Sharing Outside Groups

We have a number of clients on our NextCloud - small businesses with a few employees - and I’ve created individual groups for them, so that, with the “restrict sharing to group” option, they are isolated from one another.

So that, from their perspective, it’s as if they’re the only ones using the cloud and they only see others in their own group in the contacts menu and such.

Which is great and exactly what’s needed.

But there might sometimes be occasions where, while not undermining the group isolation, there is a call to share outside one’s group.

As a simple example, I’m an admin on the NextCloud instance and so it would be useful if they could temporarily defy the group isolation to contact me for support, or that I could temporarily defy group isolation to share a file with them - e.g. a copy of the NextCloud user manual, say.

The way I envisage this happening is that you can refer to another user account outside your group in the same way that you can do federated cloud links.

That is, presuming my user account was called “admin” on the “cloud.example.com” NextCloud server, then any user - be it on the same or remote cloud - could refer to this account as “admin@cloud.example.com”.

Kind of like, I guess, an “absolute pathname” to any user account on any instance.

Including to user accounts that are on the same cloud but in different groups, so that we could still benefit from group isolation - yet you can temporarily defy this to share between different groups on the same cloud, by referring to them with their “absolute name” of “user@cloud.instance.com”.

Because, basically, the group isolation is good. But, as an admin, there are sometimes occasions where I need to share or communicate beyond my own group - to support our clients - and it’d be good to be able to do things in the way I described. To keep group isolation, but allow it to be bypassed - and in basically the same way that you’d share with a user on a completely different instance (or, put another way, that the federated cloud sharing doesn’t actually care whether the account is on the same instance or not - because users should not need to know or care about this, and it should behave that way for them too).

Hi,

I’m just thinking: wouldn’t it be feasible to add the admin user to every group? He would then be the bridge for all users to a different group:

  • share with admin
  • add comment as request to re-share with specific user/ group
  • admin re-shares as requested

Well, yes, this is a possibility.

In fact, my current “workaround” solution to this issue has been to create an extra temporary group and then add myself and those I want to share / communicate with to this group and then use this temporary group as a “bridge” between accounts.

But while this works, it’s a PITA. Manually creating a temporary group, adding users to it, then undoing it all afterwards.

And, really, having the admin be a member of all groups would just be a means of automating this process.

The reason why, though, I’ve suggested something a bit more than that is that this issue doesn’t necessarily only affect admins - though they’ll meet it more than most - what if, say, one of the small businesses on my cloud wants to share / communicate with one of the other small businesses?

So I was trying to think of a more generic solution that would allow this to work for everyone everywhere. And, well, the idea that your federated cloud ID can work everywhere - be it local or remote - would not only do this, but would also bring some consistency. Why should any user need to know whether someone else is or isn’t on the same instance as them? They should just be able to use the federated cloud ID - as the global unique name of any account - and then it’s up to NextCloud to sort out the details of whether this is a local or remote thing.

This would be a generic solution that should fix it for everyone, I feel, as well as for the admin.
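
The temporary "bridge" group workaround described in the thread can be scripted with Nextcloud's `occ` group commands so that setup and teardown are each a single step. This is an added example, not part of any poster's message. The function names, the `bridge-` naming convention and the default `occ` invocation path are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example: open and close a temporary cross-group "bridge" with occ.
# OCC is an assumption; set it to however occ is invoked on your server.
OCC=${OCC:-"sudo -u www-data php /var/www/nextcloud/occ"}

# Only touch groups named bridge-* (constructed convention), so a typo can
# never add users to, or delete, a real client group.
is_bridge_name() {
    case $1 in
        bridge-?*) return 0 ;;
        *) echo "refusing: '$1' is not a bridge-* group" >&2; return 2 ;;
    esac
}

# bridge_open GROUP USER USER...  create the group and add every user.
bridge_open() {
    is_bridge_name "$1" || return 2
    group=$1; shift
    [ $# -ge 2 ] || { echo "need at least two users" >&2; return 2; }
    $OCC group:add "$group" || return 1
    for user in "$@"; do
        if ! $OCC group:adduser "$group" "$user"; then
            # Roll back so a half-built bridge does not linger.
            $OCC group:delete "$group"
            return 1
        fi
    done
}

# bridge_close GROUP USER...  remove the listed users, then delete the group.
bridge_close() {
    is_bridge_name "$1" || return 2
    group=$1; shift
    for user in "$@"; do
        $OCC group:removeuser "$group" "$user" ||
            echo "warning: could not remove $user from $group" >&2
    done
    $OCC group:delete "$group"
}

# Usage (constructed names):
#   bridge_open  bridge-support admin alice
#   bridge_close bridge-support admin alice
```

Afterwards, `occ group:list` shows whether any `bridge-*` group is still present.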