NAS Permissions

Shared Folders

Shared Folder Permissions

You can specify which users or groups can access, view, or modify a shared folder and its contents. The access permissions of shared folders, as well as individual files and subfolders, can be customized for each user or group.

Windows ACL:

In DSM 5.0 or later version, the access permissions of shared folders are based on Windows ACL by default. Newly created shared folders implement the permissions settings of Windows ACL, which also allows for customizing the permissions of individual files and subfolders. In addition, permissions can be customized via File Station or File Explorer in Windows.

The following shared folders cannot use the Windows ACL permissions management system: photo, satashare, sdshare, surveillance, usbshare.

Advanced share permissions:

Advanced share permissions offer an additional layer of control to manage the access permissions of shared folders. When enabled, users and groups can view or modify the contents of a shared folder only if the user or group has been granted both advanced share permissions and Windows ACL permissions (located at Shared Folder > Edit > Permissions).

Advanced share permissions are applied when a user accesses a shared folder via the following file services:

  • Windows File Sharing,
  • Apple File Sharing,
  • File Station,
  • FTP (incl. SFTP?),
  • WebDAV.

If necessary, you can place further restrictions on users when they access a shared folder via File Station, FTP, or WebDAV:

  • Disable directory browsing: Enabling this option restricts users from viewing the contents of the shared folder.
  • Disable modification of existing files: Enabling this option restricts users from moving, deleting, or modifying files in the shared folder. Please note users will still be able to view, download/upload, copy, or unzip the contents of the shared folder.
  • Disable file downloading: Enabling this option restricts users from downloading the contents of the shared folder.

Note

The above restrictions do not apply to users who belong to the administrators group.

The ‘homes’ shared folder

To make each users /home/ folder visible for its user, without allowing access to the parent /homes/ folder:

  • Open Control Panel
  • Select “File Sharing / Shared Folder”
  • Select the “Homes” shared folder.
  • Click the “Edit” button.
  • Select the “Permissions” tab.
  • Select “Local groups” from the drop-down list.
  • Select the “users” group in the list.
  • Click on “Custom” and allow as follows:
    • Traverse folders / execute files
  • Click the “OK” button
  • Click the “OK” button again.
  • Click the “OK” button again.

User Groups

Shared Folders

To edit a group’s access privileges to shared folders:

  • Select the group you want to edit.
  • Click Edit and Permissions.
  • Tick or uncheck the following privileges to assign access privileges for the group:
    • Read/Write: The group can access and make changes to the shared folder.
    • Read only: The group can access the shared folder, but cannot make changes to it.
    • No access: The group cannot access the shared folder.
  • Click OK to finish.

Note

When you encounter privilege conflicts, the privilege priority is as follows: No access > Read/Write > Read only.

Applications

To edit a group’s access privileges to applications:

  • Select the group you want to edit.
  • Click Edit and go to the Applications tab.
  • For each service, you can choose one of the following options: * Allow: The group can access the application. * Deny: The group cannot access the application. * Custom: Manage access privileges by IP address.
  • Click OK to finish.

Note

When you encounter privilege conflicts, the privilege priority is as follows: Deny > Allow. Not all packages and services support By IP access privilege settings.

User Profiles

With flexible user management options, you can create user accounts for individual members of your family or business. Creating users allows you to define and manage permissions for each person, such as shared folder access permissions, storage quotas, or bandwidth limitations.

User Home

Enable user homes to create a personal home folder for each user, except for guest. All users can access their own home folder via

  • CIFS,
  • AFP,
  • FTP,
  • File Station

Users belonging to the administrators group can access all personal folders located in the homes default shared folder. The name of home folder is the same as the user account. To enable the user home service:

  • Check Enable user home service.
  • If there are multiple volumes, select where you want the homes folder to be stored.
  • Click Apply.

Note

Once the local user home service is disabled, the domain user home service will also be disabled concurrently.

Shared Folders

On the Assign shared folders permissions page, choose what shared folders the new user can access by modifying his access privileges. Privileges priority is as follows: No access > Read/Write > Read only.

  • Preview: This column displays the user’s actual shared folder access privileges, according to current settings and groups to which the user belongs.
  • Group permissions: This column displays shared folder access privileges assigned according to the user groups to which the user belongs.

Applications

On the Assign application permissions page, you can control which services the user can access.

File Services

User Root Directories

Click Advanced Settings, and check Change user root directories. This way, the selected users can only access the specified folders when they log in to DSM via SFTP.

To create a root directory change rule:

  • In Advanced Settings, check Select User.

  • Click Add.

  • In User or group, select whom this rule will be applied to.

  • Select which root directory will be available when the user logs in. Choose from:

    • User home: Users arrive at their home directory after logging in.
    • Other directory: Choose a shared folder as the root directory and click Select. Please note that the folder permissions for the user or group should be checked first. A user or group with insufficient folder permissions will be unable to log in.
  • Click OK.

  • After all rules are added, click Apply to save the rules.

Note

Rules are prioritized according to their positions in the list. Drag-and-drop to reorder the rules in the list.

Default UNIX Permissions

Click Advanced Settings, and tick the option to apply the default UNIX permissions when uploading or creating files and folders. Applied permissions are the same as permissions applied by the UNIX command umask. When this option is enabled, UNIX permissions are 644 for files and 755 for folders. When this option is disabled, UNIX permissions are 666 for files and 777 for folders. The default umask value is 022.

Note

For Windows ACL enabled shared folders (all shares excluding “photo” and shares on external drives), please run the chmod command on your Linux or FTP client to change folder and file permission types from Windows ACL to UNIX. Enabling this option might cause inconsistent permission issues between different protocols. To avoid inconsistencies, we suggest leaving this option disabled.

File Station