How to lock an admin from changing dataset permissions?

Julien9

Cadet
Joined
Apr 28, 2023
Messages
5
I just started out with TrueNAS Scale, so perhaps I'm just missing something obvious. But: how do I restrict the admin from editing permissions of a certain dataset?

Let me describe the situation in more detail.
I have a system wherein each user has their own personal space for storing their data. I want to restrict access to this data for anyone without permission. That part goes okay. I set up the user as the owner of the dataset, delete all other permissions and we're done. Other users cannot access the data, even with the admin credentials.
However, I could still, theoretically, change these permissions in the future and give a new user access to another user's personal dataset. My users want assurance that the admin cannot simply open up their files to another user without their consent.
Is there some way in which to set this up?

Any help is much appreciated. I've been slamming my head against this for the better part of the day by now, and I cannot seem to find any documentation on this use case.

Thanks,
Julien
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
However, I could still, theoretically, change these permissions in the future and give a new user access to another user's personal dataset. My users want assurance that the admin cannot simply open up their files to another user without their consent.
Is there some way in which to set this up?

No. By definition, an administrator has the ability to set policy on the system. You cannot prevent the administrator from doing the role the administrator is built for. At best, you could follow some multi key holder strategy to prevent access to the admin account without the consent of all users, but that's certainly not a feature built into the system.
 

Julien9

Cadet
Joined
Apr 28, 2023
Messages
5
Thanks for the quick reply! I appreciate it.
Too bad that this is not possible. I'll have to think of another solution, then.
 

2twisty

Contributor
Joined
Mar 18, 2020
Messages
145
You're going to have a hard time finding that solution. By its very definition, an admin is GOD on the system. Someone has to be.
 

Julien9

Cadet
Joined
Apr 28, 2023
Messages
5
Thanks for answering. I indeed haven't had any luck finding anything like it. Guess they'll just have to live with it XD
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I’ve run into this scenario, running a Nextcloud instance for 10 users and growing…

Even with the plug-in (which you shouldn't use), you can still view any file on the system.

This I’m sure is where integrity and trust play a huge part. And probably why there are so many laws regarding these things about privacy and so forth…
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Even with the plug-in (which you shouldn't use), you can still view any file on the system.
If "you" is the admin, yes, that's the case. Nextcloud has the end-to-end encryption setting, which will avoid this, but it introduces other issues (mainly, as far as I recall, that you can't access encrypted files through the web UI). But otherwise, as Pitr said,
 

Julien9

Cadet
Joined
Apr 28, 2023
Messages
5
This I’m sure is where integrity and trust play a huge part. And probably why there are so many laws regarding these things about privacy and so forth…
Yeah, I'm thinking of just setting up some sort of data processing agreement for this.

If "you" is the admin, yes, that's the case. Nextcloud has the end-to-end encryption setting, which will avoid this, but it introduces other issues (mainly, as far as I recall, that you can't access encrypted files through the web UI).
Thanks for the suggestion. Encryption has its own risks which makes it a worse option for my use case.

I appreciate all the input, by the way :)
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Perhaps I shouldn't mention it, but BSD and therefore TrueNAS CORE does have the securelevel facility that can be used to set and lock permissions such as schg on directories and files, which prevents anyone, even root, from making changes while in multi-user mode. This means that you would need to go to single-user mode to make any changes, which is typically somewhat onerous and also noticeable. It isn't exactly what you're asking for, but it may be the closest thing.
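As an added illustration of the securelevel/schg approach above (not code from the thread or from TrueNAS itself), a small POSIX shell audit that parses `ls -lo` output for the schg flag and checks kern.securelevel. The home path, user names and sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers for the schg/securelevel
# approach on FreeBSD-based TrueNAS CORE. Paths and the listing are constructed.

# FreeBSD semantics: at kern.securelevel >= 1 the system immutable flag (schg)
# cannot be cleared, not even by root, until the box is rebooted to single-user
# mode. At level 0 (or -1) root can simply run `chflags noschg <dir>`.
schg_locked_at_level() {
    [ "$1" -ge 1 ]
}

# Read the live value; kern.securelevel exists only on FreeBSD, so print
# "unknown" on other systems instead of failing.
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo unknown
}

# Consume `ls -lo` output on stdin and print each entry whose flag column
# (field 5, "-" when no flags are set) lacks schg. Names containing spaces
# are not handled; the field-count check skips the "total N" line.
unlocked_entries() {
    awk 'NF >= 10 && index("," $5 ",", ",schg,") == 0 { print $NF }'
}

# Audit a parent directory of per-user datasets, e.g. /mnt/tank/home (constructed).
# Caveat: schg on a directory also freezes its entries, so users can only
# create and delete files in subdirectories below the locked top level.
audit_home() {
    lvl=$(current_securelevel)
    if [ "$lvl" = unknown ] || ! schg_locked_at_level "$lvl"; then
        echo "kern.securelevel=$lvl: root can still clear schg in multi-user mode"
    fi
    ls -lo "$1" | unlocked_entries | sed 's/^/missing schg: /'
}

# Constructed sample of `ls -lo` output for stand-alone runs and the test.
SAMPLE_LS='total 6
drwx------  2 alice  alice  schg 512 Apr 28 12:00 alice
drwx------  2 bob    bob    - 512 Apr 28 12:00 bob
drwx------  2 carol  carol  schg,sunlnk 512 Apr 28 12:00 carol'

# Stand-alone run: lists the one constructed entry without schg ("bob").
printf '%s\n' "$SAMPLE_LS" | unlocked_entries
```

On a real CORE box, `audit_home /mnt/tank/home` (your own path) reports both conditions: directories still lacking schg and a securelevel at which root could clear it without a reboot.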
 