File Permissions, Recommended Setup Advice

Status
Not open for further replies.

HandsomePaul

Cadet
Joined
Sep 21, 2018
Messages
2
Hi guys, new to FreeNAS but figuring things out pretty well. My only issue is with the file permissions, specifically on the datasets.

So I have this setup for a testing environment built as a mock small business office with multiple users and departments: everyone in sales would have access to just the sales folder, finance only the finance folder, and management would have access to every folder except root IT stuff.

I feel I understand the role of groups, as they can technically be linked 1 to 1 with the departments themselves, with the users within those groups being the identities of the users who log in with them.

My question is: if I set the group to its corresponding department, then what is best practice when it comes to setting the "Owner" of the datasets? Should I leave that as root or set it to the I.T. Admin who set up the dataset? If I set the owner to one person, say 'John' in the 'Sales Group', does 'Mary' in the 'Sales Group' still have access? Will the SysAdmins or 'Management' still be able to access?

Maybe my design is off and I need to retool the whole thing but figured this would be a good place to get ideas.

Thanks for any thoughts
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
I would set the owner as root. For any more complex permissions, such as a group that is read-only and a group that is r/w, you will need to use ACLs. If you are using SMB and set the permission type on the dataset as Windows, you can manage the permissions from Windows by right-clicking -> Properties -> Security tab. For a larger environment, you would want to have a directory service like Active Directory and have FreeNAS authenticate users/groups against that.
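
An added example, not part of the thread: a small model of classic Unix owner/group/other evaluation, applied to the owner and group question above. The user names, uids, gids and the path are constructed, and it models mode bits only, not the ACLs recommended in the reply.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triplet

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset

@dataclass(frozen=True)
class Dataset:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # octal mode, e.g. 0o770

def allowed(user, ds, want):
    """Exactly one class applies: owner, else group, else other."""
    if user.uid == 0:
        return True  # root is not restricted by read/write mode bits
    if user.uid == ds.owner_uid:
        bits = (ds.mode >> 6) & 7
    elif ds.group_gid in user.gids:
        bits = (ds.mode >> 3) & 7
    else:
        bits = ds.mode & 7
    return bits & want == want

# Constructed sample identities (hypothetical uids/gids).
SALES, MGMT = 1001, 1003
root = User("root", 0, frozenset({0}))
john = User("john", 2001, frozenset({SALES}))
mary = User("mary", 2002, frozenset({SALES}))
boss = User("boss", 2003, frozenset({MGMT}))

# Same dataset with two candidate owners; the path is a placeholder.
owned_by_root = Dataset("/mnt/tank/sales", 0, SALES, 0o770)
owned_by_john = Dataset("/mnt/tank/sales", john.uid, SALES, 0o770)
# Edge case: the owner class wins even when it grants less than the group.
owner_locked = Dataset("/mnt/tank/sales", john.uid, SALES, 0o070)

def report():
    """Return {(user, owner label): can read+write} for the cases above."""
    cases = {"root": owned_by_root, "john": owned_by_john}
    return {(u.name, label): allowed(u, ds, R | W)
            for label, ds in cases.items() for u in (john, mary, boss, root)}

if __name__ == "__main__":
    for key, ok in report().items():
        print(key, "rw" if ok else "denied")
```

With mode bits alone a dataset carries a single group, so the management account is denied in both layouts; granting a second group access is where ACLs come in.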
 

HandsomePaul

Cadet
Joined
Sep 21, 2018
Messages
2
Okay, so I started playing around with the ACLs instead. My admin account works when I log in to my shares, and I'm able to add my lower-privilege 'backup_users' account and the required permissions to the share, but whenever I then try to access the share with that low-privilege account I can log in, but then it tells me I don't have privileges to access the share. The dataset for this share is set to the Windows default permissions 'root' 'wheel' as you suggested.

I'm not sure what I'm possibly doing wrong. Do I need to add an aux. group to my 'backup_users'? I'm trying to give that one user access to only that one share, with only read/write and no ability to change permissions.

Been working on this for days on and off and spinning my wheels a bit, thanks.
 