?i»?
Your IP : 18.218.223.84
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Files access control — Nextcloud 13 Administration Manual 13 documentation</title>
<link rel="stylesheet" href="../_static/" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/main.min.css" type="text/css" />
<link rel="stylesheet" href="../_static/styles.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '13',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/js/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="../_static/js/jquery-fix.js"></script>
<script type="text/javascript" src="../_static/bootstrap-3.1.0/js/bootstrap.min.js"></script>
<script type="text/javascript" src="../_static/bootstrap-sphinx.js"></script>
<link rel="top" title="Nextcloud 13 Administration Manual 13 documentation" href="../contents.html" />
<link rel="up" title="File workflows" href="index.html" />
<link rel="next" title="Automated tagging of files" href="automated_tagging.html" />
<link rel="prev" title="File workflows" href="index.html" />
<meta charset='utf-8'>
<meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
<meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="theme-color" content="#1d2d44">
</head>
<body role="document">
<div class="wrap container not-front">
<div class="content row">
<main class="main">
<div class="row">
<div class="col-md-3">
<div class="sidebar">
<h1>Nextcloud 13 Administration Manual</h1>
<div class="sidebar-search">
<form class="headersearch" action="../search.html" method="get">
<input type="text" value="" name="q" id="q" class="form-control" />
<button class="btn btn-default" type="submit" id="searchsubmit">Search</button>
</form>
</div>
<div class="menu-support-container">
<ul id="menu-support" class="menu">
<ul>
<li><a href="../contents.html">Table of Contents</a></li>
</ul>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="../release_notes.html">Release notes</a></li>
<li class="toctree-l1"><a class="reference internal" href="../installation/index.html">Installation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../configuration_server/index.html">Server configuration</a></li>
<li class="toctree-l1"><a class="reference internal" href="../configuration_user/index.html">User management</a></li>
<li class="toctree-l1"><a class="reference internal" href="../configuration_files/index.html">File sharing and management</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">File workflows</a><ul class="current">
<li class="toctree-l2 current"><a class="current reference internal" href="">Files access control</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#denied-access">Denied access</a></li>
<li class="toctree-l3"><a class="reference internal" href="#examples">Examples</a></li>
<li class="toctree-l3"><a class="reference internal" href="#denying-access-to-folders">Denying access to folders</a></li>
<li class="toctree-l3"><a class="reference internal" href="#prevent-uploading-of-specific-files">Prevent uploading of specific files</a></li>
<li class="toctree-l3"><a class="reference internal" href="#common-misconfigurations">Common misconfigurations</a></li>
<li class="toctree-l3"><a class="reference internal" href="#available-rules">Available rules</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="automated_tagging.html">Automated tagging of files</a></li>
<li class="toctree-l2"><a class="reference internal" href="retention.html">Retention of files</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../configuration_database/index.html">Database configuration</a></li>
<li class="toctree-l1"><a class="reference internal" href="../configuration_mimetypes/index.html">Mimetypes management</a></li>
<li class="toctree-l1"><a class="reference internal" href="../maintenance/index.html">Maintenance</a></li>
<li class="toctree-l1"><a class="reference internal" href="../issues/index.html">Issues and troubleshooting</a></li>
</ul>
</ul>
</div>
</div>
</div>
<div class="col-md-9">
<div class="page-content">
<ul class="prevnext-title list-unstyled list-inline">
<li class="prev">
<a href="index.html" title="Previous Chapter: File workflows"><span class="glyphicon glyphicon-chevron-left visible-sm"></span><span class="hidden-sm">« File workflows</span>
</a>
</li>
<li class="next">
<a href="automated_tagging.html" title="Next Chapter: Automated tagging of files"><span class="glyphicon glyphicon-chevron-right visible-sm"></span><span class="hidden-sm">Automated tagging of files »</span>
</a>
</li>
</ul>
<div class="section" id="files-access-control">
<h1>Files access control<a class="headerlink" href="#files-access-control" title="Permalink to this headline">¶</a></h1>
<p>Nextcloud’s File Access Control app enables administrators to create and
manage a set of rule groups. Each of the rule groups consists of one or more
rules. If all rules of a group hold true, the group matches the request and
access is being denied. The rules criteria range from IP address, to user
groups, collaborative tags and <a class="reference internal" href="#available-rules-label"><span>some more</span></a>.</p>
<div class="section" id="denied-access">
<h2>Denied access<a class="headerlink" href="#denied-access" title="Permalink to this headline">¶</a></h2>
<p>If access to a file has been denied for a user, the user can not:</p>
<ul class="simple">
<li>Create/upload the file</li>
<li>Modify the files</li>
<li>Delete the file</li>
<li>Download the file</li>
<li>Syncronise the file with clients, such as the Nextcloud desktop and mobile clients</li>
</ul>
</div>
<div class="section" id="examples">
<h2>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h2>
<p>After installing the File Access Control app as described in
<a class="reference internal" href="../installation/apps_management_installation.html"><em>Installing and managing apps</em></a>
navigate to the configuration and locate the File Access Control settings.</p>
<blockquote>
<div><div class="figure">
<img alt="Sample rules to block on user group, time and IP base." src="../_images/files_access_control_sample_rules.png" />
</div>
</div></blockquote>
<p>The first rule group <code class="docutils literal"><span class="pre">Support</span> <span class="pre">only</span> <span class="pre">9-5</span></code> denies any access to files for users
of the Support user group, between 5pm and 9am.</p>
<p>The second rule group <code class="docutils literal"><span class="pre">Internal</span> <span class="pre">testing</span></code> prevents users of the Internal
