Learn how to use Windows ACL to manage data access permissions on your ASUSTOR NAS

COURSE OBJECTIVES

Upon completion of this course you should be able to:

1. Understand the basic principles of using Windows ACL with your ASUSTOR NAS.
2. Use Windows ACL to manage data access permissions on your ASUSTOR NAS.

PREREQUISITES

Course Prerequisites:

NAS 106: Using NAS with Microsoft Windows

Students are expected to have a working knowledge of:

Shared Folders, Access Control

OUTLINE

1. Introduction to Windows ACL

1.1 Do I need to enable Windows ACL?

2. Configuring Windows ACL

2.1 Enabling Windows ACL

2.2 Configuring Windows ACL permissions with ADM File Explorer

2.3 Configuring Windows ACL permissions with Windows Explorer

2.4 Windows ACL permission rules and precautions

2.5 Moving objects to your NAS while maintaining ACL permissions

1. Introduction to Windows ACL

Windows ACL is the 13 different types of file permissions designed by Microsoft for NTFS file systems which can be applied to specific users and groups. Within this type of infrastructure, administrators can make more detailed and precise access permission configurations.

Furthermore, in the Windows AD domain infrastructure (widely used by businesses), Windows ACL permissions can be applied to all users and groups in the domain. Users can use any computer in the network to log in, and as long as they use the same account name, all permissions will remain the same. IT staff will not need to configure permissions for each individual server and PC workstation, significantly increasing management efficiency.

In order to more closely integrate ASUSTOR NAS with AD domains, simplifying IT management and increasing productivity, ASUSTOR has deeply integrated the Windows ACL permissions system with ADM, providing the following unique features:

1. The ability to enable Windows ACL for individual shared folders.
2. Comprehensive support for all 13 types of Windows ACL permissions.
3. Ability to view Windows ACL effective permissions in detail from within ADM.
4. Support for network users and groups.
5. Ability to apply ACL permissions to Samba, File Explorer, AFP, FTP, WebDAV, Rsync file transfer protocols.

1.1 Do I need to enable Windows ACL?

As described in the previous section, Windows ACL provides up to 13 different permission settings that can be applied to all users and groups on the NAS and on the domain (if the NAS has been added to a Windows AD domain). In the event of improper planning or configuration of permissions, there is the possibility that all users will not be able to access a certain folder or file. Obviously, this type of error can be resolved by using an administrator account, but the amount of wasted time from when the problem first occurs to when it gets resolved can be seen as a significant intangible cost to businesses.

ASUSTOR NAS was developed based on the Linux operating system, so ADM’s native settings utilize the Linux permission management mechanism:

• Applicable permissions: RW (Read & Write), RO (Read Only), DA (Deny Access)
• Permissions may be applied to: “Owner”, the group that the owner is a part of and “Other”.

The smaller number of options allows for simpler configuration. However, the flexibility and adjustability of the permissions is very limited. For example, when using the Linux permissions mechanism, it is not possible to give a user the ability to edit a file while not giving them permission to delete the file.

If you are only using your NAS between yourself and a limited number of family and friends, then it is recommended that you use ADM’s original permissions management mechanism. However, if your NAS is being used for business data storage, it is suggested you first consult with your IT staff to decide if it is appropriate to enable Windows ACL permissions and then complete a permissions deployment plan should you decide to use it.

We have provided the flexibility for you to enable or disable Windows ACL for single shared folders, which is very helpful for assessment and planning. You can create a shared folder for testing, enable Windows ACL and then configure permissions settings. Afterwards you can check if the results are what you expected them to be. Once you get the results that you require you can then apply the settings to the shared folder of your choice. This allows you to avoid any mistakes or errors in planning that could deny access to important data, affecting the operation of your business.

2. Configuring Windows ACL

2.1 Enabling Windows ACL

Creating a new shared folder:

• Log into your ADM with an administrator account using your web browser.
• Select Shared Folders inside Access Control.
• Click Add.

• Enter a name for the new folder and then click [Next].

• After setting the access rights for the shared folder, select [Enable Windows ACL] and then click [Next].

