Assign Shared Folder Permissions
You can specify which users or groups can access, view, or modify a shared folder and its contents. The access permissions of shared folders, as well as individual files and subfolders, can be customized for each user or group.
Windows ACL:
In DSM 5.0 or later, the access permissions of shared folders are based on Windows ACL by default. Newly created shared folders use Windows ACL permission settings, which also allow you to customize the permissions of individual files and subfolders. In addition, permissions can be customized via File Station or File Explorer in Windows.
The following shared folders cannot use the Windows ACL permissions management system: photo, satashare, sdshare, surveillance, usbshare.
Note:
- Users' personal home folders are located under the homes folder. Because ACL works on the basis of permission inheritance, if you set No access (NA) permission for a user/group on homes, those users will have no access to their personal home folders.
To edit permissions of a shared folder:
- Go to Control Panel > Shared Folder.
- Select the shared folder whose permissions you wish to edit. Click Edit.
- Go to the Permissions tab.
- Select one of the following from the drop-down menu:
  - System internal user: Assign permissions for default system users, such as the Anonymous FTP/WebDAV user. Before allowing anonymous FTP users to connect to a shared folder, you need to assign access permissions for this user.
  - Local users: Assign permissions for local users (including guest).
  - Local groups: Assign permissions for local groups.
- Tick or untick the appropriate boxes for each user or group to customize their access permissions for the shared folder:
  - Read/Write: The user or group can access and make changes to the files and subfolders in the shared folder.
  - Read only: The user or group can access the files and subfolders in the shared folder.
  - No access: The user or group cannot access the files or subfolders in the shared folder.
- Click OK to finish.
Note:
- When there is a conflict between the permissions assigned to a user and to a group they belong to, the permissions are determined by permission level in the following order: No access (NA) > Read/Write (RW) > Read only (RO).
- When creating a new shared folder, if the permissions for users belonging to the administrators group are set to No access, these users will only be able to see the shared folder at Control Panel > Shared Folder.
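The conflict rule and the two No access caveats above, worked through as an added example (not Synology code). The users, groups, shares and assignments are constructed sample data, and the function names are hypothetical:

```python
# Effective shared-folder permission under DSM's stated rule: NA > RW > RO.
# All users, groups, shares and assignments below are constructed sample data.
RANK = {"NA": 3, "RW": 2, "RO": 1}  # higher rank wins a conflict

def effective(user, share, groups_of, assignments):
    """Return 'NA', 'RW', 'RO', or None when nothing is assigned."""
    principals = [user] + sorted(groups_of.get(user, ()))
    levels = [assignments[share][p] for p in principals
              if p in assignments.get(share, {})]
    return max(levels, key=RANK.__getitem__, default=None)

def audit(groups_of, assignments):
    """Flag the No access outcomes that the page's notes warn about."""
    findings = []
    for share in sorted(assignments):
        for user in sorted(groups_of):
            if effective(user, share, groups_of, assignments) != "NA":
                continue
            if share == "homes":
                findings.append((user, share, "home folder unreachable"))
            elif "administrators" in groups_of[user]:
                findings.append((user, share, "admin sees share only in Control Panel"))
    return findings

GROUPS_OF = {
    "amy": {"users", "sales"},
    "bob": {"users", "contractors"},
    "carol": {"users", "administrators"},
}
ASSIGNMENTS = {  # share -> {user or group: permission}
    "sales": {"sales": "RW", "users": "RO", "contractors": "NA"},
    "homes": {"users": "RW", "contractors": "NA"},
    "finance": {"carol": "NA", "administrators": "RW"},
}

if __name__ == "__main__":
    for user in sorted(GROUPS_OF):
        for share in sorted(ASSIGNMENTS):
            print(user, share, effective(user, share, GROUPS_OF, ASSIGNMENTS))
    for finding in audit(GROUPS_OF, ASSIGNMENTS):
        print("FLAG", *finding)
```
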
Customizing Windows ACL permissions
In addition to the settings described above, you can customize permissions further by following the steps below.
Note:
- These settings cannot be used with the following shared folders: photo, satashare, sdshare, surveillance, usbshare.
To customize permissions:
- On the Permissions tab, select the user whose permissions you want to customize. Tick anywhere in the Custom column.
- Do any of the following in the Permission Editor window to manage ACL permissions for the file or folder:
  - User or group: Specify the user or group whose permissions you wish to customize.
  - Inherit from: For view only. View the information here to see if the permission is inherited (from a parent folder) or explicit (shown as None).
  - Type: Choose Allow or Deny to grant or deny the permission to the user or group.
  - Apply to: If you are creating a permission entry for a folder, tick the checkboxes to apply the entry to this folder, the folders (or Child folders) or files (or Child files) in this folder, or all files and folders contained in this folder (or All descendants).
  - Administration: Tick Read permissions, Change permissions, or Take ownership to specify the user or group's access permission settings for the entry.
  - Read or Write: Tick the checkboxes in these sections to modify the user or group's permission settings for the file or folder.
  Note: The options of Authenticated Users and SYSTEM in the User or group drop-down menu are created in order to match the privilege settings of Windows ACL. Their privilege scopes are as follows:
  - Authenticated Users includes accounts excluded from https and guest.
  - SYSTEM includes accounts in https and anonymous.
- Click OK.
ACL permissions are categorized as follows:
- Administration:
  - Change permissions: This controls whether a user can change the permission of the file or folder.
  - Take ownership: This controls whether a user has ownership of the file or folder.
- Read:
  - Traverse folders/Execute files: This controls whether a user can run a program file.
  - List folders/Read data: This controls whether a user can read data in a file.
  - Read attributes: This controls whether a user can view the attributes of a file.
  - Read extended attributes: This controls whether a user can view the extended attributes of a file.
  - Read permissions: This controls whether a user can read the permissions of the file or folder.
- Write:
  - Create files/Write data: This controls whether a user can change the contents of a file.
  - Create folders/Append data: This controls whether a user can add data to the end of a file.
  - Write attributes: This controls whether a user can change the attributes of a file.
  - Write extended attributes: This controls whether a user can change the extended attributes of a file.
  - Delete subfolders and files: This controls whether a user can delete a folder.
  - Delete: This controls whether a user can delete a file.
About permission inheritance:
ACL permissions are inherited from parent objects to child objects. For instance, if an ACL entry of the "sales" folder grants the "Read" permission to the user "Amy", then the ACL entry will be applied to all files within the "sales" folder (such as "annual report.xls"), allowing the user to open the files. Inherited permissions will be displayed in gray, whereas the object's own permissions (or "explicit" permissions) will be displayed in black.
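The inheritance described above, as an added example (not Synology code) that lists which entries reach an object and what the "Inherit from" column would show. Paths and entries are constructed, `entries_for` is a hypothetical name, and the scope rule is an assumption read from the page's wording of "Apply to" rather than DSM's internal algorithm:

```python
# Which ACL entries reach an object, and what "Inherit from" would show.
# Paths and entries are constructed; the scope rule is an assumption taken
# from the page's wording of "Apply to", not DSM's internal algorithm.
from pathlib import PurePosixPath

ALL = {"this_folder", "child_folders", "child_files", "all_descendants"}

ACL = {  # folder -> [(principal, type, permission, apply_to)]
    "/sales": [
        ("amy", "Allow", "Read", ALL),
        ("contractors", "Deny", "Write", {"child_files"}),
    ],
    "/sales/2023": [("bob", "Allow", "Write", {"this_folder", "child_folders"})],
}

def entries_for(path, is_dir, acl):
    """Return [(principal, type, permission, inherit_from)], explicit first."""
    target = PurePosixPath(path)
    direct = "child_folders" if is_dir else "child_files"
    found = []
    for who, typ, perm, apply_to in acl.get(str(target), []):
        if not is_dir or "this_folder" in apply_to:
            found.append((who, typ, perm, "None"))  # explicit entry
    for depth, parent in enumerate(target.parents, start=1):
        for who, typ, perm, apply_to in acl.get(str(parent), []):
            # Direct children need the matching child flag; deeper objects
            # are reached only through "All descendants".
            if "all_descendants" in apply_to or (depth == 1 and direct in apply_to):
                found.append((who, typ, perm, str(parent)))
    return found

if __name__ == "__main__":
    for path, is_dir in [("/sales/annual report.xls", False),
                         ("/sales/2023/q1.xls", False),
                         ("/sales/2023", True)]:
        print(path, entries_for(path, is_dir, ACL))
```
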
Note:
- You can only add up to 200 ACL explicit permission entries for a file or folder.
- Windows ACL does not support the ext3 file system. If you are using ext3, you need to create at least one ext4 or Btrfs volume to use Windows ACL permissions. This means that you have to format at least one drive and re-create a volume. Formatting Synology NAS will erase all stored data and settings. Please make sure all your data is backed up before proceeding.
- To define new permissions for domain users, make sure DSM and Windows clients are in the same domain.
- When modifying permissions with Windows File Explorer, Deny rules applied to the Domain Admins group will be ignored.
- For additional information about managing permissions or troubleshooting issues, refer to this article.