Restricting user groups to certain folders

So I did a bit of research and thought that NextCloud would be the perfect thing to share files and folders in my organization. There are 3-4 workstations that require a shared data set and this looks like it should do it.

I would like to restrict some access so that accidental deletion won’t happen, but everything I look for says that Nextcloud doesn’t have any normal user controls for restricting which accounts can access or delete which files.

I’m really surprised that an application that claims to be enterprise ready doesn’t have anything as basic as folder access controls built in. I’ve seen that there’s supposed to be some control with “File access control” but it looks like it doesn’t actually do any access control the way every other file restriction system works.

I’m familiar with Windows shares & file permissions, and I’ve got some experience with Linux/unix file permissions as well, and nothing in the “File access control” looks like it actually restricts or grants access.

Can I actually restrict or grant access to users with NextCloud, or does everyone just have access to everything. I’m thinking this product wasn’t what I needed if it doesn’t have any way to manage user access.

Nextcloud version 13
Operating system and version ubuntu 18

There are a few options to control access permission to certain folders:

  • groupfolders in combination with file-access-control
  • folders shared by a central account (admin account for example) and specific permissions to read-only, read-write or not shared with at all

I suggest to upgrade to NC15 directly as it is richer in features and received some improvements for sharing.

I’m kinda shocked that a file sharing app wouldn’t have rudimentary file permissions as the first thing it does, not in version 15.

I’ll see what I can do. Thanks

I haven’t played with 15 enough to go live. Documentation has been getting better, but still generally tells admins how to turn things on and off, but doesn’t say much about what the expected behavior is. The result is new users and admins upgrading have to test to learn what to expect.

Privilege based security is a good example.

If I share a folder with a group and grant create and edit privileges. Then I share the folder with a user and grant reshare privilege. When the user is a member of the group, does the user have just reshare privilege granted to user, just create and edit privileges from its group membership, or all three privileges? Developers and long term users know what to expect. New users and users upgrading and testing don’t know whether behavior they see is expected or error. So documenting expected behavior for release should greatly enhance beta testing and usability.

Also:

  1. It appears that sharing privileges set by administrator in settings apply to all users. Is there a way to handle this with an override at the group or user level? Is there a reason an admin might want to do that? What should I expect as behavior when I configure those settings?

  2. While I love the rule based concept of Files Access Control app, it seems contradiction in a secure system to have to deny access rather than starting from universal denial and granting access. But maybe I am missing the point that access was already granted through a group or a share and Files Access Control is just creating exceptions.

  3. I learned the hard way to worry about logging in as different user to create a persistent file share. That is documented, but it would sure be nice to have a Persistent Share setting that changes ownership to a system admin controlled internal user.

1 Like

I have the same use case and need to migrate a directory structure used by some team using classic ACLs. Interested in sharing your experiences?

From my limited research yet, that use case seems best supported with Nextcloud 16+ because it has ACLs for group folders. Do you use them as well and have some experience to share or am using a totally different solution?

Thanks!