How to Setup Advanced Share Permissions on Synology NAS (Windows ACLs)

  • Published: 24 Dec 2024

Comments • 27

  • @raybr1727
    @raybr1727 1 year ago +4

    Been there done that in Windows World. Permissions management can be a runaway train as a user base grows from 10’s to 1000’s. You need to start with a good plan, good naming conventions, templates and of course backups and snapshots when things go wrong. Some people may think granular permissions are overkill, but when one of those 1000 users gets malware you don’t want them to encrypt every file in the company! Thanks for what you do, one of my favorite channels for home lab stuff in retirement!

  • @EARON
    @EARON 9 months ago +1

    EDIT: I've included the clarification from Synology down below. Here's my original question/post that I've seen others wonder about as well:
    I can’t seem to figure out what precisely one stands to gain by enabling advanced share permissions given that I have the ability to set permissions on individual folders anyway by right clicking on a folder -> properties -> permission. (I’ve only tried this on a Mac when mounting over SMB so far, if that has anything to do with it)
    In what exact circumstances does one actually have to check the “advanced share permissions” box?
    What I’m starting to guess from the language in the Synology articles about this is that the advanced share permissions actually ONLY affect the shared folder itself(?), and the “regular” way of setting ACL permissions on files and sub folders by clicking into properties does actually not have any connection to “advanced share permissions” being turned on or off on the shared folder itself (other than the fact that permissions from the shared folder have to be actively “passed on” to whomever you want to grant permission to in advanced share permissions)?
    Maybe a better way of phrasing my current confusion regarding the above concept if permissions actively have to be “passed on” would be: Is it true that when enabling advanced share permissions, the permissions from the shared folder are in fact “filtered” down (instead of being additive, as my understanding is that things otherwise are in DSM)? Example:
    User 1,2,3 & 4 all have RW permissions to a shared folder. However, in the advanced permissions settings in the shared folder, only a group containing user 2&3 gets granted RW access. In this case, user 1&4 are actually “filtered” out, and will not have RW access (as they would have otherwise had if this was merely permissions in a folder and a sub folder inside of the shared folder in question.)
    Is this correct? Is this the only point of enabling advanced share permissions?…
    Thanks for all your work Spacerex!🙏
    Response from Synology's support, where I asked an almost identical question:
    Advanced share permissions provide a layer of control over the access to shared folders on your NAS, separate from the file and subfolder level permissions set through the properties menu. Here's a brief overview to help you understand their application:
    When to Use Advanced Share Permissions: Advanced share permissions are particularly useful when you need to manage access at the shared folder level more granularly. This is especially relevant in environments where multiple users or groups require different levels of access.
    How It Works: Enabling advanced share permissions allows you to set permissions that apply specifically to the shared folder itself. These permissions can then be 'passed down' to users or groups as per your configuration. It's important to note that these settings can override individual file and subfolder permissions within the shared folder, providing a more streamlined management approach.
    Example Scenario: In your example, where users 1, 2, 3, and 4 have read/write permissions to a shared folder, but only a group containing users 2 and 3 is granted read/write access through advanced permissions, users 1 and 4 would indeed be 'filtered out'. They would not have access despite the broader permissions set at the file or subfolder level.
    This mechanism allows for more precise control over who can access what within your shared folders, making it an essential tool for administrators looking to enforce specific access policies.
    EDIT 2 - Just further sharing my experience when troubleshooting and testing this out:
    I think I somehow in the beginning successfully managed to accomplish restricting individual access to certain folders for some users by setting permissions on the shared folder plus on the individual folder and subfolder levels, when mounting over SMB, without having Advanced Share Permissions turned on. For some strange reason it seemed to work the first time I tested it (I might have missed something there ofc), but then seemingly out of nowhere - as is also stated by the Advanced share permissions button - Advanced shared permissions seemed to be needed for permissions to work as expected when mounting over SMB; it was brought to my attention when a Shared Folder was mounted over SMB and a sub folder that wasn't supposed to show up was suddenly there with RW permissions over that SMB mount, all while the same sub folder wasn't visible via File Station when logged in as that user.

