These articles tell you how to configure the access settings but do not tell you what they relate to in the Windows world.
The File Access permissions seem to match up with the NTFS permissions on the shared folder in Windows but the Network Access permissions do not seem to have any discrenable equivalent.
The closest local equivalent to network access is folder access (where network share = local folder). There is no true equivalent, as they are only applicable to a network. Unlike folder access, you cannot get around it by knowing the name of a file or folder contained therein and manually typing it in if the permissions on that file or folder don't also block you.
The big difference is that file access affects what permissions are given to the file when it is created. If you change those for a share, it does not automatically change them for every file and folder therein at the time of the change (though there is an option to do so in the GUI). File permissions can also be changed through a right-click in Windows, while network permissions cannot. In a multi-user environment, that can be important.
@StephenB recommends you only use the network permissions. I typically used both, and had a couple of instances where something (I have no idea if it was the NAS or Windows) changed the file permissions, locking me out of some tiles until I reset permissions via the GUI. So, I now understand his reasoning.
To clarify; we are creating SMB shares on the ReadyNAS and accessing them via Windows. We cannot access these shares in Windows without the relevant user/group being present in the ReadyNAS Network Access list, however, as the NTFS permissions seem to match the ReadyNAS File Access list it seems we must use both.
The folder 'owner' listed in the Windows-side root share, seem to equate to the ReadyNAS Folder Owner in the File Access list but I do not seem to be able to find any equivalent for the ReadyNAS Folder Group on the Windows side, so am unsure of how this affects the overall permissions schema.
Should I set the SMB share Network Access list to "Everyone-Read/Write" and manage the permissions via the ReadyNAS File Access list or the permissions on the Windows-side NTFS Security list? Is this what StephenB means?
Should I set the SMB share Network Access list to "Everyone-Read/Write" and manage the permissions via the ReadyNAS File Access list or the permissions on the Windows-side NTFS Security list? Is this what StephenB means?
Actually the reverse. I suggest setting the file access settings on the NAS share to "Eveyone-Read/Write", and control access only with the network access list.
@StephenBThanks for your reply, I have one question then:
As Windows NTFS permissions seem to mirror the ReadyNAS File Access permissions, how do I manage the NTFS side of things if it's set to Everyone-Read/Write? Should I disable inheritence on the Windows side to "unlink" the two sets of permissions?
As Windows NTFS permissions seem to mirror the ReadyNAS File Access permissions, how do I manage the NTFS side of things if it's set to Everyone-Read/Write? Should I disable inheritence on the Windows side to "unlink" the two sets of permissions?
I don't disable inheritance myself - I suspect it could result in more people accidently losing access to subfolders and files.
The net here is that you can't manage file permissions for users who have write network access to the share, since you can't prevent them from changing the file permissions. And if someone has only read network access or (or is denied access) you don't need to manage file permissions.
The potential downside of my approach is that it only controls access to the full share - if you want to control access differently for various folders within the share, you would need to use file permissions to do that. Though I think it's easy enough to divide the share into two.
The net here is that you can't manage file permissions for users who have write network access to the share, since you can't prevent them from changing the file permissions. And if someone has only read network access or (or is denied access) you don't need to manage file permissions.
We do need to manage permissions on sub-folders within a share as there are many different project groups and contractors, etc. so we would need to use the File Access/NTFS permissions.
I don't disable inheritance myself - I suspect it could result in more people accidently losing access to subfolders and fil
I mean only disable the inheritance at the root of the share on the Windows side, so I can make changes to NTFS permissions without them being mirrored on the ReadyNAS File Access list as happens when inheritance is enabled.
@DCA-IT wrote: We do need to manage permissions on sub-folders within a share as there are many different project groups and contractors, etc. so we would need to use the File Access/NTFS permissions.
Often trying to do that doesn't work well - so I do suggest managing access at the share level whenever you can.
BTW, you'll need to avoid using the "reset" control on the file access tab, as that will undo your setup.
