How to Use Windows ACL to Manage User Permissions on the QNAP NAS

I – What is Windows ACL?

II – About ACL Permissions

III – How to Enable ACL on QNAP

IV – ACL Permission Configuration

I – What is Windows ACL?

An ACL (Access Control List) is a security concept in which a list of individual users or groups can be given specific access to certain actions on a file. For example, in the overview image above, the accountant can have write access to update the file, the sales manager can review the file, and other users are denied access.

Windows ACL allows the QNAP NAS administrator to configure file and folder permissions for the local and domain users on the NAS from Windows Explorer. The administrator can add, modify, and remove Windows ACL permissions of the NAS on Windows XP, Vista, Windows 7, Windows Server 2003, and Windows 2008.

II – About ACL Permissions

| Permission | Description |
| --- | --- |
| Traverse Folder/Execute File | For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.) For files: Execute File allows or denies running program files. (Applies to files only.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder. |
| List Folder/Read Data | List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. (Applies to folders only.) Read Data allows or denies viewing data in files. (Applies to files only.) |
| Read Attributes | Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS. |
| Read Extended Attributes | Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. |
| Create Files/Write Data | Create Files allows or denies creating files within the folder. (Applies to folders only.) Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.) |
| Create Folders/Append Data | Create Folders allows or denies creating folders within the folder. (Applies to folders only.) Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data. (Applies to files only.) |
| Write Attributes | Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete. |
| Write Extended Attributes | Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete. |
| Delete Subfolders and Files | Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (Applies to folders.) |
| Delete | Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder. |
| Read Permissions | Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write. |
| Change Permissions | Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write. |
| Take Ownership | Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder. |
| Synchronize | Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs. |
Note: You will not be able to access an encrypted file without the Encrypting File System (EFS) key, even if you have the necessary permissions.

III – How to Enable ACL on QNAP

Note: The QNAP NAS firmware must be v3.7.0 or above.

This application note will guide you to:

Enable Windows ACL

Log in to the NAS as “admin”. Go to “Access Rights Management” > “Share Folders” > “Advanced Options”, select “Enable Windows ACL Support” and click “Apply”.

Note: When Windows ACL is enabled while Advanced Folder Permissions are disabled, the file and folder permissions will only apply to the Samba service. To apply the permission settings to Samba, FTP, AFP, and Web File Manager, please also enable “Advanced Folder Permissions”.

IV – ACL Permission Configuration

Configure Basic Permissions

Open Windows Explorer and connect to the NAS via Samba. Right click a shared folder and select “Properties”. Under the “Security” tab are the permission settings. Click “Edit”.

Select a user name (NAS local or domain user). Modify the permissions for the user and click “Apply”.

Configure Advanced Permissions

To configure advanced permissions, right click a shared folder and select “Properties”. Click “Advanced” under the “Security” tab.

Click “Change Permissions”.

Click “Edit” to configure the advanced permissions. Modify the permission settings and click “Apply”.

Calculate Effective Permissions

To calculate the effective permissions of a user account, right click a shared folder and select “Properties”. Click “Advanced” under the “Security” tab.

Select the “Effective Permissions” tab. Under “Group or user name” click “Select”; input a user or group name. Click “OK”.

The effective permissions of the user or group will be shown.

Transfer Files from a Windows Server to the NAS

After enabling Windows ACL, users can transfer files from a Windows server to the NAS while keeping the file ACL permissions. Third-party software is required. The freeware “FastCopy” will be used as an example. For more information about FastCopy, please visit http://ipmsg.org/tools/fastcopy.html.en

  1. Log in to the Windows Server with an administrator account. Connect to a shared folder of the NAS and map it as a network drive. Here we assign the drive name Z: as an example.
  2. Launch FastCopy.
  3. Specify the source directory in “Source” and the NAS folder (drive Z) as the destination directory in “DestDir”. Please remember to enable the ‘ACL’ option to allow the NAS to inherit the ACL permissions from the Windows Server.
  4. Click “Execute” to start the replication job.

Please note that the permissions inherited from the root folder could become explicit permissions. After finishing the data transfer, check the permission settings on Windows,
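A scripted version of this post-transfer check, as an added example (not part of the original article and not QNAP or FastCopy tooling): it compares each item's ACL on the Windows source with its copy on the mapped NAS drive and reports ACEs that were inherited on the source but are explicit on the NAS, plus any ACEs present on only one side. The paths `D:\Data` and `Z:\Data` are placeholder assumptions, and the script assumes both trees have the same layout.

```powershell
# Added example. $Source/$Dest are placeholder paths (assumptions);
# Z: is the mapped NAS share from step 1 of the transfer procedure.
param(
    [string]$Source = 'D:\Data',   # hypothetical source tree on the Windows server
    [string]$Dest   = 'Z:\Data'    # the same tree on the NAS after the copy job
)

function Get-AceTable {
    param([string]$Path)
    # Map "identity|Allow/Deny|rights" -> $true only if every such ACE is inherited
    $table = @{}
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $key = '{0}|{1}|{2}' -f $ace.IdentityReference.Value,
                                $ace.AccessControlType, $ace.FileSystemRights
        $table[$key] = $ace.IsInherited -and (-not $table.ContainsKey($key) -or $table[$key])
    }
    $table
}

$srcRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')

Get-ChildItem -LiteralPath $srcRoot -Recurse -Force | ForEach-Object {
    $rel     = $_.FullName.Substring($srcRoot.Length).TrimStart('\')
    $dstPath = Join-Path $Dest $rel
    if (-not (Test-Path -LiteralPath $dstPath)) {
        return [pscustomobject]@{ Path = $rel; Finding = 'missing on NAS'; Ace = $null }
    }
    $src = Get-AceTable $_.FullName
    $dst = Get-AceTable $dstPath
    foreach ($key in $dst.Keys) {
        if (-not $src.ContainsKey($key)) {
            # Also fires when a server-local account has no identically named NAS account
            [pscustomobject]@{ Path = $rel; Finding = 'ACE only on NAS'; Ace = $key }
        } elseif ($src[$key] -and -not $dst[$key]) {
            [pscustomobject]@{ Path = $rel; Finding = 'inherited on source, explicit on NAS'; Ace = $key }
        }
    }
    foreach ($key in $src.Keys) {
        if (-not $dst.ContainsKey($key)) {
            [pscustomobject]@{ Path = $rel; Finding = 'ACE missing on NAS'; Ace = $key }
        }
    }
} | Sort-Object Path, Finding | Format-Table -AutoSize -Wrap
```

An empty result means every ACE matched in identity, type, rights and inheritance state; rows marked "inherited on source, explicit on NAS" will not follow later permission changes made on the parent folder.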


6 Responses to How to Use Windows ACL to Manage User Permissions on the QNAP NAS

  1. Pingback: How To Fix Dropbox Error 509 Bypass in Windows

  2. Joao says:

    I have a problem. ACL is enabled but users can’t delete any file created by themselves on a folder where they have Modify rights. Windows asks for NAS\user permission. The nas\user has r/w attributes. Why is Windows asking for nas\rights when ACL is on? How to solve this?

  3. Frank says:

    Windows ACL support on QNAP doesn’t work.
    As soon as that is enabled I can no longer connect to the shared folder, with the error “The network name cannot be found”. Tried with the IP and HOSTNAME.
    The permissions are set properly on the shared folder, it just doesn’t work…

  4. Gabriel Guedes says:

    When using Domain Groups, users of the group can’t access. FW 4.2.0

    If I use a direct user on permissions it’s OK.
