We use cookies to help us improve our webpage. Please read our Cookie Policy .

NAS 110

Introduction to Access Control

Learn how to use Access Control

2022-07-12

COURSE OBJECTIVES
Upon completion of this course you should be able to:
1. Create and manage users, groups, shared folders and privileges on an ASUSTOR NAS
2. How to set up and use Access Control

PREREQUISITES
Course Prerequisites:
None
Students are expected to have a working knowledge of:
None

OUTLINE
1. Introducing Access Control


1. Introducing Access Control

1.1 What is Access Control?
Access Control manages shared folder and app permissions for multiple users and groups on an ASUSTOR NAS. ASUSTOR NAS devices offer permission settings in the event multiple people use a NAS and information needs to be separated, such as when confidential information is stored. Rights and permissions can be customised based on a user’s needs.
1.2 What are the differences between admin rights and user rights?

The admin account and admin rights are the default setting when purchasing an ASUSTOR NAS, while user group accounts can only access certain folders and apps as designated by an administrator.

 

About Local Users

After initialisation, ADM automatically creates an admin account as well as a guest account. The default admin account can either be left as is or renamed and comes with full rights within the NAS while the guest account has restrictions and only is able to use SAMBA and AFP. Guest account cannot log into ADM and password cannot be changed.

About Local Groups
After initialisation, two user groups are automatically created, named Administrators and Users. Administrators is the default group. If a user is added to this group, they will possess a majority of the administrator access rights. Admin belongs to the Administrators group by default and cannot be removed from it.

2. Setting up Access Control

2.1. Local Users
Add, edit and remove local users here. Rights can also be assigned, edited and removed.

2.1.1 Adding a user and assigning rights
1. Add a new user by clicking Add.

2.Fill out user information

3.Select whether the user receives customized access rights or is an administrator. Selecting the first option will open options to assign rights.

4. Assign shared folder access rights here.

DA: Deny Access

RW: Read & Write

RO: Read Only

Priority of access rights: Deny Access > Read & Write > Read Only > No settings

5. Quotas can be set here. Btrfs volumes do not support quotas.

6. Assign app privileges as needed and user creation is now complete.

2.1.2. Editing user details and access rights
Highlight a user and click edit to edit user information.

 

Click Groups to modify a user’s group or assign a new one.

 

Click Folder Access Rights to modify rights.

DA: Deny Access

RW: Read & Write

RO: Read Only

Priority of access rights: Deny Access > Read & Write > Read Only > No settings


 

<div id="container-1268" font-size:14px;background-color:#ffffff;"="" style="white-space: normal; color: rgb(68, 68, 68);">
1 :  User access rights for shared folders
<div id="container-1271" font-size:14px;background-color:#ffffff;"="" style="white-space: normal; color: rgb(68, 68, 68);">
2 :  Group access rights for shared folders

Click quotas to modify quotas for the user.

2.2. Local Groups

Click Local Groups to add, modify and remove local groups.

Reminder: ASUSTOR recommends reserving groups for large numbers of users.

 

2.2.1 Adding local groups and assigning rights

1. Click Add to create a new local group.


 

2. Fill in the group name, a description and select a Group ID.


 

3. Select one or more users to join the new group.


 

4. Assign folder access rights for the group and review settings.


DA: Deny Access

RW: Read & Write

RO: Read Only

Priority of access rights: Deny Access > Read & Write > Read Only > No settings



 

 

2.2.2 Editing group information and modifying rights.

Edit group


Edit members


Edit Folder-Access Rights


DA: Deny Access (Deny Access for group to access folder)

RW: Read & Write (Group can Read & Write the folder)

RO: Read Only (Folder Read Only for the group)

Priority of access rights: Deny Access > Read & Write > Read Only > No settings

2.3 AD/LDAP

If you are using Windows Active Directory (hereafter referred to as "AD"), you can add your NAS to your AD domain.

Windows Active Directory: After successfully adding your NAS to an Active Directory domain, you can then configure access rights using domain users, domain groups and shared folders settings using the Access Control app. Active Directory users can then use their own Active Directory accounts to log in and access the NAS.

Lightweight Directory Access Protocol (LDAP): LDAP, also known as Lightweight Directory Access Protocol is mainly used for unified management of accounts and passwords. Using LDAP can more efficiently manage user authentication or computer resource permissions across the enterprise. Users can easily add an ASUSTOR NAS to their existing LDAP server, providing easier ways to help manage productivity.


Reminder: ASUSTOR NAS can support more than 200,000 AD users and groups. When joining an AD domain for the first time, depending on the number of users and groups, it may take a while for all of them to become visible.

More
NAS 206 - Using NAS with Windows Active Directory


2.4. Shared Folders

Here you can manage your shared folders and set up their access rights in relation to users and user groups. Shared folders allow your NAS to become a file server. They are fundamental in sharing files with the outside world. Consequently, correctly setting up their access rights is very important in the management of your data.

