Group folders usage - a use case review

[moritzthecat]

How to use GitHub

• Please use the 👍 reaction to show that you are interested into the same feature.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Group folders usage - a use case review

Used setup NC 29.0.3 community on webspace, group folders 17.0.1.

First let me appreciate the work being performed on this important topic.

This post is the intend to review of an example workflow.
Please comment and suggest better ways to achieve the following requirements to create an easy to use and robust workflow:

• Share files with individual clients isolated from each other.
• Provide full access to internal groups as needed.
• Control of all access rights by client/internal folder/files.
• Tagging and commenting by clients with read only access.
• Folders within the tree only visible and accessible by internal own staff.

So far have tried following approaches:

• Share link -->no tagging nor commenting possible by clients.
• Guest account --> commenting possible but no tagging even if clients are given read, write and create permissions. Allow guests to add Collaborative tags to shared files guests#1052 (comment)
  Though very nice feature to whitelist usable apps.
• Inspired by this video https://help.nextcloud.com/t/group-folders-advanced-permissions-not-working/69788/16 the 3rd attempt is to use group folders, which is about this post to clarify further esp. the handling of access and inheritance of permissions.

Documentation and content read about group folders:

• https://github.com/nextcloud/groupfolders
• https://help.nextcloud.com/t/group-folders-not-sharing-properly/161639/8
• https://help.nextcloud.com/t/group-folders-advanced-permissions-not-working/69788/16

Issue with restricting group folder access

It took me quite some effort to find out this little but important detail from the group folders documentation that “Denied permissions configured for the group folder itself cannot be overwritten to "allow" permissions by the advanced permission rules.”

To explore in detail in this example the customer group is given read access only.

According to the documentation we then later cannot overrule to give specific customers write access within the directory tree.

So even if we add write access to the folder for a specific customer here

The customer cannot edit, because the group folder permission blocks this.

The workaround in our case an this example is that in group folder permissions we provide full access also to the Customer group and control the access permission later in the advanced settings.

With this knowledge the following workflow seems to give the desired result. But there are issues with this workflow and I would like to get feedback and suggestions on how to further improve.

Example Workflow Preparation

Setup groups that need access to the group folders.

In this example case (inspired by https://help.nextcloud.com/t/group-folders-not-sharing-properly/161639/8) we have three groups for access:

• Admins
• Internal users
• Customers

Setup of these groups and users for testing functionality is needed.

Setup Group Folder(S) in Administration settings

Go Administration settings

On lower left select Group folders

In Group folders setup Groups that need access to the Group folder.

Provide all rights to the three groups and set the Admin group to manage advanced permissions.

NC needs full access on group folder level and we can only limit access rights later if set; cf. above.

Populate the example customer-folder

Select files and then Group folders.

Then enter customer-folder and click on sharing option for this folder. The customer folder had been populated with two folders already.

At this point the customer folder has inherited the group folder access right and therefore customer group has full access.

The inheritance is not transparent at this stage as only dashed symbols are shown.

In next step we enable visibility for user online1, which shall be granted exclusive access rights from customer group for customer-folder1.

Select sharing for customer-folder1.

We further need to disable access for the customer group and set access rights for online1 as needed.

In this example we grant read only right.

In contrast to the guest app (https://github.com/nextcloud/guests), the customer with read only access can participate in tagging and commenting.

Of course now we can give more access right to the customer in case required.

Example with write + create rights, as shown in next picture.

We setup a folder selections, which is only accessible by internal and admin groups.

With this setup the customer cannot see this selection folder.

Current issues with this approach

Creation of a new customer files share takes quite some steps since rights cannot be inherited for this use cases. The required steps need to be made fully concentrated otherwise it is risky to open the group folder unintentionally for unauthorized access.

For the time of creation and adapting the new access right the share is visible and accessible for all other customers, because the read access right is always given through the group folder admin settings (write, share. delete).

Workaround: The name of the folder name must be changed after the access rights have been secured; this is GDPR relevant.

It is advisable to verify the newly created customer share using a dummy customer account.

We may need to setup a dedicated NC instance for this use case because in group folders we cannot limit the apps seen by the clients as provided by the guests app.

Hoping that I have overlooked something to further improve and make this or another approach usable to support this use case for use in a productive environment.

Suggestions

• Provide a template feature at group folder creation to fully define inheritance of access rights and not limited to write, share and delete. Include all rights (Read Write Create Delete and Share).
• Improve UX/UI display (transparency) of the inherited access rights. Display a special icon that shows the detailed inherited access right rather than a dash. E.g. grey symbol that shows the inheritance.
• Adjustable app access by groups like in the guest app.
• Clarify maturity of group folders as raised by What is the state of the "known issues" for groupfolders? #3010.

[jonasgarstick]

Thank you very much for your detailed description. Unfortunately, I don't think you have overlooked anything. That was exactly my criticism, which I also expressed to the Nextcloud (Enterprise) team at this year's Nextcloud Conference.