SMB Share Design Advice - granular shadow copies control

[ezekiel.incorrigible]

I'm designing the smb share for an office with about 50 user accounts each with various levels of overlapping access to different folders/datasets on the share. I understand that, if I configure a single share on the root dataset and then set the correct permissions on the child datasets, each logged-in user will only see the folders that they have the permission to read (?) - this is nice in that it gives the users an uncluttered view of the share. It would also be nice if I could allow every user to be able to 'roll back' ie. regress shadow copies / ZFS snapshots on their own directories without affecting others. However, I read in the docs (http://doc.freenas.org/11/sharing.html#configuring-shadow-copies) that "Datasets are filesystems and shadow copies cannot traverse filesystems. To see the shadow copies in the child datasets, create separate shares for them."

So is the only way to give every user the ability to independently roll back their own data by creating 50 different SMB shares? (I don't mind the labour involved although it is pretty tedious, it's more a case of not wanting to flood the 'network places' with clutter.

 

[Ericloewe]

if I configure a single share on the root dataset

Understand that that is a truly horrible idea. Do not ever share the top-level dataset via SMB, unless you want things to break. You can however do this safely by just sharing a non-top-level dataset.

each logged-in user will only see the folders that they have the permission to read

Yeah, I don't have a good setup to double-check that for you, but that sounds right.

So is the only way to give every user the ability to independently roll back their own data by creating 50 different SMB shares? (I don't mind the labour involved although it is pretty tedious, it's more a case of not wanting to flood the 'network places' with clutter.

You can script it with the API to make things more manageable. As for clutter, I'm pretty sure you're only shown shares you have read permissions for, so it shouldn't be too bad.

 

[ezekiel.incorrigible]

Understand that that is a truly horrible idea. Do not ever share the top-level dataset via SMB, unless you want things to break. You can however do this safely by just sharing a non-top-level dataset.

Good to know, thanks for the tip

As for clutter, I'm pretty sure you're only shown shares you have read permissions for, so it shouldn't be too bad.

Windows does appear to show all available SMB shares in 'network places' before you even attempt to log in to anything. guess it doesn't matter too much if the users find their share and map it to a network drive.