March 08, 2022
Most modern file sharing platforms give each user a ‘private’ space for documents. Users can freely share individual files or folders whenever they want, and control the access rights if they want. When somebody shares files with them, these are added to their document list, usually with a little share icon or the avatar of the owner. Users have the freedom to re-organize their own files, including the ones shared with them.
This flat, user-centric way of sharing allows low-friction, direct collaboration within the organization but also across its borders, as most solutions allow making documents or folders public. Users are empowered to decide who gets to work with them and how, without needing heavy oversight or top-down decision making. This is a better fit with the flexible, fluid demands of modern organizations. To ensure compliance, Nextcloud offers a rule-based file access control feature with Flow.
Before this flat way of sharing, network filesystems would effectively be a single ‘drive’ shared with the entire organization: a single folder structure, where everybody often had their own little space (their home directory) alongside many shared folders and files. A major difference between the folder tree ruled by system administrators and the user-centric view is the use of access control lists (ACLs) in the ‘old’ world.
In computer security, an access-control list is a list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. In the world of files and file systems, “the privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute” a file. These ACLs allow an admin to share a folder with all users while changing the access rights on sub folders, on folders within those folders, and so on. This makes it possible to have read-only access to a top folder, write access to a sub folder, read-only access to a folder inside that one, and so on. This was a crucial feature to make the “single large shared drive for all organization members” model work.
Available for configuration are Read, Write, Create, Delete and Share permissions, each of which can be set to ‘inherit’, ‘allow’ or ‘deny’ for each user or group for each file and (sub)folder in a group share.
To set up a group folder with ACLs, the administrator enables the Group Folders app, creates a group folder and selects the groups that should have access to it. Make sure the admin who has to set up the permissions is included. Then, enable the ‘advanced permissions’ setting.
In the Files app, go to the group folder and look at the sharing view. There will be a group folder permissions view, where you can specify permissions. Use the ‘Add advanced permission rule’ button to add a rule.
You now pick from a list of all groups and users who have access to the group folder and can then set the fine-grained permissions. Note that ‘inherit’ is the default, and by removing the rule with the ‘x’ on the right you can return to the permissions inherited from the parent folder.
Users can see what their rights are, but not modify them, unless they are part of the users and groups who have permission to manage the ACLs.
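The inherit/allow/deny behaviour described above, and the read-only top folder with a writable sub folder from the ACL explanation, can be modelled to review a rule set before applying it. This Python model is an added example, not code from Nextcloud or the Group Folders app: it assumes a single user or group, assumes that a rule on a folder overrides the value inherited from its parent, and the folder names and the `effective` and `regrants` helpers are made up for illustration.

```python
# Simplified model of inherit/allow/deny resolution for ONE user or group.
# Constructed for illustration; not the Group Folders app's own code.
PERMS = ("read", "write", "create", "delete", "share")

def effective(path, rules, root_grant=PERMS):
    """Resolve permissions for `path` by walking down from the group folder root.

    rules maps a folder path to {permission: "allow" | "deny" | "inherit"};
    a permission missing from a rule, or a folder with no rule, means "inherit".
    """
    result = {p: p in root_grant for p in PERMS}
    parts = [s for s in path.strip("/").split("/") if s]
    for depth in range(1, len(parts) + 1):
        rule = rules.get("/".join(parts[:depth]), {})
        for perm, state in rule.items():
            if perm not in PERMS or state not in ("allow", "deny", "inherit"):
                raise ValueError(f"bad rule entry {perm}={state}")
            if state != "inherit":  # inherit keeps the parent's value
                result[perm] = (state == "allow")
    return result

def regrants(rules, root_grant=PERMS):
    """List (folder, permission) pairs where 'allow' re-opens what the parent denies."""
    found = []
    for folder in sorted(rules):
        parent = folder.rsplit("/", 1)[0] if "/" in folder else ""
        before = effective(parent, rules, root_grant)
        after = effective(folder, rules, root_grant)
        found += [(folder, p) for p in PERMS if after[p] and not before[p]]
    return found

# Constructed sample: read-only top folder, writable sub folder, read-only below it.
READ_ONLY = {"write": "deny", "create": "deny", "delete": "deny", "share": "deny"}
SAMPLE_RULES = {
    "Projects": READ_ONLY,
    "Projects/Drafts": {"write": "allow", "create": "allow"},
    "Projects/Drafts/Archive": {"write": "deny", "create": "deny"},
}

if __name__ == "__main__":
    for folder in ("Projects", "Projects/Drafts/2022", "Projects/Drafts/Archive"):
        allowed = [p for p, ok in effective(folder, SAMPLE_RULES).items() if ok]
        print(f"{folder}: {', '.join(allowed)}")
    print("re-granted below a deny:", regrants(SAMPLE_RULES))
```

The `regrants` list is the part worth reviewing by hand: each entry is a folder where access widens again below a more restrictive parent.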