Nextcloud 16 implements Access Control Lists to replace classic File Servers

Originally published at: https://nextcloud.com/blog/nextcloud-16-implements-access-control-lists-to-replace-classic-file-servers/


While Nextcloud is often used in companies to replace aging ‘shared folder’ solutions like a Windows Network Drive, the sharing model modern Dropbox-like solutions use is very different. Rather than a single, fixed folder structure available to all users and tightly controlled by IT, users have their own view on their data and can share files and folders at will with others, who will receive shared files in their home file view.

As this release brings so many improvements, we’ve written 4 other blogs with more details about the main features:


The old and new ways of sharing

A major difference between the folder tree ruled by system administrators and the user-centric view is the use of access control lists (ACLs) in the ‘old’ world. These allow an admin to share a folder with all users while changing the access rights on subfolders, on the folders inside those, and so on. This makes it possible to have read-only access to a top folder, write access to a subfolder, read-only access to a folder inside that, and so on. Nextcloud can give users access to a Windows Network Drive as external storage and respects these ACLs, but does not otherwise expose them for manipulation.

Nextcloud 16 introduces support for ACLs in group folders. System administrators can set specific access rights on every file and (sub)folder in a group share. These are inherited by default, so a ‘no write access’ for a specific user or group will apply to all files and subfolders, unless overridden again by the system administrator.

Available for configuration are Read, Write, Create, Delete and Share permissions, each of which can be set to ‘inherit’, ‘allow’ or ‘deny’ for each user or group for each file and (sub)folder in a group share.

How it works

To set up a group folder with ACLs, the administrator enables the Group Folders app, creates a group folder and selects the groups who should have access to it. Make sure the admin who has to set up the permissions is included. Then, enable the ‘advanced permissions’ setting.

In the Files app, go to the group folder and look at the sharing view. There will be a group folder permissions view, where you can specify permissions. Use the ‘Add advanced permission rule’ button to add a rule.

You now pick from a list of all groups and users who have access to the group folder and can then set the fine-grained permissions. Note that ‘inherit’ is default, and by removing the rule with the ‘x’ on the right you can return to the permissions inherited from the parent folder.

Users can see what their rights are, but not modify them.

2 Likes
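
The inheritance model described in the post (five permissions, each set to ‘inherit’, ‘allow’ or ‘deny’ per folder, with deeper rules overriding inherited ones) can be sketched as follows. This is an added example, not part of the original post and not Nextcloud's own code; the rule format, the `staff` group, the paths and the function names are assumptions, and it resolves one user or group at a time without modelling how rules for several groups are combined.

```python
from pathlib import PurePosixPath

PERMS = ("read", "write", "create", "delete", "share")

# Constructed sample rules for one group ("staff"); paths are relative to the
# group folder root. A permission that is not listed is left on 'inherit'.
RULES = {
    ("/", "staff"): {"write": "deny", "create": "deny", "delete": "deny"},
    ("/drafts", "staff"): {"write": "allow", "create": "allow"},
    ("/drafts/archive", "staff"): {"write": "deny", "create": "deny"},
}

def effective(rules, principal, path, base=None):
    """Return {permission: bool} for `principal` on `path`.

    base is what the group folder itself grants (assumed here: everything).
    """
    result = dict(base) if base else {p: True for p in PERMS}
    target = PurePosixPath(path)
    # Walk root -> target so a rule on a deeper folder overrides inherited state.
    for node in list(target.parents)[::-1] + [target]:
        for perm, state in rules.get((str(node), principal), {}).items():
            if perm not in PERMS or state not in ("allow", "deny"):
                raise ValueError(f"bad rule on {node}: {perm}={state}")
            result[perm] = state == "allow"
    return result

def granted(rules, principal, path):
    """Sorted names of the permissions that resolve to 'allow'."""
    return sorted(p for p, ok in effective(rules, principal, path).items() if ok)

if __name__ == "__main__":
    for p in ("/readme.txt", "/drafts/notes.md", "/drafts/archive/2018/report.odt"):
        print(p, granted(RULES, "staff", p))
    # Removing a rule (the 'x' in the UI) returns the folder to inherited state.
    trimmed = {k: v for k, v in RULES.items() if k[0] != "/drafts/archive"}
    print(granted(trimmed, "staff", "/drafts/archive/2018/report.odt"))
```

Running such a resolver over an exported rule set is a quick way to review which folders end up writable before granting a group access.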

Are these new ACLs working only for Group Folders?
You wrote:
“Nextcloud can give users access to a Windows Network Drive as external storage and respects these ACL’s”
How can it be set? I don’t see “Advanced Permissions” option for external storage

2 Likes

As the news text describes it, it is only available for Group Folders, yes.

1 Like

Is server<>server federation with circles working now?

Will Group folders support file encryption in NC16?
Their limit in NC15 prevents me from deploying group folders in our company.

I don’t know the exact roadmap but we’re expanding the integration of Group Folders more and more… You could join the upcoming enterprise day where Group Folders is one of the subjects to learn more…

Hi all!

I’m wondering how I could tweak Group folders into allowing reading/opening a file but preventing any update (denying write privilege)… I expected that write=off would be enough, but it isn’t, just prevents me from creating a new file or copying a file into the folder.

By the way, removing the read privilege doesn’t prevent me from opening and updating the file through webdav connection either, thus making the plugin useless if you can easily circumvent the ACL by using any other client rather than accessing the repository with your web browser… :frowning:

Any clue on this? Is there any tool which enforces access rights at the OS level?

Other issue: when fine-tuning ACL within the Files app, the plugin shows deactivated users as well…

Thanks in advance for any help!

1 Like

Hi Community,

Any help on this topic would be greatly appreciated! Thanks in advance!

Maybe not exactly what you want, but you can do this on a subfolder created under a groupfolder

Thanks for the tip! I’ll check this as soon as I can, but surprisingly, the Group Folders settings now displays an empty page! Have to fix this before…

Hello,

Explanation says

the administrator enables the Group Folders app, creates a group folder and selects the groups who should have access to it.

But what shall we do to enable this for existing folders?

As far as I understand, there is currently no way to migrate an already created folder into a group folder. The only solution is to create a new group folder and move existing files to it.
If it doesn’t already exist, you should think about opening a feature request to get this function added in a future release.

Easy. Create a new groupfolder and adjust the permissions. Do not use the same name for the groupfolder as the existing. Move all files from the existing. Delete the existing folder.

So the group folder feature seems nice; however, I have two major problems:

  1. It says that I can tick the X to the right of the permissions in order to inherit from the parent folder instead. It does not work; instead the folder disappears and I have no idea how to get it back :frowning: Any ideas? I now have some lost folders

  2. It would be a great advantage to have a group folder where the default is no access and then I can instead add access to every subfolder. Is there a way to do this?

I have the same experience - if I tick advanced permissions, the Groupfolder is not visible any longer in the files app. But only for some folders. Others behave as expected. The hidden folder will return visible if I untick the advanced permissions. I suspect that this happens when I have already created subfolders in the folder I want to give advanced permissions.
Is this a bug? I have reported this as an issue.

Hello all!

I’m coming back to this thread to ask about the webdav access: I’ve managed to create the desired group folders, put some test files in each, played with groups & users permissions, but whatever the settings, I still can read/write/delete any file when accessing them through the webdav connection. This breaks all protections I’d like to apply throughout our repository… :frowning_face:

Is there any way to sync Group Folders settings with Linux system files permissions, so that any direct action is still enforced by nextCloud-defined rules?

Thanks in advance for any help!

Hello @jlgarnier,

you are replying to an older news topic.

I will lock this article right now and kindly ask you to open new topic at:

https://help.nextcloud.com/c/apps/groupfolders