Permission on root folder

Hi there,

I’m new to Nextcloud and have my own Nextcloud running. I need this solution for a teacher who wants to upload documents and share them with his students. All students should get their own account on Nextcloud.

But I do not want everyone to create folders and upload files that I do not see. My question:

Is it possible to deny users the creation of folders and upload files on root folder level? Every user should only operate in the folders that I created.

Thank you very much and kind regards,
Martin

Thank you so far, but the problem is still not solved. I'll try to make it clearer:

That’s how it should be:

  • User Group 1:
    Read/write anywhere

  • User Group 2:
    \root → NO PERMISSION TO CREATE/DELETE FOLDER + NO PERMISSION TO UPLOAD
    \root\folder1 (created by User Group 1) → PERMISSION TO CREATE/DELETE FOLDER and UPLOAD

I want users to have full access to Nextcloud, but read rights ONLY for ROOT FOLDER.

Thx,
Martin

You can only specify permissions for the whole share; you can’t have different settings in a subfolder. You could do this with external storages that every user mounts, and manage the permissions via this external storage (like Linux filesystem, Samba, …).

Hi tflidd,

I have the same requirement: I need to build a file access policy and select, for example:

  • All users have read-only rights on the root folder
  • Users from the HR group have read/write/create/delete rights within the HR folder
  • Users from the R&D group have read rights on some HR sub-folders, no access to some other HR subfolders and full access rights within their R&D folder
  • Etc.

My understanding is that I could forget implementing such a policy with the File Access Control app. You mention some tweak with external storage and all the files I want to protect are located on an external storage.

However, first, I don’t know how to implement access rights outside of Nextcloud, straight on the external storage, and second, I don’t understand how the user identifier is collected by the external storage to determine the applicable access rights.

Can you please point me to some documentation on this? I also hope someone will develop a plugin to manage such common policies, as tags are really not easy to use for this.

Thanks in advance for any help!

I haven’t used the file access control app a lot, so I can’t tell if that might work.

For the external storage:
E.g. you use a normal Linux system user (or Samba, NFS, …; ideally you would also authenticate your users against this external storage backend): you would create for each Nextcloud user a corresponding user on the system. Then on the Nextcloud instance, you create an external storage for each user, and the user uses his/her credentials to connect to this external storage. On the Linux file system, you can use the basic permission settings with users and groups, and you can be even more specific with ACLs.
This construction is preferred if you have an SMB/NFS server with a file structure anyway. So you just hook up Nextcloud to it.

Or instead of one big shared folder, you do several ones (there is also a groupfolder app), so you share a folder within the HR group, one for R&D, … This way you might end up with several shared folders per user.

Hi jlgarnier,

Have you found a solution for this?

Not sure if anyone else found a solution to this, but in case someone else needs this information, here is what I have done:

If you set the files directory under the user’s folder to read-only, like I do with a Python script that runs as a cron job (0o444), then this will keep users from writing to the root folder.

If someone found a better way, please let me know. I needed to do the same thing.
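A sketch of the kind of cron job described in the post above, as an added example and not the poster's script. It clears only the write bits on each user's top-level `files` directory and leaves the search (x) bit in place so the directory stays traversable, which gives 0o550 here rather than 0o444; subfolders are left untouched. Assumptions: the usual `<datadir>/<user>/files` layout, and the function names and the `exempt` set are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def lock_files_root(files_dir: Path) -> int:
    """Clear the write bits on the directory itself (not its children)."""
    mode = stat.S_IMODE(files_dir.stat().st_mode)
    new_mode = mode & ~WRITE_BITS
    if new_mode != mode:          # idempotent: cron can run it repeatedly
        os.chmod(files_dir, new_mode)
    return new_mode


def lock_all_users(data_dir: Path, exempt=frozenset()) -> dict:
    """Lock <data_dir>/<user>/files for every user not in `exempt`."""
    results = {}
    for user_dir in sorted(data_dir.iterdir()):
        files_dir = user_dir / "files"
        # Skip non-user entries, and never chmod through a symlink.
        if (user_dir.name in exempt or files_dir.is_symlink()
                or not files_dir.is_dir()):
            continue
        results[user_dir.name] = lock_files_root(files_dir)
    return results


def demo():
    """Run against a constructed data directory (not a real instance)."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp)
        for user in ("teacher", "student1"):        # constructed accounts
            sub = data / user / "files" / "folder1"
            sub.mkdir(parents=True)
            os.chmod(sub.parent, 0o750)
            os.chmod(sub, 0o750)
        (data / "appdata_constructed").mkdir()      # entry with no files/ dir
        locked = lock_all_users(data, exempt={"teacher"})
        sub_mode = stat.S_IMODE(
            (data / "student1" / "files" / "folder1").stat().st_mode)
        teacher_mode = stat.S_IMODE((data / "teacher" / "files").stat().st_mode)
        os.chmod(data / "student1" / "files", 0o750)  # allow temp cleanup
        return locked, sub_mode, teacher_mode


if __name__ == "__main__":
    print(demo())
```

Mode bits do not restrain a process running as root, so the check only has an effect when the web server runs as an unprivileged account.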

You could install the guest app and give the students guest accounts. A guest account has no home folder of its own, only access to things shared with them, which may be read only or read write.