
Colliding ACL rules when user is in multiple groups #598

Open
SimJoSt opened this issue Sep 10, 2019 · 6 comments
Labels
1. to develop Issues that are ready for development bug feature: acl Items related to the groupfolders ACL or "Advanced Permissions"

Comments

@SimJoSt (Contributor)

SimJoSt commented Sep 10, 2019

We use ACLs for a group folder. This folder is available to multiple groups. Some users are in multiple of those groups.

Some folders have ACL permissions set to prevent one user group from accessing them, while the other group should still be able to access them, as inherited from the folder above.
The users in multiple of the groups now don't have access to this specific folder.

Do these permissions work in an "and" or an "or" way? And can the behaviour be changed?

@icewind1991 (Member)

icewind1991 commented Sep 17, 2019

If a user has multiple ACL rules matching for a single folder they work in an "or" way (so "allow" overwrites "deny")

@ChrissW-R1

If a user has multiple ACL rules matching for a single folder they work in an "or" way (so "allow" overwrites "deny")

That is not right. We have a setting in which the user is in different groups, with colliding permissions. And the users don't have the allowed permissions.

We use this structure:
root
├─┬─ company_a
│ ├─ department_a1
│ └─ department_a2
├─┬─ company_b
│ ├─ department_b1
│ ├─ department_b2
│ └─ department_b3
└─┬─ company_c
  └─ department_c1

Every employee should be able to read (and only read) everything in his company share. But write rights should only be enabled for the department folder(s) of the department(s) the user is assigned to.


Sure it is possible, that we configured something wrong, but we have no idea what. Any tips?

@putt1ck

putt1ck commented Mar 25, 2020

I've just worked through this for a customer so hopefully this will help:

1. at groupfolder level grant to the relevant groups the maximum permission the organisation would ever want members of that group to have in the groupfolder (where groupfolder means everything within it, whether subfolders or files, no matter how many levels of subfolders are intended);
2. with the share tab of the groupfolder (as a user in a group with permission to use advanced permissions) add any additional restrictions you want at that level, e.g. in a scenario for company information you probably want only a few individuals to create new subfolders, so you grant them those permissions and then add rules for the groups to restrict to read only;
3. then on the desired subfolders add rules to grant back permissions to users or groups as needed, and so on down the tree.

NB when a user is in more than one group where one has more relaxed permissions then you need a rule for both groups.

@pierreozoux pierreozoux added feature: acl Items related to the groupfolders ACL or "Advanced Permissions" bug labels Mar 14, 2021
@pierreozoux pierreozoux added the 0. Needs triage Issues that need to be triaged label Mar 28, 2021
@fschrempf (Contributor)

fschrempf commented Nov 4, 2021

It sounds like this is the problem also described in #1212. A potential fix is in #1654. Please confirm that this would fix the issue. If possible, test/review the mentioned PR.

Even without this PR the workflow described by @putt1ck above works fine. It's not really intuitive and straightforward, though.

@fschrempf (Contributor)

If a user has multiple ACL rules matching for a single folder they work in an "or" way (so "allow" overwrites "deny")

Yes, but this should also apply to inherited permissions from a parent folder, which is currently not the case and causes a lot of confusion and extra rules needed. The rules should be inherited per user/group. See #1654 for a solution.
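The comments above describe two ways the matching rules could be combined for a user who is in several groups: icewind1991's "or" between rules on the same folder, putt1ck's workaround of adding a rule for the second group on the restricted subfolder, and fschrempf's point that inheritance from the parent folder should happen per user/group. The following Python model, added here as an illustration and not the groupfolders code, evaluates both orders on a constructed version of ChrissW-R1's tree. The group names, paths, base permission set and the two evaluation functions are assumptions made for the example; only the permission bit values are Nextcloud's own.

```python
"""Toy model of how stacked group-folder ACL rules combine for a user who
is in several groups.  Added for this thread as an illustration; it is NOT
the groupfolders implementation.  It contrasts the two evaluation orders
the comments discuss: merging every matching rule per folder before
descending (the behaviour SimJoSt and ChrissW-R1 ran into), and inheriting
per user/group mapping before combining (what fschrempf asks for).  Group
names, paths and the base permission set are constructed for the example."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Nextcloud permission bits (OCP\Constants::PERMISSION_*)
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
WRITE = UPDATE | CREATE | DELETE


@dataclass(frozen=True)
class Rule:
    path: str         # folder inside the group folder; "" is the group folder root
    mapping: str      # "group:<name>" or "user:<uid>"
    mask: int         # bits this rule decides (the toggles set in "advanced permissions")
    permissions: int  # value of the masked bits; bits outside the mask are inherited


def apply_rule(current: int, mask: int, permissions: int) -> int:
    """Overwrite the masked bits, keep everything else from the parent."""
    return (current & ~mask) | (permissions & mask)


def merge_rules(rules: Iterable[Rule]) -> Tuple[int, int]:
    """'or' merge of rules on one folder: an allow from any matching rule beats a deny."""
    mask = perms = 0
    for r in rules:
        mask |= r.mask
        perms |= r.permissions & r.mask
    return mask, perms


def ancestors(path: str) -> List[str]:
    """Root first: "", "company_a", "company_a/management"."""
    parts = [p for p in path.split("/") if p]
    return [""] + ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def merge_per_folder(rules: List[Rule], mappings: Set[str], path: str, base: int) -> int:
    """Model 1: walk down once; at each folder merge all rules matching the user, then apply.
    A deny on a subfolder for group A wins even though group B's allow was inherited from
    above, because group B has no rule on that folder to be merged in."""
    perms = base
    for folder in ancestors(path):
        matching = [r for r in rules if r.path == folder and r.mapping in mappings]
        if matching:
            perms = apply_rule(perms, *merge_rules(matching))
    return perms


def inherit_per_mapping(rules: List[Rule], mappings: Set[str], path: str, base: int) -> int:
    """Model 2: walk down separately for every mapping that has a rule on the path,
    so group B's inherited allow survives, then 'or' the per-mapping results."""
    chain_folders = ancestors(path)
    results = []
    for m in mappings:
        chain = [r for r in rules if r.mapping == m and r.path in chain_folders]
        if not chain:
            continue  # a mapping without any rule on the path does not vote
        perms = base
        for folder in chain_folders:
            for r in chain:
                if r.path == folder:
                    perms = apply_rule(perms, r.mask, r.permissions)
        results.append(perms)
    out = 0
    for p in results:
        out |= p
    return out if results else base


# Constructed scenario on ChrissW-R1's tree: company staff read-only, a department
# that gets write back, and a management folder hidden from ordinary staff.
BASE = READ | WRITE  # what the group folder itself grants to its groups (constructed)
RULES = [
    Rule("company_a", "group:company_a", READ | WRITE, READ),              # staff: read only
    Rule("company_a", "group:management", READ | WRITE, READ),             # management: read only too
    Rule("company_a/department_a1", "group:department_a1", WRITE, WRITE),  # write back for the department
    Rule("company_a/management", "group:company_a", READ, 0),              # hide from ordinary staff
]
# putt1ck's workaround: a second rule on the restricted folder for the more relaxed group.
WORKAROUND = RULES + [Rule("company_a/management", "group:management", READ, READ)]


def scenario() -> dict:
    manager = {"group:company_a", "group:management"}  # in both groups, as in the report
    dev = {"group:company_a", "group:department_a1"}
    return {
        "manager_merge": merge_per_folder(RULES, manager, "company_a/management", BASE),
        "manager_inherit": inherit_per_mapping(RULES, manager, "company_a/management", BASE),
        "manager_workaround": merge_per_folder(WORKAROUND, manager, "company_a/management", BASE),
        "dev_merge": merge_per_folder(RULES, dev, "company_a/department_a1", BASE),
        "dev_inherit": inherit_per_mapping(RULES, dev, "company_a/department_a1", BASE),
    }


if __name__ == "__main__":
    for name, perms in scenario().items():
        print(f"{name:20s} perms={perms:2d} read={bool(perms & READ)} write={bool(perms & WRITE)}")
```

Running it shows the user who is in both company_a and management losing READ on company_a/management under per-folder merging, keeping it under per-mapping inheritance, and getting it back under per-folder merging once the extra rule for the management group is added. The department write-back case gives READ plus write under both orders, which is why the layered "restrict at the top, grant back below" approach from putt1ck works even without the PR.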

@rubentolosa

I'm in Nextcloud 26 and Group folders 14.0.3 and I think I'm facing the same bug.

If I give advanced permissions (write) on a folder to a user who is already in a group without write permissions, he can write to that folder and "sees" that he has inherited permissions on subfolders. But that is not true: the subfolders are not writable for him.
