Confused with privileges (Users, User groups, shared folders)

[LRATOZ]

Hi,

I've got 2 QNAP boxes: TS-453D and a TS-669Pro.
I've been using the TS-669Pro since 2012 and it has been extremely reliable.
I purchased the TS-453D last year so that I could use the older machine purely for backup.
Anyway, our life situation has changed. Due to the corona virus situation our son and girlfriend moved back in with us.
Before that I had access to my files wide open but now I want to keep some folders hidden to others.

So, I set up a couple of users and folders but I'm confused with the different layers of permissions.
Let me explain:
I've got following hypothetical users: Admin, A, B, C
I've got following folders: Root, Multimedia, Shared, A, B, C and the compulsory home, homes, web

I want to allocate following privileges:
Admin has R/W access to all
A has R/W to Shared and A, has RO access to Multimedia and No Access to Root, B and C, home, homes, web
B has R/W to Shared and B, has RO access to Multimedia and No Access to Root, A and C, home, homes, web
C has R/W to Shared and C, has RO access to Multimedia and No Access to Root, A and B, home, homes, web
I only need one user group. Let's call it LAN-group.

I've been watching Youtube videos from NASCompares, as there isn't much else available, but that makes me even more confused.
The NAP manual covers every topic possible but doesn't give practicle examples.
I am computer savvy but no IT-expert.
So, my question to the forum is: What would be the best strategy to set this up? (And keep it as simple as possible).
Many thanks in advance and I hope somebody will be able to provide clear instructions.
Have a nice day!
Luke
Melbourne, Australia

[spile]

The above is how I have my NAS setup. Different folders with different levels of permission for each user. What is the problem in implementing the strategy on your NAS?

[Moogle Stiltzkin]

i left mine as default most part. because the admin user should have access to everything.

it's when you create additional accounts should you begin lock those down further.

there is a setting for guest access. if you allow that, then no credentials will be asked, instead anyone on the network can then detect your nas on the network and access the shares. For security reasons, i do not allow guest access. I require credentials entered. So my admin account already requires this. for additional user accounts, they have to use their own credentials.

in shares you can designate which account users are allowed to access (detect these shares), read/write etc to those shares. this is another thing to setup.


there is info you can find online how this works

https://www.youtube.com/watch?v=eDicXy_ttg0

https://www.youtube.com/watch?v=vD_hziwGfo8



just be sure

1. you allow access to shares only if they should have access
2. you restrict if they are allowed to read, or write or both.
3. you decide if you allow guest access which requires no credentials or not. or whether you want to strictly only have each user have a login account which you can then keep track of better
4. after modifying permissions, TEST THEM. does it work as you configured it? always verify

you don't want people seeing shares, or accessing them, or deleting stuff they should not be having access to. that is your goal

[Moogle Stiltzkin]

as for the default shares created by qnap, there is an explanation about that
viewtopic.php?t=88997#p391961

viewtopic.php?t=102673#p459681


things like home/homes i don't even use them. i create my own shares and use those instead. that said, you shouldn't delete those default shares qnap creates. you can just simply ignore.



there is also a network recycle bin. i didn't want that so i disabled it and cleared recycle bin to regain any space. i use snapshots as a replacement for recycle bin, or refer to my backup.

[OneCD]

as for the default shares created by qnap, there is an explanation about that

Although, I recently noticed (in QTS 4.5.2 at-least), the only default shares are 'Public' and 'Web'.

[Moogle Stiltzkin]

hm.... the next time i reinit, i'll pay attention to these changes o-O;