How to suppress permissions within a shared directory

Hi,

I have a directory shared with people via groups (or with individuals).
Hence all the directories and files within are also shared with the same people.

I would like to restrict access to one folder (or one file) to a limited number of people (hence to override the permissions set by the container directory).

Can I do this?
How?
Maybe with a plugin?

Thank you for your help.
– Laurent

Nextcloud version (eg, 12.0.2): 13.0.5

AFAIK permissions are inherited from the parent directories being shared. You are using a Top-down sharing strategy, but I think in your case it would be better to use a bottom-up strategy. Start with the file/folder with the most specific sharing permissions you want, and go up from there. Does this make any sense?

You could do this with the app File Access Control.

Let’s say you have the users Alice and Bob. Both are in a group “Family”.
You share a folder with the group Family.
Now, to prevent Bob from accessing the subfolder “Not for Bob”:

  • Create a collaborative tag “Not Bob” and tag the “forbidden folder” with this tag.
  • Put Bob in a group called “Bob”

Now you can use the file access control (in the admin UI) with the following rules:

  • User group membership - is member of - “Bob”
  • File system tag - is tagged with - “Not Bob”

It’s not a very clean workflow, but it works. Only drawback: the user who should not have access to the “forbidden” folder still sees it in the files app. Only when he tries to access the file/folder will he get an error message.

It would be easier to split the shares and share with different users/groups.

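A simplified model of the two-condition rule described in the answer above, added here as an example (it is not code from the thread or from Nextcloud). It assumes the tag condition also covers items inside the tagged folder; the paths, the sample users and the `audit` helper are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample data mirroring the post: two users, the share group,
# the extra single-user group, and one tagged subfolder.
GROUPS = {"alice": {"Family"}, "bob": {"Family", "Bob"}}
SHARE_GROUP = "Family"
TAGS = {"/Shared/Not for Bob": {"Not Bob"}}
FILES = [
    "/Shared/photos.jpg",
    "/Shared/Not for Bob",
    "/Shared/Not for Bob/budget.ods",
]

# One deny rule: access is blocked only when BOTH conditions match.
DENY_RULE = {"group": "Bob", "tag": "Not Bob"}


def effective_tags(path):
    """Tags on the path itself or on any parent folder (assumed inheritance)."""
    node = PurePosixPath(path)
    tags = set()
    for candidate in [node, *node.parents]:
        tags |= TAGS.get(str(candidate), set())
    return tags


def can_list(user, path):
    """Listing follows the share alone, so a blocked item stays visible."""
    return SHARE_GROUP in GROUPS.get(user, set())


def can_access(user, path):
    """Share membership grants access unless the deny rule matches fully."""
    if not can_list(user, path):
        return False
    in_group = DENY_RULE["group"] in GROUPS.get(user, set())
    tagged = DENY_RULE["tag"] in effective_tags(path)
    return not (in_group and tagged)


def audit(user):
    """Return (visible, blocked) paths so a rule can be reviewed per user."""
    visible = [f for f in FILES if can_list(user, f)]
    blocked = [f for f in visible if not can_access(user, f)]
    return visible, blocked
```

For Bob, `audit` returns every path as visible and the tagged folder plus its contents as blocked, which is the drawback the answer mentions: names remain visible even though access is denied.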

Thx for your answer StarFish
In my case I’m afraid it will not work. I’m using “shared folders” for facilities. Several people share all the data by default (e.g. school group, wine club). And eventually I must prevent all others/some from seeing the files or folders (e.g. financial data).

The File Access Control app seems closer to my need.
Thank you for the suggestion. I’ll check.

Though, from what I see, I must use groups. Hence it requires some admin tasks and must be done differently for every different case.
I’ll check, but I’m afraid it will not be very practical, and that it will not be really available to “simple users”.