Unexpected behaviour of group folders advanced permission

Hello!

We are an open community with location groups like Germany and United States, and working groups like Tech and Finance.

We want to build a folder structure that contains all folders that are used by the above teams. Everyone in the community should have read permission to the entire folder structure, but only write/delete/share permission to some sub folders, based on the groups they are part of.

We are trying to build a folder structure that looks like this

Root Folder:

  • Global Folder

Sub Folders:

  • Germany
  • United States
  • Tech
  • Finance

The groups we have made to control the permissions are

  • Everyone
  • Germany
  • United States
  • Tech
  • Finance

Our steps to set this up

  1. Create “Global Folder” in the group folders panel under Administration settings.
  2. Add the following groups to the group field for the group folder “Global Folder” in the same panel:
    • Everyone
    • Germany
    • United States
    • Tech
    • Finance
  3. Remove Write, Share, and Delete permissions.
  4. Give advanced permissions to a user named “cloud” who is already in the groups Everyone, Germany, United States, Tech, and Finance.
  5. Log in with user “cloud”.
  6. Set up the advanced permissions for each sub folder like this:
    • [Group Name] Group | Allow: Read, Write, Create, Delete
    • [Group Name] Admin | Allow: Read, Write, Create, Delete, Share

Expected behaviour

  • Users in the respective groups and admins of the respective groups have read permission in the root folder “Global Folder” and all sub folders within.
  • Users and [Group Name] Admin user of respective groups have write and delete permission for their respective [Group Name] sub folders.
  • [Group Name] Admin user of respective groups has share permission for their respective [Group Name] sub folders.

Experienced behaviour

  • Users in the respective groups and admins of the respective groups have read permission in the root folder “Global Folder” and all sub folders within.
  • Users and [Group Name] Admin user of respective groups DO NOT have write and delete permission for their respective [Group Name] sub folders.
  • [Group Name] Admin user of respective groups DO NOT have share permission for their respective [Group Name] sub folders.

Our Nextcloud version is 16.04 and Group Folders app version is 4.1.5.

Is this a bug in the group folders app? Or is our approach incorrect?
Any help is highly appreciated.

I found a solution to my problem by reading through the documentation and thinking of ways to work around the “limitations”.

As was pointed out by @putt1ck in another thread, it works as designed.
In the documentation it states the following:

Denied permissions configured for the group folder itself cannot be overwritten to “allow” permissions by the advanced permission rules.

Therefore, the permissions in the group folder need to be set to “allow” if we want groups to be able to use them down the folder tree line.

To accomplish what we seek, we need to set the advanced permission rules on the group folder itself, and deny all but read permissions for all groups. This way you accomplish the same as denying permissions in the group folder settings panel. Groups can now be allowed to write/delete/share with advanced permission rules down the folder tree line in their respective sub folders.

Hope this comes in handy for others in the same situation as we are :)
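
The rule quoted from the documentation above, as an added example that is not part of the original posts and is not Nextcloud's code: a simplified Python model in which the permissions set on the group folder act as a ceiling for the advanced permission rules. The bit values, the function names and the assumption that an allow from one of a user's groups wins over a deny from another are illustrative choices of this model.

```python
# Simplified model (an assumption for illustration, not Nextcloud's code) of how
# group folder permissions cap what advanced permission rules can grant.
READ, WRITE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | SHARE
GROUPS = ["Everyone", "Germany", "United States", "Tech", "Finance"]

def effective(folder_perms, rules, user_groups, path):
    """folder_perms: {group: mask} from the group folders admin panel.
    rules: {path: {group: (allow_mask, deny_mask)}}; "" is the group folder itself."""
    # Ceiling set on the group folder; advanced rules can never exceed it.
    ceiling = 0
    for g in user_groups:
        ceiling |= folder_perms.get(g, 0)
    parts = [p for p in path.split("/") if p]
    prefixes = [""] + ["/".join(parts[:i + 1]) for i in range(len(parts))]
    allowed = denied = 0
    for g in user_groups:
        g_allow = g_deny = 0
        for prefix in prefixes:  # deeper rules override inherited bits
            a, d = rules.get(prefix, {}).get(g, (0, 0))
            g_allow = (g_allow & ~d) | a
            g_deny = (g_deny & ~a) | d
        allowed |= g_allow
        denied |= g_deny
    # Model assumption: across a user's groups an allow wins over a deny;
    # bits no rule mentions are inherited from the ceiling.
    acl = (ALL & ~denied) | allowed
    return ceiling & acl

def original_setup():
    # Steps 3 and 6 of the question: only read left on the group folder,
    # write/create/delete allowed again by a rule on the sub folder.
    perms = {g: READ for g in GROUPS}
    rules = {"Germany": {"Germany": (READ | WRITE | CREATE | DELETE, 0)}}
    return perms, rules

def workaround_setup():
    # The fix: everything allowed on the group folder, deny-all-but-read rules
    # on the group folder itself, allow rules on the sub folder.
    perms = {g: ALL for g in GROUPS}
    deny = WRITE | CREATE | DELETE | SHARE
    rules = {"": {g: (READ, deny) for g in GROUPS},
             "Germany": {"Germany": (READ | WRITE | CREATE | DELETE, 0)}}
    return perms, rules

if __name__ == "__main__":
    member = ["Everyone", "Germany"]  # constructed sample user
    for name, setup in (("original", original_setup), ("workaround", workaround_setup)):
        perms, rules = setup()
        for path in ("", "Germany", "Tech"):
            print(name, repr(path), bin(effective(perms, rules, member, path)))
```

In the original setup the member of Germany ends up with read only in the Germany sub folder, matching the experienced behaviour; in the workaround the same user gets read, write, create and delete there while the group folder itself and the other sub folders stay read-only.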