Recommended way of setting different permissions to folders inside SMB shared Dataset + Access Based Enumeration?

How would you do it?

  • 1. Create a new Dataset in the existing one - enabling ABE will be OK

  • 2. Create the folder and set permissions from Windows client - enabling ABE will be OK

  • 3. Enabling ABE will cause conflicts / other problems, so create a new Dataset and SMB share

  • 4. I suggest something else (please specify in a comment)



tauronux

Dabbler
Joined
Oct 15, 2022
Messages
19
Hello there,

I have a simple TrueNAS Core installation with one Dataset and SMB share for 16 Users - all members of a group with R/W permissions. All clients are using Windows computers and have the shared folder mapped as a network drive.

Now I need to create a new folder inside the SMB share, with access permissions for only 5 out of the 16 users, and move some folders and files, which are already on the SMB share, into this newly created folder. On a Windows Server share I would normally do it by creating a new security group of users, creating the folder inside an access based enumeration-enabled share (to show it just to the group of users with permissions to access it) and setting up the permissions for that folder accordingly. IMO it's the most convenient way of doing it, as I don't have to create separate shares, mapping drives etc. And the data are all in one place.

But with TrueNAS I feel like setting permissions from a Windows client machine is not the way it was meant to be done, so I'm torn between these 2 options:

1. Creating a new Dataset inside of the existing one and giving R/W permissions only to a newly created group of users from TrueNAS web-interface
2. Creating a new folder and setting permissions from a Windows client machine (with a new Group of users created on TrueNAS of course)

How would you do this considering also Access Based Enumeration (ABE) and possible future disaster data recovery?

Bonus question about ABE:
I don't have it currently enabled for the shared folder. If I enable it, could it possibly cause any conflicts after moving some of the currently existing files and folders inside of the new one (basically moving folders with R/W permissions set to all users, into a folder with restricted access for just a couple of users)? If so, would you recommend creating a separate dataset and SMB share instead?

Thanks in advance for any suggestions.
 
Joined
Jul 3, 2015
Messages
926
I manage most/all my permissions for SMB shares on TrueNAS via a Windows client as I just find it easier. I use groups in Active Directory and apply those groups to datasets or even folders within the datasets. I create modify groups and transition groups for each dataset/folder that requires a different set of permissions. Modify has modify access to the folder and all sub-folders and transition group has read and execute for just that folder only. I then nest the groups making both modify and transition a member of the parent transition group.

If I have a folder that only some people need access to but a lot more have access to the parent folder I simply disable inheritance on that folder and add those specific users to the new modify permission group for that folder. Even if they are not members of the parent folder they still gain access via the nested transition groups without being able to see any data within the parent folders.

I have run this setup for many years with thousands of AD groups and it works very well.

Hope this helps.

PS: I should add that I use AD for authentication so don't create users on TrueNAS.
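
The nested modify/transition layout described in the post above, written out as `icacls` calls run from a Windows client. This is an added example, not part of the original thread: the share path, folder, domain and group names are hypothetical placeholders, and it assumes the AD groups already exist and the account running it has Full Control on the share.

```powershell
# Added example. Every name below is a hypothetical placeholder.
$Share   = '\\truenas\data'               # existing SMB share root
$Folder  = Join-Path $Share 'Restricted'  # folder only some users may open
$Moved   = Join-Path $Folder '*'          # content moved into that folder
$Domain  = 'EXAMPLE'
$Admins  = "$Domain\NAS-Admins"           # keeps Full Control for administration
$Modify  = 'Restricted-Modify'            # users who work inside the folder
$Transit = 'Restricted-Transition'        # traverse-only group for the folder
$ParentTransit = 'Data-Transition'        # transition group of the share root

function Invoke-Icacls {
    # Run icacls and stop on the first failure so a half-applied ACL is noticed.
    param([string[]]$IcaclsArgs)
    & icacls.exe @IcaclsArgs
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')" }
}

# 1. Nest the groups: the folder's modify and transition groups become members
#    of the parent transition group (needs the ActiveDirectory module).
Add-ADGroupMember -Identity $ParentTransit -Members $Modify, $Transit

# 2. Parent transition group: Read & Execute on the share root only.
#    No (OI)/(CI) flags, so the ACE is not inherited by anything below it.
Invoke-Icacls $Share, '/grant', "$Domain\${ParentTransit}:(RX)"

# 3. Create the folder and add explicit ACEs BEFORE cutting inheritance,
#    so the administrators never lose access to it.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Invoke-Icacls $Folder, '/grant', "${Admins}:(OI)(CI)F"
Invoke-Icacls $Folder, '/grant', "$Domain\${Modify}:(OI)(CI)M"  # folder, subfolders, files
Invoke-Icacls $Folder, '/grant', "$Domain\${Transit}:(RX)"      # this folder only

# 4. Disable inheritance and drop the ACEs inherited from the share root,
#    which removes the wider R/W group's entry from this folder.
Invoke-Icacls $Folder, '/inheritance:r'

# 5. Once existing data has been moved in, reset it to inherit from the new
#    parent, in case moved items kept the ACEs from their old location.
if (Get-ChildItem -Path $Folder) { Invoke-Icacls $Moved, '/reset', '/T', '/C' }

# 6. Review the result: expect only the three explicit entries granted above.
Invoke-Icacls $Folder
```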
 

tauronux

> I manage most/all my permissions for SMB shares on TrueNAS via a Windows client as I just find it easier.

So that's one vote for setting it up from a Windows client. I don't have an AD on this particular site just yet, but your solution, in general, seems really easy to follow. Thanks for sharing!
 