 Okay, there always seems to be a lot of confusion around how permissions work in FreeNAS. So what I have here is a brand new clean load of FreeNAS. I just logged into it, haven't even set up the drives yet, and I wanted to walk you through how to set up a user, permissions, and the shares. So let's start with the basics here. We're going to go to account, users, add the user, and we're going to add the user Tom. Now the user names are not case sensitive when you log into Windows. They are case sensitive when you're adding permission, so that's something to think about when you're doing this. I'm going to go ahead and leave it lower case Tom, and then we'll set a password. All right, and then we'll leave everything else at default. There's nothing else we really need to do here. All right, the user's been added, and we're going over here to storage. As I said, I haven't even created anything yet, so we're just going to create a, we'll call it the drunk tank. All right, just basic RAIDs, and it really doesn't matter how you build your volume out. That doesn't make any difference on the permissions, not at this level. So now we're going to add the volume. All right, now we have a volume set, and we have the drunk tank here. So now the next thing to do, so we'll go here to create a data set. I'm sorry, we're going to create a data set for the share. So here's the data set. I'm going to call it Tom's and put some Zs after it, you know, because we can, Thomas share, Thomas shares. Everything else we're just going to leave at default. We're going to add the data set. Now we can click here to the data set, and now I want to change permission. So we go down here to the little key, and we see root owns this. We want to change it to Tom. Now this is where the case sensitivity comes in. If Tom was capitalized, it has to be capitalized here. If you were to type it in, if it's lowercase, it's got to be lowercase. So the most important part is that they match. 
We can leave the group at wheel that we're going to do groups next. First we just want to cover how to set up to the user, set up the permissions and get it going. Now we want the owner, as in Tom, the owner, to have read, write, and execute permissions. It's up to you if you want to give the group read, write, and permissions, like people that belong in the same group or other. For purposes of this, we're going to uncheck these to make sure we only have permissions for Tom. That way other users don't get to see inside this folder or anything else. You can't leave these at default, as long as you have the right username, password, they'll be able to do it. But this gives you an idea of how this works. Now if you had a bunch of folders you already created in that data set, and you create a bunch of folders, you may want to set this permissions recursively, which means pass these permissions on down the line. So here we are at Tom, default group wheel, which is fine. Set permissions recursively and hit change. Now that's owned by Tom and wheel as the group. Wheel is the default group for SMB services. So now we're going to go over here to sharing. Now, because this is brand new, I haven't enabled the sharing service, but it'll automatically enable it when we create a share. So we're going to add an SMB share, so Windows SMB, add Windows SMB share, browse, default is going to be mount, drunk tank, Tom's, because that's the permission one we want, and this is Tom's share. Now, I am going to go to advanced mode, not really to change any other settings, but to add a comment, I'm not sure why they put it under advanced, but the problem I have run into, just so you know, I have seen some devices such as scanners that like comments in there. If there's no comment, they just give an error and won't see the share. Windows doesn't seem to care. 
So if you're just doing this across Windows or Linux, it doesn't really seem to care, but it does care for some older devices, but it's nice to have comments, Tom's shares. And this is just a text comment, so when you're looking at it and list, you can see what's on there. We'll leave everything else at default, though. Hit OK. Would you like to enable the service? Yes. And all that did was come over here to the SMB under the services page and started the SMB service, and it checked the box for you, started boot. Could have done that ahead of time if you wanted to, but the nice thing is FreeNAS is smart enough to go, hey, you added the service, so I want to go ahead and enable it here. So now we can fire up Windows and we can get into that share. So let's move this out of the way and we're going to open up Windows. All right, so now we're in Windows and we're just going to go slash, slash. And I've got the drive, the saved, which is the 192.168.3.144, which of course, this is the same IP address that we were logged in through Firefox here. So that's the IP address for FreeNAS. If you didn't notice that earlier, move that away. There's Tom's share. Now it prompts me for username password and I can't see anything in there without it. So we'll put in the username Tom and the password. Now, if I wanted to, I could save these credentials and it would let me in there. Had to type the password, right? So now I'm in here. Now I could have saved the credentials and it would have let me. The other option, if you don't want to save credentials, but you wanted to automatically have those shares, is you set the username on your computer to be the same, which this one happens to have the username of Tom's. I could create a username and a password on this system and it matches the same username and password on FreeNAS and it'll log in without prompting me. So that's another option. 
