Trouble limiting subfolder access to users/groups

Goal: To use Synology Drive for users to access files on the NAS. Problem: Permissions work when users use Synology file access products AND when mapping a drive. But, permissions don’t have an effect when using Windows File Explorer so users can bypass the Deny Permissions.
Here’s my situation: Users need access to the folders designated for their department. But, some users shouldn’t be able to access some folders. For example: The Accounting folder contains subfolders “General” and “Financial.” The users in grpAcct_Lvl5 can only access the Accounting\General folder and all subfolders. I would prefer they not even be able to see the “Financial” folder. The users in grpAcct_Lvl9 should be able to see and access all folders within Accounting. I’ve set up the permissions and they work when accessing the folders through Synology tools. But, users can bypass permissions through Windows file explorer.

So when you say users can bypass the permissions through Windows File Explorer, check a couple of things:

  1. All users are signed in with their own accounts (just in case, I have seen it before)
  2. Make sure that Advanced Share Permissions is enabled on the shared folders
  3. Make sure that SMB settings do not allow users to bypass shared folder traversals
  4. You can also select hide folders from users who do not have permissions

I would bet #2 is it


I really appreciate your reply. #1 - Got it. User is logged in on her PC and is in the “restricted” group (which means she’s on to enter Accounting and preferably should only be able to see the “General” folder). #3 - I don’t see this “folder traversal” in the SMB settings, so not sure what to check here. #4 - “Hide folders from users…” this I already had set.
So, that leaves me with your “bet” #2 - I did Not have this (Advanced Share Permissions) enabled before. It is enabled now.
Results are interesting (all of these using File Explorer ’cause that’s just what they know and will use):
I mapped the share to N: Works perfectly! Sees General only.
Same from \\SynDeviceName (or network).
From the Synology Drive icon added when a Task is set up: The user can still see the restricted folder “Financial” (as well as General) in Accounting but there is no cloud icon indicating it is not syncing. Also, if the user enters the Financial folder (which she can do) she sees no subfolders or files. So, I guess this is OK. Would still desire she couldn’t even see it but this definitely gets the job done.
Now, I can remove the Mappings and allow Synology Drive to handle the syncing and get the benefits of working from the user’s PC.
Thanks so much!


Happy to help! I think you are able to edit the ACLs without enabling Advanced share permissions, just never tested out to see what would happen!


A couple of other things:
1 - Sorry, what is ACL?
2 - I have another user who is over HR and also needs access to the Accounting\General folder (but is denied access to Accounting\Financial). This works great.
As a reminder, I’m using 1 share, CSCS Drive and controlling user access by folder.
She has access to her \HR folder under the same share.
I’m trying to move existing folders from her PC to the new Synology Drive share.
Here’s the problem:

  • when she copied Folder1, which contains several subfolders and files, to the HR folder, on her PC it looks like the structure gets copied but they don’t get synced. A hover message says “Excluded (not synced)”. It doesn’t sync given more time, either.
  • when she copies the same folder to her own Home, which is mapped to her PC as “H:” the files copy and sync.

Is this a permission problem, quota, …? btw, I added her to Administrators group just to see if that helped.

Thanks for your help!

Forgot to mention that she can create a new folder within HR and it syncs. She can also copy single files/folders and they sync. I created 5 nested, empty folders and copied them, and they synced. So, this must not be a permissions thing, but quota, number of files at one time?