I’m managing a Nextcloud instance in a corporate environment and I’m facing a significant challenge related to file and folder organization.
We have a master folder structure, which was carefully designed to organize documents and workflows across different departments (Accounting, Tax, DP, Finance, etc.). The problem is that, by granting “Write” permissions, users can not only edit or create files, but also accidentally move folders or subfolders, causing significant confusion and reorganization.
In many cases, users intend to simply save or update a file, but by accidentally dragging it, they end up moving an entire folder into another. This compromises the integrity of the structure and risks losing context or work history.
Therefore, I’m looking for a way to “freeze” the folder structure, i.e.:
* Allow users to edit existing files (e.g., update a spreadsheet or PDF).
* Allow users to add new files to predefined folders.
* But prevent them from creating, moving, or renaming folders.
As far as I could tell, using Group Folders, there’s no granular permission to specifically restrict folder movement, as the “Write” permission covers both file creation/editing and folder move/renaming.
Has anyone experienced a similar situation? Is there an additional app, setting, or workaround (even using File Access Control or another method) that allows you to protect the folder structure and prevent unintentional changes?
I would greatly appreciate any experiences or ideas you could share.
There seems to be a new app that is trying to solve this issue:
Nextcloud has file access control:
For the moment, I don’t know how to achieve that behavior, but you might imagine a development to allow this.
What you can do as an alternative is use the ACL settings of your Linux system on some external storage. Either include this globally by an admin user (just external storage for the www-data user) or for each individual user (via SFTP) for even more granular settings (you need to replicate the user structure in this case onto your Linux system).
That may be a problem for you, as it is so easy to drag a folder in your File Explorer and put it somewhere, much easier than doing it in the web UI. My customers were doing the same quite often, e.g. picking some files to move and accidentally picking a subfolder, or just accidentally picking a folder and moving it into a subfolder, etc.
So, when you lock them out of doing that on the server (remote) level, they will run into another issue: having moved a read-only subfolder, syncing will result in a sync error. I do not know about your users, but my customers do not even read the errors, let alone understand them; they just cry that "my files are not syncing".
The only solution I’ve been able to come up with is to use group folders for the main structure. If you accidentally move it, it is copied, but not deleted.
It should be noted that if a user is granted access to a folder of level 2 and above, without access to the first level, then the 1st level is displayed as a personal folder, and there have been cases when users have saved files there.
Exactly! My users are very ignorant. They have no idea they’ve done anything wrong. So it’s a bad-faith mistake. That’s why I need to organize the tool so it doesn’t allow them to do this.
Your idea is very clever. In my case, it won’t be practical. My biggest difficulty isn’t deleting files, but moving them to the point where I have three or four identical structures replicated due to user error.
@guilhermerenz89 In my opinion there’s only one solution which may help you to overcome this case: to use WebDAV in your users’ standard or separate file explorer. This protocol is slow, but it won’t allow your users to make these kinds of mistakes, imao.
Mounts file system using the WebDAV protocol. Dependencies: This app requires the .NET runtime for operation. You can edit and manage documents located on your WebDAV server in Windows Explorer. Enables opening documents for editing directly from the web page and saving back to the server without download and upload steps.