How can I manage ACL settings on my Synology NAS?

Purpose

Access Control List (ACL) is a list of access control entries (ACE) attached to an object (such as a file, folder, or program) in the Windows environment. Each entry determines a user or group's access permissions to the object. This article explains how you can configure and customize access permission rules using ACL at shared folder level or individual file or subfolder level.

Environment

Make sure your Synology NAS is running DSM 5.0 or later. Starting from DSM 5.0, the access permissions of shared folders are based on Windows ACL by default. Newly created shared folders implement the permission settings of Windows ACL, which also allows for customizing the permissions of individual files and subfolders. Permissions can also be customized via File Station or File Explorer in Windows.

Notes:

  • Take extra care when editing the permissions of your homes folder, because this folder contains users' personal home folders. If you set No access permission for a user or group on homes, that user or group loses access to their personal home or photo/web folder.
  • When editing permissions for web or personal web/photo folders, the http group must have read or read/write permissions, otherwise webpage services will be affected.

Resolution

Manage basic permissions of shared folders

  1. Go to Control Panel > Shared Folder.
  2. Select the shared folder you wish to edit and click Edit.
  3. Go to the Permissions tab.
  4. Select the type of user (System internal user, Local users, or Local groups) from the drop-down menu (see Note 1).
  5. Select or deselect the appropriate boxes (No access, Read/Write, Read only) for each user or group to customize their access permissions (see Note 1).
  6. Click Save (for DSM 7.0 and above) or OK (for DSM 6.2 and earlier) (see Notes 1 and 2).

Customize Windows ACL permissions (see Note 3)

  1. On the Permissions tab, select the Custom checkbox for the user whose permissions you wish to customize.
  2. In the Permission Editor window, modify the settings to manage ACL permissions for the file or folder (see Notes 4 and 5).
  3. Click Done (for DSM 7.0 and above) or OK (for DSM 6.2 and earlier).

Use Permission Inspector to check your permission settings for a file or folder (see Note 6)

You can view a user or group's access privileges to a file or folder using Permission Inspector. To do so, follow the steps below:

  1. Launch File Station.
  2. Select the folder or file whose permission you wish to check or view.
  3. Click on the Action drop-down menu and select Properties.
  4. Go to the Permission tab, click the Advanced options drop-down menu, and select Permission Inspector.
  5. Select the user or group whose access privileges you wish to view.
  6. View the user or group's Admin, Read, and Write permissions in the field below.

Give admin rights to a user

If you wish to give a user the same rights as the default admin account, you can do so by adding the user to the system administrators group. There's no limit to the number of users you can add to this group.

  1. Go to Control Panel > User & Group > Users (for DSM 7.0 and above) or User (for DSM 6.2 and earlier), select a user, and click Edit.
  2. Go to the User Groups tab.
  3. In the administrators row, select Add.
  4. Click Save (for DSM 7.0 and above) or OK (for DSM 6.2 and earlier).

Set permissions for anonymous users to access your file directories via FTP

You can change the ACL settings of a shared folder so that anonymous parties have permission to upload files via FTP, while their permissions to read, delete, or overwrite existing files are restricted.

  1. Go to Control Panel > Shared Folder, select a folder, and click Edit.
  2. Go to the Permissions tab and select System internal user from the drop-down menu.
  3. In the Anonymous FTP/Presto/WebDAV row, select Custom.
  4. In the Permission Editor pop-up window:
    • Under Read, select Traverse folders/Execute files.
    • Under Write, select Create files/Write data and Create folders/Append data.
  5. In Control Panel > Shared Folder, select the shared folder used by FTP and click Edit. Go to Advanced Permissions > Advanced Settings and select Disable modification of existing files.

Refine settings for users that belong to a group

There may be situations where you wish to further refine the permission settings of a user in relation to a file or folder. For demonstration purposes, we use the following:

  • User group: Sales
  • User: John, who belongs to the Sales group and is in charge of the datacenter project
  • Shared folder: Data
  • Sub-folder: datacenter, which is contained within Data

To grant everyone on the Sales team permission to access but not change, add, or overwrite anything in the Data folder:

  1. Launch File Station. Right-click on Data and select Properties.
  2. Go to the Permission tab and click Create.
  3. In the Permission Editor window, select Sales from the User or group drop-down menu.
  4. Select Read and click OK.
  5. Select Apply to this folder, sub-folders and files and click OK.

To grant read/write permission to datacenter to only John:

  1. Right-click on datacenter and select Properties.
  2. Go to the Permission tab and click Create.
  3. In the Permission Editor window, select John from the User or group drop-down menu.
  4. Select Read and Write, and click OK.
  5. Select Apply to this folder, sub-folders and files and click OK.

Disable default admin account access to a shared folder

If you wish to prohibit the admin account from accessing certain shared folders, follow these steps:

  1. Go to Control Panel > Shared Folder. Select the folder and click Edit.
  2. Go to the Permissions tab, select No access for admin, and click OK.

If your Synology NAS is running DSM 7.0 or above, you can further hide shared folders from users who do not have permissions. This means users who log in as admin will not see your shared folders via SMB. To do so, follow these steps:

  1. Go to Control Panel > File Services > SMB.
  2. Select Hide shared folders from users without permission.

Notes:

  1. A user may have specific permissions that conflict with the permissions assigned to the group they belong to. In this situation, the permissions are determined by permission level in the following order: No access (NA) > Read/Write (RW) > Read only (RO). For more details, refer to the "edit permissions" section in this article.
  2. When creating a new shared folder, if the permissions for the users belonging to the administrators group are set to No access, these users will only be able to see the shared folder at Control Panel > Shared Folder.
  3. The following shared folders cannot use the Windows ACL permission management system: photo, satashare, sdshare, surveillance, and usbshare.
  4. For a detailed explanation of each of the options in the Permission Editor window, please refer to the "customize permissions" section in this article.
  5. ACL permissions can be inherited from parent objects to child objects. For instance, if the Read permission for a folder is granted to a user, then the ACL entry will be applied to all files within that particular folder, meaning that the user will have access to all the files within it. Inherited permissions will be displayed in gray, whereas the object's own permissions (or explicit permissions) will be displayed in black.
  6. For detailed explanations of ACL permissions found in Permission Editor and Permission Inspector, refer to the "ACL permissions" section in this article.
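
The conflict rule in Note 1 (No access > Read/Write > Read only) can be checked offline against a list of entries. The following is an added example, not Synology code or part of the original article: it resolves each user's effective basic permission on one shared folder and reports users whose own setting is overridden by a group entry. John and Sales come from the article; the other users, groups, and all entries are constructed, and returning None when no entry applies is an assumption.

```python
# Added example, not Synology code. Models the rule from Note 1:
# No access (NA) > Read/Write (RW) > Read only (RO).
RANK = {"RO": 1, "RW": 2, "NA": 3}

# Constructed sample data for one shared folder named "Data".
MEMBERSHIPS = {"John": ["Sales"], "mary": ["Sales", "contractors"],
               "lee": ["Sales", "editors"], "guest1": []}
GROUP_PERMS = {"Sales": "RO", "contractors": "NA", "editors": "RW"}
USER_PERMS = {"John": "RW", "mary": "RW", "lee": "RO"}


def effective(user, user_perms, group_perms, memberships):
    """Return 'NA', 'RW' or 'RO'; None when no entry applies (assumption)."""
    candidates = []
    if user in user_perms:
        candidates.append(user_perms[user])
    for group in memberships.get(user, []):
        if group in group_perms:
            candidates.append(group_perms[group])
    if not candidates:
        return None
    # The highest-ranked entry wins, whether it is the user's or a group's.
    return max(candidates, key=lambda p: RANK[p])


def audit(user_perms, group_perms, memberships):
    """Return (user, own, effective) tuples, in user-name order, for users
    whose own setting is overridden by one of their groups."""
    findings = []
    for user in sorted(memberships):
        own = user_perms.get(user)
        eff = effective(user, user_perms, group_perms, memberships)
        if own is not None and own != eff:
            findings.append((user, own, eff))
    return findings


if __name__ == "__main__":
    for user in sorted(MEMBERSHIPS):
        print(user, effective(user, USER_PERMS, GROUP_PERMS, MEMBERSHIPS))
    for user, own, eff in audit(USER_PERMS, GROUP_PERMS, MEMBERSHIPS):
        print(f"{user}: set to {own} but effective is {eff}")
```

In the sample data, lee is set to Read only but ends up with Read/Write through a group, which is the case worth reviewing first when tightening access.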