly you suggest not using group folders for Group B and instead use the normal nextcloud share functionality. So the answer is that it is not possible with group folders and advanced permissions?

Using normal sharing additionally leads to a couple of undesirable problems:

  • Completely messes up the directory structure: Folders that are shared via group folder have to be accessed via normal directory structure, folders shared vie normal sharing appear in the root folder of the shared-to-user. Additionally, what happens when two shared folders have the same name?
  • Now 2 seperate systems for giving people access have to be managed
  • No finegrained access control for subfolders of shared folders possible

No, I didn’t mention sharing in any way. If you want a folder named ‘groupfolder’ as parent, you just have to make sure, that this folder existst for your users in Group B (e. g. put it in the skeleton directory).
Add ‘groupfolder’ as groupfolder for Group A and ‘groupfolder/subfolder’ for Group B.
Group B will only see this one subfolder.

I’m doing this for Templates since quite some time without any issues.

Oh, then i misunderstood.

If i understand correctly, i would have to create a (nested) group folder for each subfolder that Group B should have access to?
And before that i would have to create the folder for each user of Group B? (Skeleton directory is not an option because the users already exist and there are many different groups that should have different access)

Correctly!
If that isn’t an option, you need to separate the parent groupfolders for your individual groups.

Thank you, i have tried and your suggestion is working for me!
It feels like a bit of a workaround, and manually creating the parent folder for each user might take a little bit for big groups, but this is the best solution that i have come across so far.
Thanks for sharing!!

To reiterate what worked for me, in case someone has a similar problem:

  • In Settings / Group folders i removed Group B from the parent group folder
  • For each user of Group B i manually created a folder with the same name as the parent group folder
  • After that, in Settings / Group folders i created new (nested) group folders for subfolder1, subfolder2 and subfolder3 below the parent group folder (parent group folder/subfolder1 etc.) and added Group B to those
  • As a result, subfolder1, subfolder2 and subfolder3 show up in the manually created folder for each user of Group B