Limiting access of external "apps/clients" to a limited folder or even file


I would like to use Nextcloud for providing access to my KeePass database and I am looking for the best approach to the use case in terms of security - the external KeePass apps (Android, Windows, Linux desktops) should “remember” the access credentials so that I do not have to type them again and again…

So far, the alternatives seem to be

  1. setup of “application password” within NC is certainly useful, but yet, if the password is compromised, the attacker has access to my complete Nextcloud until I revoke the pswd.
  2. create a new user only for “keepass” app and share the kdbx file from my personal NC to this user. This seems a bit clumsy, though, since the number of special purpose users would grow with each external app with limited access…

Is there any other way to provide WebDAV access only to a particular file with read/write permission to external apps?

EDIT: ad point 2) this does not really work - at least KeePass (Windows) first saves keepass.dbkx.tmp, then removes the original keepass.dbkx and eventually renames keepass.dbkx.tmp to keepass.dbkx. The second step (deletion) effectively disables the sharing link from the original user. So, the only option would be to keep the keepass.dbkx completely separate in another user profile of NC.

With file access control perhaps? Take mime-type or tagging to select file, then restrict the client via user agent. Unfortunately, there is no selector for app passwords (and it would be great to be able to set such an option on a user level:

So currently, I don’t see any other options than the ones you already mentioned.

OK, file access control might help a bit, but other apps would remain open (CardDAV and CalDAV in my case). I will watch the feature request to see progress, if any, and set up a dedicated user meanwhile.

Thanks for the response.