Groups

For a very small number of users accessing a shared storage solution it may be a consideration to create individual user accounts however you should really consider starting out with a group template. Not only will this make adding more users in the future a speedier process but it will also offer consistency of access control and potentially shorten the time taken to administer the system. I say potentially as group templates for a small user base only really prove useful if there is some level of consistency between user requirements but if users requirements are radically different, and the number of users small, individual group accounts may be more appropriate.

Before we continue let us talk about priorities. It is possible, and likely, that users will be assigned to multiple groups so what would happen, for example, if a user is assigned to two groups which have permissions for the same folder but one group provides “Read/Write” access whereas the other group provides “No access”?

In this case we may wonder which group should take priority and which access control should be implemented.

Many security systems, including the Synology DSM, apply the general principle of least privilege so a general order for conflicting privileges may be “No Access” gets priority, then Read-only, Read/Write then Full Access so the amount of access starts at the minimum and increases as the least privilege priority falls. A least privilege principle, in this sense, helps to ensure the system is kept as secure as it can be.

Note: The Synology DSM uses the order “No Access”, “Read/Write”, then “Read Only”.