  • @geoffc7941
    @geoffc7941 1 year ago +2

    Great tutorial. You really clarified the "Make inherited permissions explicit" option, thanks!

  • @brianhansen6906
    @brianhansen6906 1 year ago

    Thanks for the video! I can’t count how many hours I spent messing with permissions trying to set up my NAS. Idk why it was such a difficult concept for me, but it was. And I was finally successful. I wish I had seen this video beforehand; it would have made life much easier.

  • @jespinala
    @jespinala 1 year ago +2

    Sir, many thanks for a great video. I was doing the process you suggested and it worked!! But afterwards I noticed I had forgotten to check "Enable advanced share permissions". So is this option not really needed to have one volume for multiple users with permissions set per folder? Or perhaps that is needed for Windows users only? I have tested on Mac only. I am using 7.2.1-69057.

    • @EARON
      @EARON 9 months ago +1

      Very good question, I’m also curious. I can’t seem to figure out what precisely you gain by enabling advanced share permissions given that one has the ability to set permissions on individual folders anyway as per how Will shows at 12:23. But again I’ve also only tried this on a Mac when mounting over SMB
      @spacerex, in what circumstances does one actually have to check the “enable advanced share permissions” box? :)

  • @diegoescudero91
    @diegoescudero91 1 year ago

    Hey! Keep up the good work!
    Any chance we will see Part 3 of the photography videos soon?

  • @maxbarko8717
    @maxbarko8717 1 year ago

    Hi Will, thank you for all your help! It would help if you could zoom into the DSM window you are showing, as it will be easier to read.

  • @davidpeehikuru5039
    @davidpeehikuru5039 3 months ago +1

    You are my Synology MAN. Cheers. I've also just installed a new DS923+ but advanced permissions has been disabled in the setup so I cannot access that facility :-(.

  • @Emulives
    @Emulives 1 year ago

    I'm still having trouble with photo files on my DSM. Some thumbs do not appear in the folders. And it is not on all stations. In File Station and Photos, they always appear OK. I have to reboot to go back to normal.

  • @petersmith2960
    @petersmith2960 2 months ago

    So how does the new user access the NAS on a MacBook?

  • @TheAllroth
    @TheAllroth 1 year ago

    Is there any YouTube video on the problem with file and directory permissions changing when copying to/from a Linux system? Also, all files created have 777 permissions.

  • @dascorp1
    @dascorp1 11 months ago

    Is it possible to grant permissions to subfolders? Ex. Share has many project folders, each with a subfolder, Finances, Documents, and Drawings. So executives have access to finances, but employees only have access to drawings and documents. Do we have to set it up for every project?

    • @SpaceRexWill
      @SpaceRexWill 11 months ago +1

      This is exactly what this video goes over.

    • @dascorp1
      @dascorp1 11 months ago

      @SpaceRexWill It's a manual and laborious process, then, if we do it for every project subfolder. I believe a shell script is the way to go, probably run directly on the NAS. Currently, I have a .bat script on PC, which generates a project folder with all subfolders in my main Projects folder. I wish it did automated permissions as well.

  • @flakieflake9616
    @flakieflake9616 3 months ago

    Everyone on these tutorials appears to think that because it's about a NAS, that is strictly all it can cover. Even Synology in their DSM manual only covers the NAS itself and nothing else. You set up the NAS, but then don't go on to show how the new or newly permissioned user gains access to the NAS from a remote computer. There appears to be not a single video tutorial on YouTube which shows how to set up the newly created user account from the permissioned computer.

  • @4tusachaolam
    @4tusachaolam 7 months ago

    Can you make a video on how to delete the main folder and account folder from a TerraMaster NAS?

  • @Red_Snappa
    @Red_Snappa 1 year ago

    This is really interesting. One question though...what about the Basic three groups (admin, https & users)....why not just utilize those?

