Group Access

I have just bought the My Cloud EX2 for my office and have been at my wit’s end with this machine. I’m trying to set up groups and give/deny them access to certain shares. To my surprise, individual user settings trump group settings, rendering them obsolete. For example, if I allow access to folder A for user 1, and put that user into a group and deny access to folder A for that group, user 1 still has access to the folder.

My question is, how can I use the group settings? If I have to set the rights for each and every user with every new share, why is there a group option?

Thank you.


Upon further investigation, I have come to the conclusion that when I use the WD My Cloud app, my access rights are my user rights (not group rights) and when I use Windows Explorer to browse the EX2, it’s very confusing:

User: deny access + Group: read only = no access 

User: read/write + Group: read only = read only

User: read/write + Group: deny access = read only

User: read only + group: deny access = read only

Other combinations most likely will result in read only.

Even more confusing, every folder (including the no access ones AND deleted ones) appears in Windows Explorer. They are not there in the My Cloud app. 

Hello,

I have not tried this, but let's see if any other user can comment on this subject. You can also contact support directly in order to get assistance with this.

Contact WD

Hi,

I’m trying to use groups too and I experience the same problems. WD, please fix it for us!

I have not used group permissions on my EX2, but based on what you posted, I can tell you from experience that in most operating systems and applications that employ both a user permission and group permission scheme, user permissions typically supersede group permissions in the permission hierarchy.  What I don’t know is if the EX2 security is cumulative, meaning, group permissions are “merged” with user permission but giving priority to the user permissions, or if group permissions are simply ignored when a user has any user permissions set.

And if you want to really blow your mind, what if you created multiple security groups with different (conflicting) permissions and you made a user a member of all those groups… which set of group permissions do you think will apply? My point is you have only scratched the surface of what professional IT managers deal with when configuring folder sharing across a network. You have opened Pandora’s Box if you want to use group permissions, user permissions, and inject users, with individual user permissions, into a group.

So I suggest this … do not set up user permissions first; set up all your group permissions first and add people to those groups. Assuming the EX2 security system is cumulative, which I can’t confirm, then if you want to tweak permissions for a particular user, who is a member of a group, configure ONLY those permissions for that user you want to be different from the group. If it’s not cumulative, you may want to consider creating multiple groups and just forgo user permissions.

I think the issue is mostly technique, not if the EX2 security system is broken.  Welcome to the **bleep** of being an IT manager :slight_smile:

Just the same thing here. I think it’s a matter of firmware update. WD could give us a word about it.

Yes. I am quite a sysadmin with Active Directory etc… and it would be logical that the group feature works the same way… Currently, as it is working, it’s useless. Please WD, do something about it :slight_smile:

Hi there,

seems that this weird group behavior is still not gone in 2.10.310.

I want to give all users read-only access to some shares and created a group called “Read”, set read-only access for the group and added the users to the group. User access rights are set to “deny access”. This results in the users not being allowed to access the shares.
The resulting smb.conf looks a bit strange:


read list = “@Folder_Read”,“@Read
write list = “admin”
invalid users = “nobody”,“wd”,“@Folder_Read”,“susan”,“martina”,“angelika”,“rene”
valid users = “@Folder_Read”,“@Read”,“admin”

My thoughts to this snippet:

  • group “Folder_Read” has been created earlier but does not exist anymore. smb.conf seems not to be correctly cleaned up when a group is deleted
  • users “susan”, “martina”, “angelika” and “rene” are members of the group “read”
  • my understanding of the smb.conf is that the line “invalid users” causes the trouble with groups; this line should not list users that have rights through a group

After having a look at the “share access” section in the web GUI, I assume the MyCloud just misses a setting “not configured” for user and group share access.
“deny access” means exactly this for the selected user, but there is no option to say “not configured” for the user, because he/she is a member of a group where it is configured.

Can anyone confirm this behavior and my assumptions?
I will file a wd support request for this afterwards.

kind regards
guzzisti

Hi again,

I had a deeper look in the smb.conf for some other shares and found more issues with cleaning up the config when a group is deleted. From my point of view a group should not be in valid and invalid users at the same time, especially when the group has already been deleted …

write list = “admin”,“rene”
invalid users = “nobody”,“wd”,“@Folder_Read”,“@Read
valid users = “@Folder_Read”,“angelika”,“martina”,“susan”,“admin”,“rene”

…nor is it useful to list a group more than once in a section…

invalid users = “nobody”,“admin”,“@Folder_Read”,“wd”,“rene”,“martina”,“@Folder_Read”,“susan”,“@Read

regards
guzzisti
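The checks described in the two posts above can be run mechanically. This is an added example, not code from the posters or from WD: a small auditor that flags deleted groups, duplicate entries and names present in both lists, and computes which users are locked out, relying on Samba's documented rule that a user matching both `valid users` and `invalid users` is denied. The sample is the first posted snippet retyped with straight quotes, and the `GROUPS` table is an assumption built from the post's description.

```python
# Constructed sample: the first share snippet from the post, with straight quotes.
SHARE = '''
read list = "@Folder_Read","@Read"
write list = "admin"
invalid users = "nobody","wd","@Folder_Read","susan","martina","angelika","rene"
valid users = "@Folder_Read","@Read","admin"
'''
# Assumed group database: Folder_Read was deleted, Read has four members.
GROUPS = {"Read": {"susan", "martina", "angelika", "rene"}}

def parse_lists(text):
    """Return {option: [names]} for the list options of one share."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            # Accept straight and typographic quotes, as pasted in the forum.
            names = [n.strip(' "\u201c\u201d') for n in value.split(",")]
            out[key.strip().lower()] = [n for n in names if n]
    return out

def expand(names, groups):
    """Expand @group entries to member users; unknown groups expand to nothing."""
    users = set()
    for n in names:
        users |= groups.get(n[1:], set()) if n.startswith("@") else {n}
    return users

def audit(text, groups):
    """Return (findings, users who are locked out of the share)."""
    cfg = parse_lists(text)
    valid, invalid = cfg.get("valid users", []), cfg.get("invalid users", [])
    findings = []
    for opt, names in cfg.items():
        for n in sorted(set(names)):
            if names.count(n) > 1:
                findings.append(f"duplicate {n} in {opt}")
            if n.startswith("@") and n[1:] not in groups:
                findings.append(f"stale group {n} in {opt}")
    for n in sorted(set(valid) & set(invalid)):
        findings.append(f"{n} in both valid and invalid users")
    # Samba denies a user who matches both lists, so these users are locked out.
    blocked = sorted(expand(valid, groups) & expand(invalid, groups))
    return findings, blocked

if __name__ == "__main__":
    print(audit(SHARE, GROUPS))
```

For the sample, all four members of “Read” come back as blocked, which matches the lockout described in the post.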

I’m having the same issue here. I’m on the latest firmware and essentially group access is useless. Any thoughts?

Hi,

my support request has been answered a few weeks after my post. Basically it was about resetting the device to factory default and try again or sending in detailed error logs from the device.
To be honest, I gave up with WD support…

kind regards
guzzisti

What I don’t understand is that the group feature was working fine for me until recently.

There are three of us in the household: me, my wife, and my daughter. We all have our user shares that we can access. I also created a share for our finances which I had not given any of the three users permission to access. However, I created a group for access to that share, and I joined my user and my wife’s user to that group. Everything was working fine. My wife and I could access the financial share even though our individual users did not have specific permission.

I only had one drive in My Cloud EX2. I bought another drive, and I changed the storage to RAID 0. I had backed up my data and saved the configuration prior to these changes. After the change to RAID 0 was done, the users were still there, but the shares were not; only the three default shares were there. I reloaded the configuration, but for some reason that didn’t work. In fact, no shares were available after that, even the default shares.

So, I added all the shares back and I could not access the shares. I couldn’t figure it out so I ended up doing a factory reset. I first did the quick one, created the users, groups, and shares, but I still could not access. Then I did a non-quick factory reset. I was still having the same problems.

After all of this, I finally figured out it was a problem with permissions. My user did not have permission to any of the shares that the group had permission for, and the group did not have access to any of the shares that my user had access to. Thus, I had no access to any private shares.

If I have to give my user permission to the same share that the group has permission to, then there is no reason to have groups! This is not right!

I think the problem here is that there are only three settings.

  • Read/Write (R/W)
  • Read Only (R)
  • Deny (D)

If the more restrictive permission always takes precedence (which I guess does make sense), then group access will never have any benefit in this case. For a user in a group to have a less restrictive permission as set by the group, then the user permission will also need to be set at that level (or even less restrictive), making the use of the group pointless.

I think for the group access to truly work there needs to be another setting of something like “Not Set” (NS). This does not grant the user (or group) access nor does it deny access. In this case we could have something like

  • User1 which is a member of Group1
    • UserShare1: R/W
    • GroupShare1: NS
  • Group1 which has a member of User1
    • UserShare1: NS
    • GroupShare1: R/W

This way User1 will have R/W access to both UserShare1 and GroupShare1. I think this is what most users are expecting to accomplish when they are setting group access on the WD NAS.

How do we get WD to fix this?

Hi,

I came to the same conclusions as you about why group access does not work, but I have no clue how to tell WD what to do to make it right.
I’m a software developer and have some experience in describing software issues, so I sent them a rather detailed support case with extracts of smb.conf. They told me to reset the unit and send in detailed system logs. Guess they never even tried to reproduce the issue for themselves.

I’m not going to beta test for WD any longer.

kind regards
guzzisti

Is this problem solved?

This does not make any sense; it seems that the permissions from the users surpass the group permissions.

Why do we need the groups after all?

I contacted WD support about this issue. Someone worked with me on the issue. After a thorough discussion the technician helping me checked with the engineering team, and it turns out that permissions are always set in the most restrictive manner. I.e., for a user to have a permission to a share, the permission must be granted on the user’s account and all groups that the user belongs to for that share.

It doesn’t really make sense. The only reason to add a user to a group would be to remove permissions from a share. But then why grant permission to the user’s account in the first place? Unless many users have access to a particular share, and you want to remove access in a simple way, you could add all users to a group, and remove the permission from the group. However, if any users are ever removed from that group, they may have access once again to the share if their user accounts have permission.

A device like this should not be a business-level solution. This is a good device for home use to manage a small to medium network. As such, having the permissions set as the most restrictive as possible does not benefit the user. Based on these settings, I will never have a use case where I will use groups.

The sad truth is that many years ago, it did work as expected, which set the least restrictive settings: if I added users to a group, and the group had permission to access the share, all users in the group would be able to access the share. At some point, the device was updated, and now it is not beneficial.
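The two permission models discussed in this thread, the "most restrictive" rule WD support described and the “Not Set” proposal from the earlier post, can be compared side by side. This is an added example, not code from the posters or from WD; `NS` is a hypothetical state the EX2 does not offer, and the conflict rule inside `with_not_set` (explicit deny wins, otherwise the most permissive grant) is an assumption, since the proposal does not specify one.

```python
from enum import IntEnum

class P(IntEnum):
    DENY = 0
    RO = 1
    RW = 2

NS = None  # hypothetical "Not Set" state from the proposal; not a real EX2 option

def most_restrictive(user, groups):
    """Rule WD support described: the user entry and every group must all grant."""
    return min([user, *groups])

def with_not_set(user, groups):
    """Proposed model. Assumption: NS entries are ignored, an explicit DENY
    anywhere wins, otherwise the most permissive grant applies."""
    entries = [p for p in [user, *groups] if p is not NS]
    if not entries or P.DENY in entries:
        return P.DENY
    return max(entries)

# Constructed ACL for the scenario in the proposal: share -> {principal: permission}.
ACL = {
    "UserShare1":  {"User1": P.RW, "@Group1": NS},
    "GroupShare1": {"User1": NS,   "@Group1": P.RW},
}
MEMBERS = {"@Group1": {"User1"}}

def resolve(acl, members, user, rule, unset=NS):
    """Effective permission per share. `unset` is the value stored for a cell
    the admin left alone: P.DENY models the three-setting UI, NS the proposal."""
    result = {}
    for share, entries in acl.items():
        def cell(name):
            value = entries.get(name, NS)
            return unset if value is NS else value
        groups = [cell(g) for g, m in members.items() if user in m]
        result[share] = rule(cell(user), groups)
    return result

if __name__ == "__main__":
    # Three-setting UI plus most-restrictive rule: User1 ends up with no access.
    print(resolve(ACL, MEMBERS, "User1", most_restrictive, unset=P.DENY))
    # Proposed model: User1 gets R/W on both shares.
    print(resolve(ACL, MEMBERS, "User1", with_not_set))
```

With only three settings, every cell the admin has not granted must be stored as Deny, so the most-restrictive rule removes access to both shares.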