How to use advanced permissions without inheritance?

Nextcloud 24.0.2 here.

I have a group folder for managing a few connected companies together. There is a directory structure like this:

The top-level directory “Companies” is assigned to many groups.
Inside this group folder, there are 3 other folders specific to individual companies like “Company A”, “Company B”… These folders have advanced permissions to deny all access to everyone.

Because I want departments to access corresponding files only. Like all company files are here but HR staff accesses only HR folder in it and so on.

Now what I do is deny access to all groups on the “Companies” group folder. Then, for example, allow read access to the “HR” folder in “Company A” to the group “HR Team Of Company A”. Like this:

Companies (access denied to everyone) → Company A (access denied to everyone) → HR (access granted to HR group of Company A)

But they don’t get to access this folder with this structure. I think Nextcloud always recognizes the deny setting over the allow setting when inherited. Now I don’t understand what the point of the “inherit” setting in advanced permissions is if it will always be inherited anyway. I know this is a decision to make: which should be superior, allow or deny? I don’t judge of course, I just want to learn how I can manage this scenario.

P.S.: There is also a “Share” option available (as in all folders). But this has two drawbacks:

  • It discards the whole idea of group folders. It is like sharing a folder I own.
  • Teams don’t see the proper directory structure, which is vital when managing multiple companies.

Anybody, no one?

Sorry, I cannot really help you. But I think it is not a good idea to define a parent directory “Companies”. I think I would define the group folders “Company A”, “Company B” and “Company C” on the upper directory (home). Maybe you can solve or minimize your problem by dispensing with a folder level.

Thank you, but that doesn’t change anything. The scenario you offer has the exact same problem. Let’s say I made “Company A” and “Company B” directories. I still cannot give people access only to their department folder. I still have to give access to all of the Company A folder.

The only thing I can do with this scenario is to give everyone access to the “Company A” folder and deny access to each folder in it to everyone unless they are of that department. I think that’s the only way now.

Well, now I tried, but that’s not a viable option either… Because allow access is superior to deny access. So in fact this is not an advanced permission option. Say for example there is a “Company A” group folder. I give access to everyone in this company for this folder. Then in this folder there are department folders like “Finance”, “Human Resources”, “IT” etc. Each department (as a user group) has access to only its corresponding subfolder.

But when it comes to making an exception for a person in a group, you can’t “advanced manage” that permission. For example, there is an accounting office which you work with and which is outside your company, and they have access to the root Company A folder as they are in the “Accounting” user group.

Now this accounting user group also includes the company’s own pre-accounting staff too. While this staff needs access to some other folders as well; the accounting office outside the company shouldn’t be able to see all subfolders.

But when you give “read” permission to the accounting group, you cannot deny access on a subfolder for someone in this group. So what’s the point of advanced permissions now? :roll_eyes:

You can say that I can separate the user groups like “Accounting Office” and “Pre-Accountancy”. But you can’t make separate groups for every exception and even if you do, they will surely collide at some point.

I know this memo is too long, but this is feedback to let the devs know that advanced permissions need reconsideration if you are not managing everything in small groups with no exceptions and with a small set of files only. Because when the files/folders and the users grow, permission management becomes ineffective and useless.

Edit: Allow access overrides deny access, but NOT always consistently. There is really a consistency problem here. Now I try to fit Nextcloud’s logic, but there is no way to go. I cannot allow write access to a user group for a subfolder if they are denied write on the root folder. That means in some places allow overrides deny and in other places vice versa. This way you can’t be sure who has access to what.

Allowing read access to the root folder and then denying access to each subfolder, I accepted that, ok… But allowing write access to the root folder is not logical when you want to let a group write only to a subfolder.

1 Like
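To reason about the two layouts discussed above, here is a small Python model of per-folder group ACLs, added as an illustration and not code from this thread or from Nextcloud. It assumes the combination behaviour the thread observes: rules for a user's several groups are OR'd at one level (an allow beats a deny), a rule on a subfolder overrides only the bits it masks and everything else inherits, and a folder is only reachable when every ancestor is readable; the READ/WRITE bits and the “everyone” stand-in group are constructed for the model.

```python
from collections import namedtuple

# Constructed, simplified model of per-folder group ACLs (not Nextcloud's own code):
# a rule decides only the bits in its mask; undecided bits inherit from the parent.
READ, WRITE = 1, 2
ALL = READ | WRITE
# Rule(path, group, mask, perms): path inside the group folder ("" = the folder itself),
# the group the rule applies to, the bits it decides, their value (set = allow, clear = deny).
Rule = namedtuple("Rule", "path group mask perms")

def chain(path):
    """Root first, then each ancestor, ending with the path itself."""
    parts = [p for p in path.split("/") if p]
    return [""] + ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective(rules, groups, path, inherited=ALL):
    """Per level: OR the rules of all the user's groups (any allow wins over a deny),
    then overwrite only the masked bits of what was inherited from the parent."""
    perms = inherited                      # what the group folder assignment grants
    for p in chain(path):
        level = [r for r in rules if r.path == p and r.group in groups]
        if not level:
            continue                       # no rule here: plain inheritance
        mask = allowed = 0
        for r in level:
            mask |= r.mask
            allowed |= r.perms & r.mask
        perms = (perms & ~mask) | allowed
    return perms

def can_browse_to(rules, groups, path):
    """Assumption: a folder is only reachable if every ancestor is readable."""
    return all(effective(rules, groups, p) & READ for p in chain(path))

# Thread's first layout: "Companies" root and "Company A" denied to every assigned
# group ("everyone" is a stand-in for that), HR allowed only on the HR folder.
HR_RULES = [
    Rule("", "everyone", ALL, 0),
    Rule("Company A", "everyone", ALL, 0),
    Rule("Company A/HR", "HR Team Of Company A", READ, READ),
]
# Second layout: "Company A" is the group folder; the accounting office and the
# in-house pre-accounting staff share "Accounting", staff also has its own group.
ACCT_RULES = [
    Rule("", "Accounting", READ, READ),
    Rule("Payroll", "Accounting", READ, 0),
    Rule("Payroll", "Pre-Accounting", READ, READ),
]
```

In the first layout the model grants READ on the HR folder itself yet no browsable path to it, because both ancestors deny read; in the second, the deny on Payroll for “Accounting” is undone for users who are also in “Pre-Accounting”, which is the separate-group workaround the thread mentions.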

Your analysis is completely correct.
These are serious permission problems.
Denying permissions to subfolders is completely necessary.
I’m waiting for an update to fix it.