    • @mstrmnd23
      @mstrmnd23 1 year ago

      Those groups are already used for other purposes. Admins have many additional administrative rights to the NAS. You wouldn't want to use this for basic file/folder permissions. I would consider it best practice to set up dedicated groups for file sharing. This allows you to provide explicit access to shares, without modifying permissions to any other areas of the NAS (application access, etc).

  • @robinmoret
    @robinmoret 1 year ago

    Hi Will, and thanks for the video. Still, I have one question: as permissions, permissions inheritance, etc. could be defined/modified for each folder or file whatever the status of the checkbox "Enable advanced permissions", could you tell us the difference in behavior when it is not checked vs when it is? Thanks

    • @SpaceRexWill
      @SpaceRexWill 1 year ago +1

      So you should check it if you are going to be modifying the permissions. If you don't check it, and modify the permissions, then I think the Synology apps will respect the permissions, but SMB will not.
      It's not a case that should exist, so I would check it if you customize permissions.

    • @mstrmnd23
      @mstrmnd23 1 year ago

      @SpaceRexWill I'm not sure that's accurate regarding SMB.
      First, thanks for all your videos! I reference them often.
      It seems like I have accomplished everything you did here, by only using regular DSM permissions. I have a share \\NAS\Private\Documents\WorkBackup. I have a dedicated user account set up, and have provided it read/write access to the WorkBackup folder, but only read access to the previous parent folders. By using the option to hide the folders the account lacks permission to, I can use SMB in Windows to back up my work computers to the WorkBackup folder with no access or visibility to any other personal folders except the parents themselves.
      It does not seem to work the same as the way Windows uses share vs NTFS permissions, where share permissions are less granular, and NTFS permissions are done at the filesystem level. It seems to be geared toward specific use cases where you may want additional controls depending on the protocol used for access. According to Synology, Advanced Share Permissions apply to Windows File Sharing, Apple File Sharing, File Station, FTP, and WebDAV. I think it's an additional layer of controls, but maybe should be avoided for the simplified use case you have presented.
      Let me know if you try the same setup with basic DSM permission. Maybe I'm missing something. Thanks!

    • @EARON
      @EARON 9 months ago

      @mstrmnd23 I managed to accomplish this as well by only setting permissions on the shared folder plus on the individual folder and subfolder levels. For some strange reason it seemed to work the first time I tested it (I might have missed something there ofc), but then seemingly out of nowhere - as is also stated by the Advanced share permissions button - Advanced shared permissions seemed to be needed for permissions to work as expected when mounting over SMB; it was brought to my attention when a Shared Folder was mounted over SMB and a sub folder that wasn't supposed to show up was suddenly there with RW permissions over that SMB mount, all while the same sub folder wasn't visible via File Station when logged in as that user.

  • @IntoxicatedVortex
    @IntoxicatedVortex 1 year ago +5

    I have to say I'm not a big fan of Method 1, whereby by default people have access. Mainly because it's easier to make a substantive mistake. With Method 1 an error will result in someone having access they shouldn't have access to. With Method 2 an error results in someone not having access that should. Additionally, with Method 1 the result of someone not telling you there's an error is they have access to things they shouldn't… potentially for a very long time. With Method 2 you'll be told of an error in all of 5 seconds. And again, with Method 1 it is up to the administrator to do validations of access to confirm they've done the right thing, whereas with Method 2 the employee will do the validation because you'll get an "I can't see…".

  • @GeekendZone
    @GeekendZone 1 year ago

    Excellent, we need a Proxmox tutorial from you ASAP 😊

  • @jdb6284
    @jdb6284 1 year ago +2

    Perfect for hiding porn on the home synology

  • @BARANIKARUNAKARAN
    @BARANIKARUNAKARAN 7 months ago

    Swamiji, pls remove all my obstacles in business and other challenges, please be with us and help us to grow the business here in the USA. Help us to manifest our wishes and dreams to come true.