Subfolders permissions

Hi there,

I would like to know if I can share a subfolder in a top share with different permissions than the one defined first.

Example: If I create a Finance folder and share it for all the financial department, is it possible to create a subfolder CFO where only the CFO can access?

Thank you in advance.

Hi,

This can’t be achieved with the sharing function itself. When a folder is shared, then users have access to all the files and sub-folders.
What you can do however is to use file access control.

  1. Create a user group “CFO” and add the CFO user to that group
  2. Go to Server Settings -> Workflow and create a new tag CFO
  3. Go to Server Settings -> File access control and create a new rule “CFO restricted access” with Rules:
    file system tag – is applied – CFO
    user group membership – is not member of – CFO
  4. Go to the shared sub-folder which should only be accessed by the CFO and apply the tag “CFO”

Hi Schmu,

Thank you very much for your feedback.

Your suggestion works very well and as a strategy it will solve my problem.

Even though that caused me another problem related to Collabora. I cannot now edit online files within that folder using Collabora integration. I think it is related to how Collabora authenticates itself. Having said that, do you know how that can be solved?

Thank you in advance.

Oh, I don’t use Collabora and have no idea how this is integrated in NC in detail.

Does Collabora have its own user for NC? Or does it have a specific address from which it connects to NC?

Maybe this works:
file system tag – is applied – CFO
user group membership – is not member of – CFO
requesting remote address – doesn’t match IPv4 – <Collabora-Server-IP>

Maybe with Collabora integration there is also a new user agent selectable in the file access control. If so, you could also define:
user agent – is not – Collabora

Hope this helps somehow.

Schmu, that’s it!

The addition of that third condition made it happen. Simple but effective solution.

Thank you very much!

I noticed that you can bypass the restriction by simply downloading the “Finance” folder.

I think that needs to be fixed.

That's true,
there should be a sharing option the same as Google Drive,
where we can clearly see everything shared and to whom, in each and every subfolder and its files.
So if Nextcloud made sharing the same way, it would be more practical and safe to share.

You should also mention to create the tag as invisible (restricted is not working yet). Otherwise everybody with write permissions can see and remove the CFO tag and get access to the files.

Thank you very much for the approach, but it would still be great to have the possibility to change permissions of subfolders. As far as I know, file access control can only block access and can’t restrict it, unfortunately (e.g. read only).

If you download the top folder you will get the restricted subfolder too but no files in it (tested with 12.03).

@Jonas. I have just tested it with 13.0. You wrote: “…If you download the top folder you will get the restricted subfolder too but no files in it (tested with 12.03)…”. That is correct, but it results in a corrupted zip file (the downloaded top folder).

But this one is a more serious problem which defeats the purpose:

A user who doesn’t have access to that CFO folder can copy the top shared folder into his/her private folder and open that “restricted” sub-folder CFO in the private folder.

So it sounds like this file access “security” is pure obscurity in this case. Hm, sometimes I get serious doubts about enterprise readiness …

This is helpful with the current version I am using, Nextcloud 15. Though I run into an issue if I want to share a subfolder with more than one group using these rules. Maybe the logic is just beyond me at the moment but is there a way to share it say with a Creative group and an Editorial group but no one else?

It seems if I have two sets of rules in place as described, it blocks access given how the rules work since not all rules are true.

e.g. I have one rule group set up (File access Control under Settings) with User group membership > is not a member of > Creative and File System tag > is tagged with > Creative to block non creative group members but if I create a second rule group for Editorial, with the same rules, but replacing Creative with Editorial AND a folder is tagged with both Editorial and Creative, then neither group can view the files in the folder with both tags.
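
The two-group case from the last post, modelled as an added example that is not part of any post in this thread and is not Nextcloud code. It assumes the semantics the thread describes (a rule blocks when all of its conditions are true, and any blocking rule denies access); the tag name `CreativeEditorial`, the user names and the combined rule are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user_groups: frozenset
    file_tags: frozenset

# Condition builders mirroring the two checks used in the thread.
def tag_applied(tag):
    return lambda req: tag in req.file_tags

def not_member_of(group):
    return lambda req: group not in req.user_groups

def is_blocked(rules, req):
    """A rule blocks when ALL its conditions hold; ANY blocking rule denies."""
    return any(all(cond(req) for cond in conds) for conds in rules.values())

# Setup from the last post: one rule per group, folder carries both tags.
per_group_rules = {
    "Creative restricted": [tag_applied("Creative"), not_member_of("Creative")],
    "Editorial restricted": [tag_applied("Editorial"), not_member_of("Editorial")],
}
both_tags = frozenset({"Creative", "Editorial"})

# Assumed alternative: one dedicated tag and one rule that blocks only
# users who are in neither group (tag name is hypothetical).
combined_rules = {
    "Creative+Editorial restricted": [
        tag_applied("CreativeEditorial"),
        not_member_of("Creative"),
        not_member_of("Editorial"),
    ],
}
one_tag = frozenset({"CreativeEditorial"})

# Constructed sample users.
USERS = {
    "creative_only": {"Creative"},
    "editorial_only": {"Editorial"},
    "both_groups": {"Creative", "Editorial"},
    "outsider": {"Finance"},
}

def access_table(rules, tags):
    """Map each sample user to True (allowed) or False (blocked)."""
    return {name: not is_blocked(rules, Request(frozenset(groups), tags))
            for name, groups in USERS.items()}

if __name__ == "__main__":
    print("per-group rules, both tags:", access_table(per_group_rules, both_tags))
    print("combined rule, one tag:   ", access_table(combined_rules, one_tag))
```

In this model the per-group rules combine as "must be in Creative AND in Editorial", which is why a folder carrying both tags locks out anyone who belongs to only one group; the copy and download behaviour reported earlier in the thread is outside what the model covers.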