  Note: Shared folder access rights are the first layer of permissions checking. If a user or group has not been assigned “Read & Write” permissions here, any Windows ACL permissions assigned to them will be blocked. Therefore, it is recommended that you configure more lenient access rights for shared folders that have Windows ACL enabled and then use Windows ACL to further configure more specific permissions later.

• Select [Skip] and then click [Next].

• Confirm your settings and then click [Finish].

Enabling Windows ACL for already existing shared folders:

• Select Shared Folders inside Access Control.
• Select the shared folder that you wish to enable Windows ACL for, and then click [Edit].

• Select [Windows ACL].
• Select [Enable Windows ACL] and then click [Close].

2.2 Configuring Windows ACL permissions with ADM File Explorer

• From the ADM desktop, select [File Explorer].
• Select a shared folder (or subfolder or file) that you have enabled Windows ACL for. Right-click on the shared folder and then select [Properties].

• Select the [Permission] tab. Here you will be able to see the currently configured permissions for the folder. You can also manage permissions for the folder here.

After enabling windows ACL for a shared folder, the system by default will assign "Read & Write, but cannot Delete" permissions to "Everyone", "administrators" and the "admin" account. These permissions will be applied to the shared folder only and will not be inherited by objects below. These default permissions can be modified by using the [Edit] or [Remove] buttons.

Note: An individual file or folder can utilize up to a maximum of 250 Windows ACL permissions (including inherited permissions).

• Include inheritable permissions from this object’s parent:
  This option is enabled by default. The system will automatically configure sub folders and files to inherit permissions from the object above it. Disabling this option will reject all inheritable permissions and only keep newly added permissions.
• Replace all child object permissions with inheritable permissions from this object:
  Enabling this option will replace all subfolder and file permissions with ones from the parent object.

The management functions that you will be able to use here are as follows:

Add:

• Click on the [Add] button to create a new permission for the object.

• User or group:
  Specify the user or group you want to apply the permission to.

• Type:
  Select [Allow] or [Deny] to grant or deny the permission to the user or group.
• Apply To:
  This option will only appear when adding permissions to a folder. From the drop down menu, you can select where the permission will be applied. The way in which the permission will be applied will be determined by whether or not you select the [Apply these permissions to objects and/or containers within the container only] checkbox.
• Apply these permissions to objects and/or containers within the container only:
  • When the option is unchecked:

    Apply To	Apply permission to current folder	Apply permission to subfolders within the current folder	Apply permission to files within the current folder	Apply permission to all subsequent subfolders	Apply permission to files within all subsequent sub folders
    This folder only
    This folder, subfolders and files
    This folder and subfolders
    This folder and files
    Subfolders and files only
    Subfolders only
    Files only

  • When the option is checked:

    Apply To	Apply permission to current folder	Apply permission to subfolders within the current folder	Apply permission to files within the current folder	Apply permission to all subsequent subfolders	Apply permission to files within all subsequent sub folders
    This folder only
    This folder, subfolders and files
    This folder and subfolders
    This folder and files
    Subfolders and files only
    Subfolders only
    Files only

Edit:

• Selecting a permission and then clicking on the [Edit] button will allow you to modify the permission.

Remove:

• Selecting a permission and then clicking on [Remove] will remove the permission from the current object.

Effective Permissions:

• Clicking on the [Effective Permissions] button and then selecting a user from the list will allow you to view the user’s effective permissions with regards to the specified folder or file. Effective permissions are determined from the combination of Windows ACL permissions and shared folder access rights.

2.3 Configuring Windows ACL permissions with Windows Explorer

First, use a Windows administrator account to map a Windows ACL enabled shared folder as a network drive. For more information, please see NAS 106: Using NAS with Microsoft Windows.

• Right-click on any file or subfolder within the shared folder and then select [Properties].

• Select the [Security] tab. Here, you will be able to see a list of users and groups and their ACL permissions for the file or subfolder.

If an object simultaneously has inherited permissions from its parent and also explicit permissions, the inherited permissions will be checked in grey while the explicit permissions will be checked in black.

• Click on [Edit] [Add].

• In the [From this location:] field you should see the following information:
  • If the NAS has been added to a Windows AD domain you will see the AD domain name.
  • If the NAS has not been added to a Windows AD domain, you will see the NAS’s IP address.

