Nextcloud 16 implements Access Control Lists to replace classic File Servers

Originally published at: https://nextcloud.com/blog/nextcloud-16-implements-access-control-lists-to-replace-classic-file-servers/


While Nextcloud is often used in companies to replace aging ‘shared folder’ solutions like a Windows Network Drive, the sharing model modern Dropbox-like solutions use is very different. Rather than a single, fixed folder structure available to all users and tightly controlled by IT, users have their own view on their data and can share files and folders at will with others, who will receive shared files in their home file view.

As this release brings so many improvements, we’ve written 4 other blogs with more details about the main features:

[Image: ACLs in sidebar]

The old and new ways of sharing

A major difference between the folder tree ruled by system administrators and the user-centric view is the use of access control lists (ACL’s) in the ‘old’ world. These allow an admin to share a folder with all users while changing the access rights on sub folders and folders in those folders and so on. This makes it possible to have read-only access to a top folder, write access to a sub folder, read-only to a folder in there again and so on. Nextcloud can give users access to a Windows Network Drive as external storage and respects these ACL’s, but does not otherwise expose them for manipulation.

Nextcloud 16 introduces support for ACL’s in group folders. System administrators can set, on every file and (sub)folder in a group share, specific access rights. These are inherited by default, so a ‘no write access’ for a specific user or group will apply to all files and sub folders, unless overridden again by the system administrator.

Available for configuration are Read, Write, Create, Delete and Share permissions, each of which can be set to ‘inherit’, ‘allow’ or ‘deny’ for each user or group for each file and (sub)folder in a group share.

How it works

To set up a group folder with ACL’s, the administrator enables the Group Folders app, creates a group folder and selects the groups who should have access to it. Make sure the admin who has to set up the permissions is included. Then, enable the ‘advanced permissions’ setting.

In the Files app, go to the group folder and look at the sharing view. There will be a group folder permissions view, where you can specify permissions. Use the ‘Add advanced permission rule’ button to add a rule.

You now pick from a list of all groups and users who have access to the group folder and can then set the fine-grained permissions. Note that ‘inherit’ is the default, and by removing the rule with the ‘x’ on the right you can return to the permissions inherited from the parent folder.

Users can see what their rights are, but not modify them.

2 Likes
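The inheritance model described in the post above, as an added example (not Nextcloud's code and not part of the original post): a small Python model that resolves a user's effective permissions by walking from the top of the group folder down to the target path. The sample rules, the principal names, the starting grant of all permissions and the tie-break (an explicit 'allow' wins over 'deny' when several rules on one folder match the same user) are assumptions of this sketch.

```python
from pathlib import PurePosixPath

PERMS = ("read", "write", "create", "delete", "share")

# Constructed sample rules (not taken from a real server):
# {path inside the group folder: {principal: {permission: "allow" | "deny"}}}
# A permission that is not listed for a principal is "inherit".
RULES = {
    "projects": {
        "group:staff": {"write": "deny", "create": "deny", "delete": "deny"},
    },
    "projects/drafts": {
        "group:staff": {"write": "allow", "create": "allow"},
    },
    "projects/drafts/archive": {
        "group:staff": {"write": "deny"},
        "user:alice": {"write": "allow"},
    },
}


def effective_permissions(path, principals, rules=RULES):
    """Resolve the permissions one user ends up with on `path`.

    `principals` is the set of rule subjects that apply to the user
    (their own id plus every group they belong to).
    """
    # Assumption: the group folder itself grants everything before ACL rules apply.
    effective = dict.fromkeys(PERMS, True)
    parts = PurePosixPath(path).parts
    for depth in range(1, len(parts) + 1):
        node = "/".join(parts[:depth])
        matching = [r for who, r in rules.get(node, {}).items() if who in principals]
        for perm in PERMS:
            states = {rule.get(perm, "inherit") for rule in matching}
            if "allow" in states:      # assumed tie-break: allow beats deny
                effective[perm] = True
            elif "deny" in states:
                effective[perm] = False
            # only "inherit": keep what the parent folder resolved to
    return effective


def denied(path, principals, rules=RULES):
    """Audit helper: the permissions the user does NOT have on `path`."""
    perms = effective_permissions(path, principals, rules)
    return sorted(p for p in PERMS if not perms[p])
```

Running `denied()` for each user over the folder tree gives an admin a quick way to review what a deep chain of overrides actually resolves to before relying on it.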

Are these new ACLs working only for Group Folders?
You wrote:
“Nextcloud can give users access to a Windows Network Drive as external storage and respects these ACL’s”
How can it be set? I don’t see an “Advanced Permissions” option for external storage.

2 Likes

As the news text describes it, it is only available for Group Folders, yes.

1 Like

Is server<>server federation with circles working now?

Will Group folders support file encryption in NC16?
Their limit in NC15 prevents me from deploying group folders in our company.

I don’t know the exact roadmap but we’re expanding the integration of Group Folders more and more… You could join the upcoming enterprise day where Group Folders is one of the subjects to learn more…

Hi all!

I’m wondering how I could tweak Group folders into allowing reading/opening a file but preventing any update (denying write privilege)… I expected that write=off would be enough, but it isn’t; it just prevents me from creating a new file or copying a file into the folder.

By the way, removing the read privilege doesn’t prevent me from opening and updating the file through a WebDAV connection either, thus making the plugin useless if you can easily circumvent the ACL by using any other client rather than accessing the repository with your web browser…

Any clue on this? Is there any tool which enforces access rights at the OS level?

Other issue: when fine-tuning ACL within the Files app, the plugin shows deactivated users as well…

Thanks in advance for any help!

1 Like

Hi Community,

Any help on this topic would be greatly appreciated! Thanks in advance!

Maybe not exactly what you want, but you can do this on a subfolder created under a groupfolder

Thanks for the tip! I’ll check this as soon as I can, but surprisingly, the Group Folders settings now displays an empty page! Have to fix this before…

Hello,

Explanation says

“the administrator enables the Group Folders app, creates a group folder and selects the groups who should have access to it.”

But what shall we do to enable this for existing folders?

As far as I understand, there is currently no way to migrate an already created folder into a group folder. The only solution is to create a new group folder and move existing files to it.
If it doesn’t already exist, you should think about opening a feature request to get this function added in a future release.

Easy. Create a new groupfolder and adjust the permissions. Do not use the same name for the groupfolder as the existing. Move all files from the existing. Delete the existing folder.