User access control questions!

I’m having some confusion about users and sharing. It seems when I create a new user they have access to everything. I would like to configure it so that the default is that nothing is shared, and I can selectively give them access to folders as needed.

Here’s a tricky part: I have an external storage with all my projects mounted (which in this case is a TrueNAS dataset), so I need to give them access to one specific subfolder in that main project drive, but not the rest of the subfolders.

Hello,

They should not. This is by design.

When you create a new Nextcloud user, that user gets its own root directory and that directory isn’t shared with anyone else.

User 1 → Directory 1 (usual name is given by the user name)
→ Sub Dir 1
→ Sub Dir 2
→ So on
User 2 → Directory 2
User 3 → Directory 3

At a glance it may look like all users have access to the same directory due to the default content. That content (demo files and directory structure) gets created for every user when you create a new user, but those contents are not in the same directory; rather, they are copied into the individual user's directory at the time of user creation.

Thanks.

1 Like

Hi!

As @NaXal explains, every user created gets the demo files package (so they look identical). Every new user's home folder is private by default. No other users can access it.

To achieve your goal, I recommend “group folders” and advanced group permissions.

You can create a group of users and a group folder. Then you can assign the folder to them and adjust advanced access for individual subfolders. The global permission policy in the group is allow. But you can, on every subfolder, deny access to a specific user (or many, even groups of them).

Example:
group1 - contains user1, user2 and user3
group2 - contains user4, user5 and user6
groupfolder1 (containing subfolder1, subfolder2 and subfolder3) - assigned to group1 and group2
groupfolder2 (containing subfolder4, subfolder5 and subfolder6) - assigned to group2 only

The first access rule is implicit in the assignment of the groupfolder to the group (group2 is not going to get access to groupfolder1).
Inside every group folder, you can fine-tune the access, allowing, e.g., user1 to view/edit all, but user2 to only view subfolder2 and subfolder3.
You can even deny access to groupfolder2 subfolder6 to the whole of group1. No one in this group will be able to access it, but group2 is going to have full access to it.

With this kind of structure, for sure, you can achieve your goal easily.

The other way to do the same is via tags/groups filter and flow control (via the block access to files flow) but, IMHO, this is unnecessarily more complex.

3 Likes
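
The two-layer rule described in the post above (group folder assignment first, then per-subfolder deny), as an added example that is not part of the thread and is not Nextcloud code. It is a simplified Python model using the post's group and folder names; the deny entries, the rule that any matching deny wins, and the helper names `reachable` and `over_exposed` are assumptions of the model.

```python
# Simplified model of the rules described in the post; not Nextcloud code.
GROUPS = {"group1": {"user1", "user2", "user3"},
          "group2": {"user4", "user5", "user6"}}

# Layer 1: group folder assignment (implicit allow for assigned groups).
FOLDERS = {
    "groupfolder1": {"groups": {"group1", "group2"},
                     "subfolders": ["subfolder1", "subfolder2", "subfolder3"]},
    "groupfolder2": {"groups": {"group2"},
                     "subfolders": ["subfolder4", "subfolder5", "subfolder6"]},
}

# Layer 2: per-subfolder deny rules (constructed to match the post's wording).
DENY = {
    "groupfolder1/subfolder1": {"users": {"user2"}, "groups": set()},
    "groupfolder2/subfolder6": {"users": set(), "groups": {"group1"}},
}


def groups_of(user):
    return {name for name, members in GROUPS.items() if user in members}


def can_access(user, folder, subfolder):
    """Deny by default; allow only via an assigned group and no matching deny."""
    spec = FOLDERS.get(folder)
    if spec is None or subfolder not in spec["subfolders"]:
        return False
    member_of = groups_of(user)
    if not member_of & spec["groups"]:
        return False  # folder not assigned to any of the user's groups
    rule = DENY.get(f"{folder}/{subfolder}")
    # Assumption: a deny naming the user or one of their groups always wins.
    if rule and (user in rule["users"] or member_of & rule["groups"]):
        return False
    return True


def reachable(user):
    """Every path the user can reach under the model."""
    return sorted(f"{f}/{s}" for f, spec in FOLDERS.items()
                  for s in spec["subfolders"] if can_access(user, f, s))


def over_exposed(user, intended):
    """Paths the user can reach beyond what was intended for them."""
    return [p for p in reachable(user) if p not in intended]


if __name__ == "__main__":
    for u in sorted(set().union(*GROUPS.values())):
        print(u, reachable(u))
```

Comparing `over_exposed` output against the access you intended for each user is a quick way to spot a share that is wider than planned before applying the same layout in the admin interface.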

Thank you both for the replies! I found out that the “available for” field in the external storage options was left blank. Not sure if I deleted it or if it’s like that by default, but once I set it to ncadmin the mounted folder disappeared from the other users until I shared it with them, as expected. So in other words, operator error.

Do I have to specifically create a group folder in order to share it with a group? What if I have an already existing regular folder on my mounted storage that I want to share with a group?
Currently, when I share a folder from the mounted storage, it appears that it’s actually making a copy for that user, rather than syncing it on my local storage. This is no good for working on a constantly changing project. Is there a particular way I need to share it? I need it to be able to sync with all the users' computers via the desktop client.

Another issue, I can’t seem to be able to actually see other users as the admin. When I type the name of a user in the share field, I see only the name of a user which I previously chatted with. But not any of the new users I created. And those new users don’t appear in the Talk page, or in any other search bar.
The odd thing is, the users DO appear when logged in as a non-admin. So is there something about being logged into the admin that makes other users invisible? It would be an odd behavior if so, so I imagine I misconfigured something, but I have no idea what.

The sync process triggers every X time, so, until sync runs, you are going to see that some changes are not reflected in main storage. To verify all is working, you can force a sync (under settings, in the account section, menu “…”) to see if all is working properly.

Simply add the admin group to the users group (or your admin user to it).

Thanks very much! I didn’t realize the admin had to be in the same group.

As for the file duplication thing, I believe the issue was that I did not enable editing when I shared it. I deleted the files from the user account and they remained on the main drive, which is what makes me think this was the problem.