• In the [Enter the object names to select] field, enter the following information:
  • If the NAS has been added to a Windows AD domain, enter the domain user or group name and then click on [Check Names] in order to verify the user/group name. Then, click on [OK].
  • If the NAS has not been added to a Windows AD domain, enter the ADM local user or group name and then click on [Check Name] in order to verify the user/group name. Then, click on [OK].

• Now, you should be able to see the newly added user or group in [Group or user names:] list. Select the user or group and then use the [Allow] and [Deny] checkboxes to configure their access permissions for the object. Once you are done, click on [Apply].

2.4 Windows ACL permission rules and precautions

ACL Conflicting ACL permissions:

• If you encounter conflicting Windows ACL permissions, the object’s explicit permissions will be given priority. For example, if the user "testuser" inherits [Allow Read & Execute] permissions for a file but the given explicit permissions for the file are [Deny Read & Execute], then "testuser" will not be able to access the file.
• Conversely, if "testuser" inherits [Deny Read] permissions but the explicit permission given to the file are [Allow Read], then "testuser" will be able to access the file.

Rules for moving files and folders:

Exceptions: When data is deleted from an ACL enabled shared folder and moved to the Network Recycle Bin the rules from "B3" in the chart above will not apply. This is to prevent the situation where files with [Deny Access] permissions are deleted and moved to the Network Recycle Bin and then become fully accessible to all users. Taking privacy and security into consideration, files from ACL enabled folders that are moved to the Network Recycle Bin will be assigned the permission [Read & Write for Owners, Deny Access for all Other Users].

File deletion permissions:

There are 2 permissions associated with deleting files:

1. User has explicit "Delete" permission for the file.
2. User has "Delete subfolders and files" permission for the file's parent folder.

If any of the above permissions are configured as "Deny", then the user will not be able to delete the file. Only if neither of the above permissions has been configured as "Deny" and at least one of them has been configured as "Allow", will the user be able to delete the file.

Access Right of objects:

After Windows ACL has been enabled for a shared folder, each object (subfolders and files) contained within the folder will have an access right.

• You can view access right for an object by selecting it from ADM File Explorer, right-clicking on it and then selecting [Properties]. There will be editing link in the [Share Folder Access Rights] section of the [General] tab.

Person who have access right will be able to configure ACL permissions for it. For example, the admin in the graphic above, is the owner of the "ACL_Test" folder. Therefore, admin will be able to configure ACL permissions for the folder and the subfolder and files contained within it.
For every newly added object, the creator of the object will be set as the access rights by default. Additionally, users in the administrator group will have the ability to modify the access rights. For example, if we wanted to transfer ownership of the "ACL_Test" folder in the graphic above to other users (i.e., testuser), admin and all users in the administrator group would have the ability to transfer ownership. Once testuser becomes an owner of the "ACL_Test" folder, she will be able to reconfigure permissions for its subfolders and files even if she did not originally have access permissions for them.

2.5 Moving objects to your NAS while maintaining ACL permissions

When all Windows PCs and NAS devices in a network environment have been added to the same Windows AD domain, all user accounts and permissions on the domain can be combined together. However, when moving files or folders from a PC server to a NAS, existing ACL permissions will not be retained (using the rules in previous section). This causes IT staff to have to reconfigure permissions.

If you wish to maintain existing ACL permissions when moving files or folders to your NAS, you can utilize Fastcopy, a 3rd party software. In the example below, we will demonstrate how to use this Fastcopy.

• First, use a Windows administrator account to map a Windows ACL enabled shared folder as a network drive. For more information, please see NAS 106: Using NAS with Microsoft Windows.

• Open Fastcopy.
• [Source]: Specify the source folder here.
• [DestDir]: Specify the destination folder here. (the network drive mapped in previous step)
• Select the [ACL] checkbox to ensure that Fastcopy will retain the original ACL permissions of your files when moving them.
• Click on [Execute] to begin moving the folder.

• After the folder has been moved successfully, all data moved to the destination will have retained their ACL permissions from the source (including all explicit and inherited permissions). This data will not inherit any permissions from the parent object at the source.