Please read the following document, which describes how to set up access to files and directories on your NAS using an ACL (Access Control List):
I. Deny access to Directory for (group) everyone
a) Create a new folder or select one of your folders (you must be owner or superuser to set ACL permissions)*
b) Go to "directory properties" (right mouse click->properties on directory)
c) Select the tab "security"
d) Choose the group "Everyone"
e) Click the Remove button. The group Everyone will not be removed, but it will no longer have any permissions*.
g) Apply
Now access to this directory is denied to everyone except you. *In Open-E NAS, ACL permissions always contain at least the owner user, the owner group and the Everyone group.
II. Allow full access for group "WORK" to this Directory
a) Make sure that group WORK is created
b) In security window click Add button
c) Select group "WORK" (Advanced->Find Now will show you all users and groups) and click OK
d) Enable Full Control in Allow column
e) Apply
III. Set only read permissions to file for everyone
a) Create a new file (you must be owner or superuser to set permissions)*
b) Go to permission window
c) Select everyone group
d) Leave only permission for Read in Allow column
e) Click "Apply" button
f) Do the same for your group and your user
Now everyone (besides you and your group) has only Read permissions to this file.
IV. Changing owner for directory
a) On the Open-E web interface go to resources->shares
b) In the Set Superuser function select your user and restart the connection (or wait about 15 minutes)
c) Go to directory/file properties (right mouse click->properties on directory)
d) Click "Advanced" button
e) Select Owner tab
f) Click "Other Users or Group" button and select the user that will be the new owner (Advanced->Find Now will show all users and groups). Click OK**
g) Select User from list and click Apply and OK
h) Click OK and reopen this window to refresh owner
V. Allow full access for user "BIG BOSS" to this Directory
a) Make sure that "BIG BOSS" exists
b) In security window click Add button
c) Select user "BIG BOSS" (Advanced->Find Now will show you all users and groups) and click OK
d) Enable Full Control in Allow column
e) Apply
VI. Allow read access for group "COMPANY" to this directory
a) Make sure that group "COMPANY" exists
b) In security window click Add button
c) Select group "COMPANY" (Advanced->Find Now will show you all users and groups) and click OK
d) Enable Read&Execute in Allow column
e) Apply
VII. Make a read-only directory with full access for subdirectories for group ALL (using inherited permissions)
a) Create folder "ROOT"
b) Go to security window
c) Remove Everyone and Your group
d) Click Advanced button and then Add in Advanced window
e) Select ALL group and click OK
f) Change "Apply onto" to "This folder only"
g) In permissions leave only "Traverse Folder / Execute File" and "List Folder / Read Data". Click OK
h) Click once again Add button and add ALL group
i) This time set "Apply onto" to "Subfolders and files only" (these will be the inherited permissions)
j) Select Full Control and OK
k) Click Apply to save the permissions.
With these settings, users from group ALL can't remove the "ROOT" folder and can't create/remove any folder or file in this folder, but any file or folder will be created with inherited permissions that allow creating files and folders, changing them and removing them. Example:
File /ROOT/some_file.txt can be changed but can't be removed
Directory /ROOT/directory can't be removed but users from group ALL can create folders and files in this directory.
File /ROOT/directory/my_file.txt can be removed and changed by group ALL (if the inherited permissions weren't changed)
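The outcome of section VII can be checked with a small model. This is an added example, not Open-E code: it assumes the NAS enforces POSIX-style rules (creating or removing an entry depends on write access to the containing directory), and the names `Node`, `create` and `report` are hypothetical.

```python
# Added example: section VII modelled with POSIX-style semantics.
# Assumption: "This folder only" sets the folder's own entry and
# "Subfolders and files only" sets the entry that children inherit.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    is_dir: bool
    access: dict                                  # group -> rights on this object
    default: dict = field(default_factory=dict)   # group -> rights inherited by children
    parent: "Node | None" = None

def create(parent, name, is_dir):
    """A new child takes the parent's inheritable entries as its own ACL."""
    inherited = dict(parent.default)
    return Node(name, is_dir, inherited, dict(inherited) if is_dir else {}, parent)

def can_modify(node, group):
    return "w" in node.access.get(group, "")

def can_change_entries(directory, group):
    # Creating or removing a name needs write and traverse on the directory.
    r = directory.access.get(group, "")
    return "w" in r and "x" in r

def can_remove(node, group):
    # Removal is decided by the parent directory, not by the object itself.
    # ROOT has no modelled parent (assumed: ALL has no write access above it).
    return node.parent is not None and can_change_entries(node.parent, group)

def report(group="ALL"):
    # Traverse + List on ROOT itself, Full Control inherited by children.
    root = Node("ROOT", True, {group: "rx"}, {group: "rwx"})
    # The objects below are created by the owner; ALL cannot create in ROOT.
    some_file = create(root, "some_file.txt", False)
    directory = create(root, "directory", True)
    my_file = create(directory, "my_file.txt", False)
    return {
        "create in /ROOT": can_change_entries(root, group),
        "remove /ROOT": can_remove(root, group),
        "modify /ROOT/some_file.txt": can_modify(some_file, group),
        "remove /ROOT/some_file.txt": can_remove(some_file, group),
        "remove /ROOT/directory": can_remove(directory, group),
        "create in /ROOT/directory": can_change_entries(directory, group),
        "modify /ROOT/directory/my_file.txt": can_modify(my_file, group),
        "remove /ROOT/directory/my_file.txt": can_remove(my_file, group),
    }

if __name__ == "__main__":
    for action, allowed in report().items():
        print(f"{action}: {'allowed' if allowed else 'denied'}")
```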
VIII. Inherited permissions
If a folder or directory has inherited permissions, these permissions are shown in the security window as checked grey checkboxes, and in the advanced window you can see more details, such as where exactly these permissions are inherited from. In subfolders, inherited permissions can be changed by the subfolder owner.
IX. UNIX Rights in Windows:
Rights in folders:
Rights: --x r-- -w- r-x rw- -wx rwx
Traverse Folder / Execute File X X X X
List Folder / Read Data X X X X
Read Attributes X X X X X X
Read Extended Attributes X X X X
Create Files / Write Data X X X X
Create Folders / Append Data X X X X
Write Attributes X X X X
Write Extended Attributes X X X X
Delete Subfolders and Files X
Delete X
Read Permissions X X X X X X X
Change Permissions X
Take Ownership X
X. Example use of ACL permission in a small company:
The company has 10 users:
Name; Group; Position; Rights
Chris; Company; Director; All rights for everything
Robert; Company; Manager; All rights for everything besides the Director's home directory
Jennifer; Company; Secretary; Read access to "DOCUMENTS" directory
Clint; Company, Developers; Main Developer; Read and write to "DEVELOPERS" directory, read and write to "CHANGES" directory
Brad; Company, Developers; Developer; Read in "DEVELOPERS", read and write in "Changes"
Johnny; Company, Developers; Developer; Read in "DEVELOPERS", read and write in "Changes"
Tom; Company, Developers; Developer; Read in "DEVELOPERS", read and write in "Changes"
John; Company, Graphics; Graphic Artist; Read in "GRAPHICS", read and write in "Changes"
Ben; Company, Graphics; Graphic Artist; Read in "GRAPHICS", read and write in "Changes"
Bill; Company; Cleaner; Only access to his home directory
First create users and groups in your domain:
1. Run Menu Start->Programs->Administrative Tools->Active Directory Users and Computers
2. Click with right mouse button on your domain name and select New->User
3. Enter all necessary fields to create user Chris.
4. Create all users (back to point 2).
5. Click with right mouse button on your domain name and select New->Group
6. Create groups: Developers, Graphics, and Company.
7. Add users to groups - click with right mouse button on group Developers. In Members tab click Add. Add users to groups (groups Company, Developers, Graphics) what they
Connect to Windows domain:
1. Go to Open-E NAS web interface Setup->Nas server setup
2. Select ADS or PDC (depends on your system: if you have an NT4 Domain or Windows 2003 (with no Kerberos*** fix) then select PDC, else select ADS).
3. Enter your domain name: in PDC this will be the short domain name (example: COMPANY), in ADS enter the full domain name (example: COMPANY.COM.DE).
4. Enter your domain/Kerberos server IP
5. Enter name and password of an existing Administrator user account on your domain.
6. Click Apply to join into domain.
Create shares and set permission:
1. Create a share Company (Open-E NAS web interface->Resources->Shares).
2. Set permissions for all or select only Company group.
3. Go to share \\YOUR_NAS_SERVER_NAME\Company
4. Create folders "WORK", "HOME" and "FORALL".
5. Set permissions of folder WORK - right mouse click->properties->security.
6. Deny access for everyone (point I), change owner to Chris user (point IV) with full access and add Robert with full access.
7. In folder WORK create folders DEVELOPER, GRAPHIC, DOCUMENTS and CHANGES.
8. Change owner of DEVELOPER directory to Clint (with full rights). Add group Developers with read access.
9. Add group Graphics with full access to directory GRAPHIC.
10. Change owner of CHANGES directory to Clint (with full rights). Add group Graphics and Developers with full rights.
11. Add secretary to DOCUMENTS directory with read access.
12. In the HOME directory create a private directory for each user and change its owner (make sure that the owner and the directory name are the same). Remove access for Company group (point I).
13. Add group Company with full access to directory "FORALL".
** This function is available on Windows 2003; in other Windows versions you can select only your own user.
If you use SUPERUSER, all files and directories will be created as the local ROOT user.
*New directories without inherited permissions have no ACL permissions at first; they have only the standard UNIX permissions 0777 (Windows 2003 shows, in the normal view of the security window, that special permissions are enabled, and full access in the advanced view. Windows 2000 doesn't show any permissions in the normal view, only in the advanced view). To enable ACL for such a directory, first select Full Access for everyone and click Apply, then do the same for your group and user. Directories created in this directory should have ACL permissions inherited from the parent.
If permissions are inherited, the ALLOW column is grey. To disable a permission, just use the Deny column.
When you set ACL permissions, always check that setting permissions for a group doesn't change the permissions for a user or for everyone because of connections between those accounts. Windows 2003 handles this much better than Windows 2000.
***Kerberos is a server for distributing security keys. Normally it is also on the domain, but it can be on some external server. In Windows 2003 this server ignores the specified key type, and authorisation works only when the share is entered by IP, not by NAS name.