Permissions

McNinjaTNT

Dabbler
Joined
Aug 11, 2021
Messages
26
Hello, I'm trying to set a dataset so that the group that owns it can modify and see all files, as well as the user that owns it. My problem is the user "admin" can't see or edit the files created by the user within the owner group. I have a group "v" with the user "v" in it. User "v" can edit and read any files made by user "admin"; however, the reverse is not the case. I've included some important screenshots.
My end goal is to make it so user "admin" has full control over all datasets (as well as SMB support), but user "v" only has access to the one dataset.
Also if someone could explain inheritance to me that would help, not sure if it has anything to do with this. Any help is much appreciated!
 

Attachments

  • UserComparison.PNG
  • rrrw.PNG
Joined
Jan 4, 2014
Messages
1,644
You have a couple of options here:
  1. Add admin to the group v.
  2. Add a separate ACE for admin to the dataset.
Both have their use cases, though from a transparency perspective I prefer the latter approach.

Add admin to group

Here's an example where admin has been added to a few auxiliary groups.

tn40.jpg


Add an ACE for admin

In this example, I've added the admins group to a dataset.

tn41.jpg


What does it look like from Windows?

tn42.jpg


Also if someone could explain inheritance to me that would help, not sure if it has anything to do with this.

Yes, you will need to apply permissions recursively to an existing dataset when adding admin through the TrueNAS UI. This is the equivalent action in Windows:

tn43.jpg


Inheritance means that new objects (files and directories) get their permissions from the parent object.
 

McNinjaTNT

Thank you! I'll probably go with the second approach.
I still don't understand why exactly it doesn't work as is though. Wouldn't adding a new ACL perm for the admin user or admins group do the same as allowing owner@ full perms, which I would think should allow owner@ (admin) to edit all files including those made by "v"?
 
Joined
Jan 4, 2014
Messages
1,644
Wouldn't adding a new ACL perm for the admin user or admins group do the same as allowing owner@ full perms, which I would think should allow owner@ (admin) to edit all files including those made by "v"?
Let's say the owner of a dataset is bob. You need to explicitly allow admin access to the dataset that bob owns.
 

McNinjaTNT

Let's say the owner of a dataset is bob. You need to explicitly allow admin access to the dataset that bob owns.
But... admin is the owner of the dataset, and owner@ (Thus by extension, admin) has ACL permissions with full control. Admin can connect to the dataset as well as create and modify data, HOWEVER, admin cannot see, modify, or delete files within said dataset that were made by "v", but "v" can see, modify, and delete any files made by "admin". I included a screenshot with admin being the owner and owner@ having full control perms.
 
Joined
Jan 4, 2014
Messages
1,644
Admin can connect to the dataset as well as create and modify data, HOWEVER, admin cannot see, modify, or delete files within said dataset that were made by "v", but "v" can see, modify, and delete any files made by "admin".
You have a couple of options here. The simplest solution here is to add admin to the group v.

Personally, I find a more logical approach is to make sure the CREATOR USER and CREATOR GROUP belong to the user. If you accept the defaults when creating an account, a new primary group is created for the user.

tn44.jpg


Here's an adjusted example that shows how this might work for user admin (like sachika) and group v (like admins).

tn45.jpg
 

McNinjaTNT

Works great with adding a second ACL item for User: admin with full control. Still confused why having admin as the owner user with full control and v as owner group doesn't let admin see v's files, but doesn't matter, I guess.
Thank you so much!
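
The behaviour discussed in this thread, as an added example that is not part of any post: a simplified model of NFSv4-style ACL evaluation in which owner@ and group@ are resolved against each file's own owner and group, not the dataset's. It assumes allow-only entries, that new files keep the parent's owning group, and a hypothetical group "admins" containing admin; all names and data are constructed.

```python
from dataclasses import dataclass, field

# Constructed group membership: admin is NOT a member of group v.
GROUPS = {"v": {"v"}, "admins": {"admin"}}

@dataclass
class Obj:
    owner: str
    group: str
    acl: list = field(default_factory=list)  # entries: (who, inheritable)

def create(parent, creator):
    """New object: owned by its creator, inheritable ACEs copied from the parent."""
    # Assumption: the new object keeps the parent's owning group.
    inherited = [ace for ace in parent.acl if ace[1]]
    return Obj(owner=creator, group=parent.group, acl=inherited)

def matches(who, user, obj):
    if who == "owner@":
        return user == obj.owner                     # owner of THIS object
    if who == "group@":
        return user in GROUPS.get(obj.group, set())  # owning group of THIS object
    if who == "everyone@":
        return True
    kind, _, name = who.partition(":")
    if kind == "user":
        return user == name
    if kind == "group":
        return user in GROUPS.get(name, set())
    return False

def allowed(user, obj):
    """Allow-only evaluation: any matching entry grants access."""
    return any(matches(who, user, obj) for who, _ in obj.acl)

def scenario(extra_ace=None):
    # Dataset owned by admin:v with inheritable owner@ and group@ entries.
    dataset = Obj("admin", "v", [("owner@", True), ("group@", True)])
    if extra_ace:
        dataset.acl.append((extra_ace, True))
    by_admin = create(dataset, "admin")
    by_v = create(dataset, "v")
    return {
        "v_on_admin_file": allowed("v", by_admin),
        "admin_on_v_file": allowed("admin", by_v),
    }

if __name__ == "__main__":
    print(scenario())              # owner@/group@ only, as in the question
    print(scenario("user:admin"))  # with a separate ACE for admin
```

Files that already existed before the extra ACE was added do not pick it up by inheritance, which is why the reply above says to apply the permissions recursively.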
 