testers group to access files from outside of the local network.</p>
</div>
<div class="section" id="denying-access-to-folders">
<h2>Denying access to folders<a class="headerlink" href="#denying-access-to-folders" title="Permalink to this headline">¶</a></h2>
<p>The easiest way to block access to a folder, is to use a collaborative tag. As
mentioned in the <a class="reference internal" href="#available-rules-label"><span>Available rules</span></a> section below,
either the file itself or one of the parents needs to have the given tag
assigned.</p>
<p>So you just need to assign the tag to the folder or file, and then block the
tag with a rule group. The check is independent of the user’s permissions for
the tag. Therefor restricted and invisible tags are recommended, otherwise a
user could remove and reassign the tag.</p>
<p>This example blocks access to any folder with the tag <code class="docutils literal"><span class="pre">Confidential</span></code>.</p>
<blockquote>
<div><div class="figure">
<img alt="Deny access based on collaborative tag" src="../_images/files_access_control_collaborative_tags.png" />
</div>
</div></blockquote>
</div>
<div class="section" id="prevent-uploading-of-specific-files">
<h2>Prevent uploading of specific files<a class="headerlink" href="#prevent-uploading-of-specific-files" title="Permalink to this headline">¶</a></h2>
<p>It’s possible to prevent specific files from being uploaded to Nextcloud. You
simply need to define a rule based on the mimetype and our powerful access control
engine will block any attempt to upload the file. The safest way to define the rule
is to use a regular expression, as it will help you cover all the known media types
used for the type of file you’re trying to block.</p>
<p>The following example prevents zip files from being uploaded by using the regular
expression: <code class="docutils literal"><span class="pre">/^application\/(zip|x-zip-compressed)$/i</span></code></p>
<blockquote>
<div><div class="figure">
<img alt="Prevent upload based on mimetype" src="../_images/files_access_control_block_mimetype.png" />
</div>
</div></blockquote>
</div>
<div class="section" id="common-misconfigurations">
<h2>Common misconfigurations<a class="headerlink" href="#common-misconfigurations" title="Permalink to this headline">¶</a></h2>
<div class="section" id="blocking-user-groups">
<h3>Blocking user groups<a class="headerlink" href="#blocking-user-groups" title="Permalink to this headline">¶</a></h3>
<p>When trying to deny access to a group of users, make sure that sharing does not
allow them to create a way back in. When users are able to create a public link,
the users can log themselves out and visit their own public link to access the
files. Since at this point they are no user and therefor no member of the
blocked group, they will be able to read and change the file.</p>
<p>The recommended work around is to create the same rule again, and deny access
for all users that are <code class="docutils literal"><span class="pre">not</span> <span class="pre">member</span> <span class="pre">of</span></code> a group, that contains all users of
your installation.</p>
</div>
<div class="section" id="external-storage">
<h3>External storage<a class="headerlink" href="#external-storage" title="Permalink to this headline">¶</a></h3>
<p>While access to files in external storages is not possible via Nextcloud, users
that have direct access to the external storage, can of course change files
there directly. Therefor it is recommended to disable the <code class="docutils literal"><span class="pre">Allow</span> <span class="pre">users</span> <span class="pre">to</span> <span class="pre">mount</span>
<span class="pre">external</span> <span class="pre">storage</span></code> option, when trying to to completely lock out users.</p>
</div>
</div>
<div class="section" id="available-rules">
<span id="available-rules-label"></span><h2>Available rules<a class="headerlink" href="#available-rules" title="Permalink to this headline">¶</a></h2>
<p>All rules can also be inverted (from <code class="docutils literal"><span class="pre">is</span></code> to <code class="docutils literal"><span class="pre">is</span> <span class="pre">not</span></code>) using the operator
option.</p>
<ul>
<li><p class="first"><strong>File collaborative tag:</strong> Either the file itself, or any of the file
owner’s parent folders needs to be tagged with the tag.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Tags used in access control rules should be restricted tags,
otherwise any user can remove the tag to access the file again.
The best way to do this is with the <a class="reference internal" href="automated_tagging.html"><em>Automated tagging of files</em></a>.</p>
</div>
</li>
<li><p class="first"><strong>File mimetype:</strong> The mimetype of the file, e.g. <code class="docutils literal"><span class="pre">text/plain</span></code></p>
</li>
<li><p class="first"><strong>File size:</strong> The size of the file (<em>Only available on upload</em>)</p>
</li>
<li><p class="first"><strong>Request remote address:</strong> An IP range (either v4 or v6) for the accessing user</p>
</li>
<li><p class="first"><strong>Request time:</strong> Time span and timezone when the request happens</p>
</li>
<li><p class="first"><strong>Request URL:</strong> The URL which requests the file. (<em>This is the URL the file
is served from, not the URL the user is currently looking at.</em>)</p>
</li>
<li><p class="first"><strong>Request user agent:</strong> The user agent of the users browser or client.
Nextcloud desktop, Android and iOS clients are available as preconfigured
options.</p>
</li>
<li><p class="first"><strong>User group membership:</strong> Whether the user is a member of the given group.</p>
</li>
</ul>
</div>
</div>
<ul class="prevnext-title list-unstyled list-inline">
<li class="prev">
<a href="index.html" title="Previous Chapter: File workflows"><span class="glyphicon glyphicon-chevron-left visible-sm"></span><span class="hidden-sm">« File workflows</span>
</a>
</li>
<li class="next">
<a href="automated_tagging.html" title="Next Chapter: Automated tagging of files"><span class="glyphicon glyphicon-chevron-right visible-sm"></span><span class="hidden-sm">Automated tagging of files »</span>
</a>
</li>
</ul>
</div>
</div>
</div>
</main>
</div>
</div>
</body>
</html>