P4 – Synology File Server Permissions Explained | Secure Department Data

🚀 NAS – P4 Synology File Server Permissions Explained – Secure Data by Department

🔎 Introduction

In this part of the NAS series, we will clearly explain Synology File Server permissions and how to properly secure company data by department using DSM. Understanding permission structure is essential when deploying Synology NAS in a business environment, especially after joining the NAS to an Active Directory domain.

Incorrect permission configuration is one of the most common causes of data leaks and internal security incidents. This tutorial will help you design a clean, scalable, and secure permission model for departmental file sharing.

This guide is ideal for:

  • IT administrators managing company file servers

  • System engineers deploying Synology in production

  • SMB businesses organizing department-based access

  • Homelab users simulating enterprise infrastructure


🏗 Understanding Synology Permission Structure

Before assigning permissions, it is important to understand how Synology handles access control.

Synology DSM permissions are based on:

✔ User accounts
✔ Groups (Local or Domain)
✔ Shared Folder permissions
✔ Advanced ACL (Windows-style permissions)

When Synology is joined to Active Directory, you can assign permissions directly to Domain Users and Domain Groups, which is strongly recommended for scalability.


🏢 Recommended Enterprise Folder Structure

A clean and secure departmental structure typically looks like this:

 
Company-Share
├── HR
├── Accounting
├── Sales
└── IT

Each department should have:

  • Its own dedicated AD group

  • Restricted access only to authorized members

  • No permission overlap unless required


🔐 Step-by-Step: Secure Data by Department

🔹 Step 1: Create Department Groups (Active Directory Recommended)

On your Domain Controller, create security groups such as:

  • HR_Group

  • Accounting_Group

  • Sales_Group

  • IT_Group

Add users to the appropriate department group.

Best practice: Never assign permissions directly to individual users.


🔹 Step 2: Create Shared Folders on Synology

Navigate to:

Control Panel → Shared Folder → Create

Create shared folders for each department:

  • HR

  • Accounting

  • Sales

  • IT

Enable Recycle Bin if required.


🔹 Step 3: Assign Basic Shared Folder Permissions

During folder creation or after:

Go to:

Control Panel → Shared Folder → Edit → Permissions

Assign:

  • HR_Group → Read/Write on HR folder

  • Accounting_Group → Read/Write on Accounting folder

  • Sales_Group → Read/Write on Sales folder

  • IT_Group → Full Control (if required)

Ensure other groups are set to:

❌ No access

This prevents cross-department data exposure.


🔹 Step 4: Configure Advanced Permissions (ACL)

For granular control:

Go to:

Shared Folder → Edit → Advanced Permissions

Enable Windows ACL support.

This allows:

✔ Inheritance control
✔ Subfolder-level restrictions
✔ File-level security
✔ Detailed audit configuration

Advanced ACL is recommended for enterprise deployments.


🛡 Security Best Practices

✔ Use Group-Based Permission Model

Always assign permissions to groups, not users. This simplifies management when employees join or leave.


✔ Apply Least Privilege Principle

Users should only have access to what they need.

Example:

  • HR should not access Accounting

  • Sales should not access HR documents


✔ Separate Management and User Access

Avoid using admin accounts for daily file operations.

Create:

  • Admin group (for IT only)

  • Department user groups


✔ Enable Audit Log

Go to:

Control Panel → Log Center

Enable file access logging for compliance tracking.

This helps monitor:

  • Unauthorized access attempts

  • File deletion events

  • Permission changes


🌐 Testing Access from Windows Client

From a domain-joined Windows PC:

Open:

 
\\NAS-IP

Log in using domain credentials.

Verify:

✔ HR users can access HR only
✔ Accounting users cannot access Sales
✔ IT admin can manage all departments

Testing is critical before production rollout.


⚠ Common Permission Mistakes

Avoid these common configuration errors:

❌ Assigning permissions to individual users
❌ Leaving “Users” group with Read access
❌ Forgetting to remove inherited permissions
❌ Mixing local users and domain users inconsistently

A clean permission model prevents future complexity.
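The checks from Step 3 and the mistakes listed above can be run as a lint over a permission matrix before rollout. This is an added example, not part of the original tutorial and not a Synology tool: the row format, the `CORP` domain, the `jsmith` account and the `<Share>_Group` naming rule are assumptions made for illustration. It does not cover inherited permissions.

```python
from collections import defaultdict

ADMIN_GROUPS = {"IT_Group"}                      # assumption: IT manages every share
BROAD_GROUPS = {"users", "domain users", "everyone"}

# Constructed sample rows: (share, principal, kind, access), transcribed by hand
# from each folder's Permissions tab. This is not a DSM export format.
SAMPLE = [
    ("HR",         "CORP\\HR_Group",         "group", "rw"),
    ("HR",         "CORP\\jsmith",           "user",  "rw"),    # individual user
    ("HR",         "CORP\\IT_Group",         "group", "rw"),    # admin group, allowed
    ("HR",         "CORP\\Sales_Group",      "group", "none"),  # explicit No access
    ("Accounting", "CORP\\Accounting_Group", "group", "rw"),
    ("Accounting", "users",                  "group", "ro"),    # local catch-all group
    ("Sales",      "CORP\\Sales_Group",      "group", "rw"),
    ("Sales",      "CORP\\HR_Group",         "group", "ro"),    # cross-department
    ("IT",         "CORP\\IT_Group",         "group", "rw"),
]

def short(principal):
    """Strip the 'DOMAIN\\' prefix, if any."""
    return principal.split("\\")[-1]

def audit(rows):
    """Return (share, principal, finding) tuples for rows that break the model."""
    findings = []
    scopes = defaultdict(set)                    # share -> {"domain", "local"}
    for share, principal, kind, access in rows:
        if access == "none":
            continue                             # No access is the desired default
        name = short(principal)
        scopes[share].add("domain" if "\\" in principal else "local")
        if kind == "user":
            findings.append((share, principal, "individual-user"))
        elif name.lower() in BROAD_GROUPS:
            findings.append((share, principal, "broad-group"))
        elif name != f"{share}_Group" and name not in ADMIN_GROUPS:
            findings.append((share, principal, "cross-department"))
    for share, kinds in sorted(scopes.items()):
        if len(kinds) > 1:                       # local and domain principals mixed
            findings.append((share, "*", "mixed-local-domain"))
    return findings

if __name__ == "__main__":
    for share, principal, finding in audit(SAMPLE):
        print(f"{share:<11} {principal:<24} {finding}")
```
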


🏁 Conclusion

Properly configuring Synology File Server permissions is essential for securing departmental data in any organization.

By implementing:

  • Active Directory group-based access

  • Structured shared folders

  • Advanced ACL configuration

  • Least privilege principle

you create a scalable, secure, and enterprise-ready NAS environment.

This approach ensures:

✔ Data isolation by department
✔ Reduced risk of internal data leaks
✔ Simplified user lifecycle management
✔ Compliance-ready logging and auditing

In the next part of this NAS series, you can further enhance security by implementing quota management, snapshot protection, or backup policies.
