Nextcloud supports accessing, modifying, and managing your files in multiple ways. Anyone who has used Nextcloud has most likely become acquainted with the user-friendly and intuitive web interface.
Regular users might also have used the Nextcloud client for Android or iOS, or the Desktop client for any of the supported operating systems. The Nextcloud client allows any user to synchronise files locally and manage them completely offline. Whenever the device with the client installed is reconnected to the internet, the changed, deleted, or new files are synchronised to the Nextcloud server. This approach is advantageous in environments where users are forced to go offline for a period of time, e.g. due to low signal, for security reasons, or because of power outages.
If signal is not a concern, but storing files away from the Nextcloud server is, users may also use the Web Distributed Authoring and Versioning (WebDAV) protocol. As an extension to the HTTP protocol, it allows a user to mount the folder directly on the client in order to access and modify its contents directly. This method of authoring files is advantageous in settings where content must be edited locally, but files must not be permanently stored on the client.
Organisations may have multiple reasons to prefer one method of authoring files over the other. Maybe an organisation wants to disallow the use of Nextcloud clients, to prevent data from being stored locally in case a device is lost or stolen. Or maybe a department requires editing files locally while not connected to the network. Maybe an organisation sees no reason for users to use either the Nextcloud client or WebDAV mounts, as a Nextcloud Office server is available for employees to use. The good news is that a complex, customised setup of access methods and restrictions is available in Nextcloud.
Using the Nextcloud application "File access control", an organisation can set specific limits and permissions based on IP addresses, group memberships, file names, file sizes, file MIME types, time periods and URL patterns.
Let's consider the case of an organisation wanting to disallow the use of the Nextcloud clients in order to prevent employees from synchronising company data to their private devices. However, they need a specific department to be able to use the Nextcloud client for creating, editing and managing files offline.
There are multiple ways to achieve this with the "File access control" application, but in a large organisation the directory hierarchy is most likely synchronised from an employee database, or group memberships are provided in claims from the Identity Provider. With this in mind, an administrator could set up a "Block access to a file" flow from within "Administration Settings -> Flow", dictating that if the request's User-Agent matches the User-Agent of a Desktop client and the user requesting the file is not a member of a certain group, file access should be blocked. Additionally, an administrator could create flows restricting access to files from the Android and iOS clients as well.
Another example could be to limit WebDAV mounts to organisation devices only. This could be achieved by limiting access to the WebDAV URLs to a certain IP range. Both rules are shown in the image below. The wide range of available criteria and rules permits organisations to enhance the security of their Nextcloud installation to fit their specific needs.
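The two flows described above, modelled as an added example so the decision logic can be checked against sample requests. This is not the File access control app's own code (the app is configured through the Flow settings UI); the group name, corporate address range, client User-Agent fragments and WebDAV paths are assumptions to adapt to your own installation and access logs.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed group that may work offline and assumed corporate address range (constructed).
OFFLINE_GROUP = "field-department"
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumed User-Agent fragments of the Nextcloud desktop, Android and iOS clients.
CLIENT_UA = re.compile(r"mirall|Nextcloud-android|Nextcloud-iOS", re.IGNORECASE)
# Assumed WebDAV endpoint paths on the Nextcloud server.
WEBDAV_PATH = re.compile(r"^/remote\.php/(dav|webdav)(/|$)")


@dataclass
class Request:
    user: str
    groups: set
    user_agent: str
    path: str
    client_ip: str


def blocked_by_client_rule(req):
    """Flow 1: block sync clients unless the user belongs to the offline-work group."""
    return bool(CLIENT_UA.search(req.user_agent)) and OFFLINE_GROUP not in req.groups


def blocked_by_webdav_rule(req):
    """Flow 2: block WebDAV requests from outside the organisation's address range."""
    if not WEBDAV_PATH.match(req.path):
        return False
    return ipaddress.ip_address(req.client_ip) not in CORPORATE_NET


def evaluate(req):
    """Return the names of the flows that would block this request (empty list = allowed)."""
    hits = []
    if blocked_by_client_rule(req):
        hits.append("block-sync-clients")
    if blocked_by_webdav_rule(req):
        hits.append("block-external-webdav")
    return hits
```

Note that the sync clients talk to the server over the same WebDAV endpoint, so the second flow as stated also blocks the permitted department's clients when they connect from outside the address range; add a User-Agent criterion to it if that is not intended.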