After initialization, the system will automatically create a shared folder "public". By default, all users can access the files in this folder. Additionally, the system will automatically create a personal folder for each user (using the user's account name) that by default, can only be accessed by the mentioned user.

Home folder is only for the current logged in user use which is invisible to other NAS users and only the current logged in user has the read/write right.


2.4.1 How to add shared folders and set up the access rights?

1. Add

2. Fill out the information

Note: Here are three optional options for user to choose.

  • Invisible in "Network" or "My Network Places": This setting only applies if you are using Microsoft Windows. When you enable this setting, your NAS will cease to automatically appear in "Network" or in "My Network Places". Please note that enabling this setting will not affect the connection to your NAS in any way.
  • Empty Recycle Bin: Click this button to empty all contents in this shared folder’s Recycle Bin immediately.
  • ·         Encrypt this shared folder: Here you can choose whether or not you want to encrypt your shared folder and whether or not you want to auto-mount it at system startup. Should you choose to encrypt your folder, after the system restarts, you will have to manually enter the password or import the encryption key for the folder in order to access it. Encrypted folders are normally used for the storage of critical or confidential data. Should you lose your NAS you still needn’t worry about your data leaking out and falling into the wrong hands.

Warning:

When choosing to use encrypted shared folders, please make it a point to remember your password. Should you forget your password, the data in the shared folder will become unrecoverable.

3.  Set up folder access rights

“Read Only for all the users, Read & Write for administrators “is the default option.

Press Next to confirm the information.

Other two options: By user and By group

By user

Select user

DA: Deny Access (Deny Access for user to access the shared folder)

RW: Read & Write (User can Read & Write the shared folder)

RO: Read Only (Shared folder Read Only for the user)

Priority of access rights: Deny Access > Read & Write > Read Only > No settings

Finish

By group

Set up group access rights to the shared folderDA: Deny Access (Deny Access for group to access shared folder)

RW: Read & Write (Group can Read & Write the shared folder)

RO: Read Only (Shared folder Read Only for the group)

Priority of access rights: Deny Access > Read & Write > Read Only > No settings

Finish


Note:

About Windows ACL

1. After enabling Windows ACL for a shared folder, the shared folder and all subfolders and files contained within it can be assigned user or group permissions.

2. The following shared folders do not support Windows ACL permissions: Home, User Homes, PhotoGallery, Web, Surveillance, MyArchive, Network Recycle Bin, virtual devices, external devices (USB hard drives, optical drives).

3. After enabling Windows ACL you will be able to use ADM’s File Explorer or Microsoft Windows Explorer to configure permissions. After disabling Windows ACL you will only be able to configure permissions from within ADM's File Explorer.

4. If you enable Windows ACL and then later decide to disable it, all file and folders will be re-assigned with Read & Write permissions for all users.

5. No matter if you are using Windows ACL or not, users will still require shared folder and file permissions in order to access files.

More

NAS 471 - Introduction to Windows ACL


2.4.2 How to edit shared folder and the access rights?

Select the shared folder and press edit

Edit

Adjust access rights

Select the shared folders and press Access Rights

Adjust Access rights (For convenience, the system provides a preview mode which allows you to first preview any changes that you make to access rights.)

DA: Deny Access (Deny access for the user to access folder)

RW: Read & Write (User can Read & Write the folder)

RO: Read Only (Folder Read Only for the user)

Priority of access rights: Deny Access > Read & Write > Read Only > No settings

<div id="container-1268" font-size:14px;background-color:#ffffff;"="" style="white-space: normal; color: rgb(68, 68, 68);">
1 :  User access rights for shared folders
<div id="container-1271" font-size:14px;background-color:#ffffff;"="" style="white-space: normal; color: rgb(68, 68, 68);">
2 :  Group access rights for shared folders

2.4.3 Virtual Drive

You can mount an ISO image file (.iso file) as a virtual drive and directly browse the content of the ISO image file. ADM’s virtual drive function also provides simplified access control settings allowing you to either configure access for all users or limit access to only administrators.

2.4.4 CIFS Folder

Here, you can mount remote folders as shared CIFS folders and configure their usage permissions according to users or user groups.

More

NAS 344 - How to create CIFS folders


2.5. App Privileges

Here you can configure the users' or user groups' access rights to apps. For example, if a particular user's account is denied access to the Surveillance Center app, once he/she logs in, he/she will not be able to see the Surveillance Center app icon on their ADM home screen. The user will have no way of opening or accessing the app.


Web applications may be public in nature (i.e., WordPress) or have their own account management systems (i.e., Joomla). Therefore, there is no way to restrict access to them through ADM.

With regards to domain users, the system only offers the option of setting their File Explorer access rights.

Note: Privilege settings are only for non-[administrators] group users.

2.5.1 How to edit App Privileges?

Select the app and press Edit

Select user

2.5.2 How to edit user access rights?

Select user and press Edit

Select app

 


Was this article helpful? Yes / No