Sunday, April 3, 2016

Setting up folder permissions on a Synology Rackstation using DSM 5.2

Contrary to much of the information out there, setting up folder-level permissions on a Synology DiskStation or RackStation is not actually too hard.

Apparently previous versions of DSM didn't actually support this, or at least, not very well.  You could only set user access to an entire shared folder (root folder) but not to the subfolders within it.  (Unless, maybe, you knew your command-line interface (CLI) or had Windows Active Directory capabilities.)  But DSM 5.2 seems to support it OK.

Note that DSM uses the term "Shared Folder" to refer to the root of the shared volume.  Many people would refer to this as a "root folder" or a "shared volume", but Synology has chosen to call it a "Shared Folder".  (Awesomeness....)

You can obviously set up different Shared Folders (root folders) for various purposes, if you want to.  Some people are in a situation where this doesn't work.  Like, maybe, you want to share your files with various users - which is kind of the purpose of a file-sharing appliance, hm?

I'm assuming you have the Shared Folder, subfolder(s), and user(s) actually created.  If not, go do those first.

Also - hopefully obviously - if the user in question is an admin user, they will have full access to everything regardless of what else you do.  So the user has to NOT be a member of "administrators".

Here's what I had to do on my RS2416RP+ running DSM 5.2-5644 Update 6.  I assume it works on any Synology appliance running DSM 5.0 or above, but obviously have not checked that.

-  In Control Panel / Shared Folder, give the user in question at least "read" access to the Shared Folder, which is what most of us would call the root folder.  You can go one of two ways:

  -  If you prefer they have write access to nothing except what you explicitly turn ON, set their access to "read".

  -  If you prefer they have write access to everything except what you explicitly turn OFF, set their access to "read/write".

-  Go to File Station.

-  In File Station, navigate to the subfolder in question.

-  Right-click on the folder, select "Properties".

-  Select the "Permission" tab. 


IF all the permission controls are annoyingly grayed out:

-  Select "Advanced options" and click "Make inherited permissions explicit".


IF the user you are interested in is not listed in the resulting list of users:

  -  Click "Create".

  -  Click the down arrow on "User or group".  Select the user in question.

  -  Proceed as listed below.


-  If not already set, set "Inherit from:" to "None".

-  Set "Type" to either:
  -  "Allow" to enable the selected permissions, or
  -  "Deny" to disable the selected permissions.

-  In the bottom "Permission" box, check all of the permissions that you want to allow or deny.

-  Hit "OK".

And - yay!  You've just set the subfolder permissions!  Giving specific users read, read/write, or no access to a specific subfolder within your Shared Folder.  Awesome.

I believe this works for groups as well.  Just substitute "group" for "user" in the instructions above.


-  You do NOT need to select the "Apply to this folder, sub-folders and files" box.  I'm sure this can be useful sometimes, but is not required here.  If you do check it, DSM will take a while to set the permissions for every single file.  I don't recommend doing this unless you have a clear and specific reason because it may have unintended knock-on effects for how permissions behave in the future.

-  If you deny read and write permissions, the subfolder should not show up in Windows Explorer on client machines. If this does not happen, check in Control Panel / Shared Folders that the Shared Folder in question has the "Hide sub-folders and files from users without permissions" option checked.  If that doesn't work, I don't know what else to try.

-  Inaccessible folders may, unfortunately, show up in other interfaces such as FTP.  Users who try to access it will see an empty folder, but the root folder name is still visible.  I don't know how to get rid of this.

1 comment: