Giving access to a single folder inside a dataset to a different group

Status
Not open for further replies.

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
Hello,

I'm currently testing permissions so that I can set up my shares as I need for our office. We have a share called management, wherein all the important manager-only stuff resides. Only certain users have access to that share.
Now, I want to create one folder/dataset, inside of management, where managers have access to read if needed, but is only accessible to another group of users. Not giving them access to the entire management share basically.

What I've tried so far:
I've created a new dataset inside the existing management one and made a Windows share of it.
I've set the owner of this dataset to a different group.
I've created a new user inside this new group.

Basically, I want to have a folder for all the accounting stuff, that managers can still have access to, inside their main share, but not accountants to management shares.

My problem right now is, neither management users nor new group users can access that share. I've even tried to select a single user, that isn't inside the management group as the owner, to get access to the folder and it doesn't work.

I'm sure someone has already done this before, but I'm not able to find it right now. Any help would be welcome.

LE: The only setup that seems to work so far, is if the user is part of both groups. So management would be able to access accounting, and the accounting share. But someone who only is inside accounting, can't access the accounting share.
 

Pezo

Explorer
Joined
Jan 17, 2015
Messages
60
I'm sure someone has already done this before
I'm not so sure about that. At least with Unix permissions what you want to do isn't possible.
You need access to the parent folder to be able to access something (otherwise you wouldn't know it's there in the first place).
 

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
I'm not so sure about that. At least with Unix permissions what you want to do isn't possible.
You need access to the parent folder to be able to access something (otherwise you wouldn't know it's there in the first place).
I assumed that because I'm making a completely separate share through Samba, that I can get access just to that folder, but it sure doesn't seem to work for now.

I've seen this done inside other companies, and that's why I thought I can do it with FreeNAS.

EDIT: Thank you, Pezo! Thank you very much!
You pointed me in the right direction and I figured it out. On the main dataset, with Unix permissions I just enabled the execute right for others. So people can browse the folders, but can't read anything. The accounting users don't get access to management, but they now do get access to their accounting share. I'm going to test this out a bit more, but it seems to work now.
 

Pezo

Explorer
Joined
Jan 17, 2015
Messages
60
The accounting users, don't get access to management, but they now do get access to their accounting share.
But they do have access to file names, right? They just can't read them?
 

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
Nope, they can't even access the main share. They can only access their own share. You can use the same style of permissions to create an "empty" FTP, that still has files inside it. Without read rights you can't list the contents, but you can go to a location if you already know the exact path.

We use this style of FTP permissions to share files with clients, but no individual client can see the contents of the FTP.

Edit:
Here's what Execute does to folders:

Execute
Executing a directory doesn't really make sense, so think of this as a traverse permission.

source
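
Added example, not part of the original posts: a small Python model of the Unix rule discussed above, where x on a directory means "traverse" and r means "list names". The uids, gids, modes and the /mnt paths are constructed assumptions, the manager is assumed to be in both groups (the setup the first post reports as working), and ACLs and root's bypass are ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o771

@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset

def _bits(node, user):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if user.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in user.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_traverse(tree, path, user):
    """Entering a directory needs x on it and on every ancestor in the path."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        if not _bits(tree["/" + "/".join(parts[:i])], user) & 1:
            return False
    return True

def can_list(tree, path, user):
    """Listing names needs r on the directory itself, plus x along the path."""
    return can_traverse(tree, path, user) and bool(_bits(tree[path], user) & 4)

# Constructed layout (assumption): group ids and modes chosen for illustration.
MGMT, ACCT = 2001, 2002
TREE = {
    "/mnt": Node(0, 0, 0o755),
    "/mnt/management": Node(0, MGMT, 0o771),             # others: x only
    "/mnt/management/accounting": Node(0, ACCT, 0o770),  # accounting group only
}
# Same layout before the fix: others have no bits at all on the parent.
TREE_BEFORE = {**TREE, "/mnt/management": Node(0, MGMT, 0o770)}

manager = User(1001, frozenset({MGMT, ACCT}))  # assumed member of both groups
accountant = User(1002, frozenset({ACCT}))
```

The x bit on the parent only hides names: anything under /mnt/management is still governed by its own mode bits, so each child needs restrictive permissions of its own.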
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
Best practice in permissions tells that for every share/folder/dataset you create two groups, a rw and ro one (ex. mngmt_rw and mngmt_ro) and assign permissions accordingly. So you need only to put the users in the appropriate group according to the access they need.

On SMB shares on FN after the root share you can create other folders in Windows and use a root account (or any user with rw access to the root share) to change permissions in the Security tab of the folder properties according to your needs.

Hope this helps.
 

Pezo

Explorer
Joined
Jan 17, 2015
Messages
60
nope, they can't even access the main share. They can only access their own share. You can use the same style of permissions to create an "empty" ftp, that still has files inside it. Without read rights you can't list the contents, but you can go to a location if you already know the exact path.

We use this style of FTP permissions to share files with clients, but no individual client can see the contents of the ftp.

Edit:
Here's what Execute does to folders:

Execute
Executing a directory doesn't really make sense, so think of this as a traverse permission.

source
Didn't know that, makes sense though.

Best practice in permissions tell that for every share/folder/dataset you create two groups, a rw and ro one (ex. mngmt_rw and mngmt_rw) and assign permissions accordingly.
But the share/folder/dataset, let's call it object... but the object can only belong to one group, right? How do you assign two groups?
Sorry for the many questions, I don't have a FreeNAS setup to play with currently.
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
but the object can only belong to one group, right? How do you assign two groups?
Yes, it belongs to only one group (let's say wheel/root group) but the owner can assign access permissions to other groups/users. So you have the owner (the admin/root group) and two other groups, rw and ro. Any time you need to give a user access to that share you only need to add that user in the appropriate group, rw or ro. That's it.
 

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
Yes, it belongs to only one group (let's say wheel/root group) but the owner can assign access permissions to other groups/users. So you have the owner (the admin/root group) and two other groups, rw and ro. Any time you need to give a user access to that share you only need to add that user in the appropriate group, rw or ro. That's it.

I would definitely like to give RO or RW rights to users, but how exactly do you set this up with FreeNAS? In the backend you can only select one group or one user to be the owner of that particular dataset. I don't remember seeing an option to add more groups/users.
 

Pezo

Explorer
Joined
Jan 17, 2015
Messages
60
Yes, it belongs to only one group (let's say wheel/root group) but the owner can assign access permissions to other groups/users. So you have the owner (the admin/root group) and two other groups, rw and ro. Any time you need to give a user access to that share you only need to add that user in the appropriate group, rw or ro. That's it.
You're talking about Windows permissions, right? Because with Unix permissions there's only ever one group and one user.
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
Take a look at this. It tries to make things clear. This also can help.
 

Pezo

Explorer
Joined
Jan 17, 2015
Messages
60
Thanks for the links, this clears up a lot.
 