Now the other thing you can do is when you're mapping a network drive, for example, right click map network drive, I can say connect using different credentials and then use a different credential set when you log on to the air and windows. But that's all you have to do to get the share permissions to work and get read write access going. Just a few steps that we did there. Test, oops. Test folder and then we can even drag things over here. Copy them in. It's all full read write permissions. Now let's go to the next step. Let's say we wanted a wide open share as they call it. And maybe you're not worried about something happening in your networking, you want a no permissions wide open everything share. So we're going to go back over here to our FreeNAS box. We'll start at the storage. We're going to add a new data set. Call it share all the things. Share all the things. And we leave everything else the same. Add data set. Now we're going to do something a little bit different permissions because we want it to be everyone share. Now I'm going to change these two. Let me just delete this out to nobody. And then we'll change this one to nobody. And make sure we have all the permissions checked. So everything's wide open on this. We'll leave the set recursively change. Now the reason we did nobody is because, and let's go over here to our services. And we're going to go to our SMB service. And you're going to see that the guest account is nobody. So when we go here to create the share, sharing, window share, add windows SMB share, prompt. This is share all the things. The share name will be just be share all things. Now we're going to go to advance mode. And we're going to check. We're going to do a comment. So I like the comments in there. We'll put spaces and comments. And we have allow guest access, only allow guest access. What that means is don't log anything. Don't ask for a username. Don't ask for a password. Don't ask for permissions. 
If they can see the share, they can get into the share. So it's basically a wide open share. So let me get this out of the way. And I'm logged in. So I'm going to log off just to clear the credentials. Oh, by the way, if you're having trouble with windows, it remembers credentials until you log out. There might be some easier way to clear it. But that's a quick way to do it, to clear out any credentials for windows so it'll reprompt you. I'm sure there's a faster way, but that way works for me. So here's share all the things. And here's Tom's share. So we're not logged into Tom's share. Here's share all the things. And complete read write permissions in here. So drag things into it. No problem, just copy files, full open permissions. Now it may not be the best thing to have this, especially if there's a virus crawling around the network. It will allow anyone to get into this. It has a share, but if you need an open share for a reason, if you check the allow guest and always allow guest, it makes a wide open share instead of nobody does like we showed. So let's log in as Tom again. And I got to type my name right. Tom, all right. If you type the password wrong, you can't get in. So here's our Tom's share that we created. So that works perfectly fine. So let's create another share. Let's go over here, storage, create data set, company. So I'll make a business one here. So this is the company files, add data set. Now we're gonna pretend Tom's the president of the company. So we get Tom the permissions right here. So we wanna make sure that it's going to be group read write, no others for this one. So we're gonna do a company folders. We wanna store our company data in here. And we want groups to be able to access it, but we don't want everyone to be able to access it. So we'll go here, change. And now Tom owns that data set and wheel as a secondary. But let's go ahead to accounts, groups, and let's actually create a group. So we'll call it management. 
So we want the management group in here. So now we have this called management. And we're gonna go over to Tom. We're also gonna make sure he has the management group in here as well. So we added this to his user permissions, okay? And while we're here, we'll add another group. We're gonna create an, let's say accounting group or finance group. I like finance better. Sounds more professional. All right, so we have a management group and a finance group. So now we can go over here to storage and we'll make this one management. Case sensitive for those. Hit okay, we're set permission. Firstly, now we don't have to mess with this anymore on this side. Now we're gonna go ahead and create a share. Browse, mount, company. Company, we're not allowing guest access. So everything else is fine. I'm only gonna hit advanced to do this, company files. So we have a description of what that is. Hit okay. So now, let me go back over here. Thanks Windows for not refreshing. We'll just log on to Windows real quick and it'll refresh. It'll show up eventually. Windows takes a little bit of time to do this, but logging it out forces it. So if you ever wonder why your share doesn't show up, this is the process by which you can fix that. And there's the company share. All right, so I logged in with Tom. So I have share all the things, which is wide open. Here's Tom's share. Here's the company share. And Tom has read write permission. So I can create a finance folder. There's the finance folder, general files. And in general files, we'll just copy something in there. New, make a financial data. So whatever, this is our important numbers file, company numbers and real important stuff. Yep, we'll save it. And it's saved right here. So now we have this fancy spreadsheet in here, which is the company files. Now here's where things get kind of fun. We're gonna start playing with the permissions and setting who can get in there. 
So we want everyone to get into general files and things inside the company, but we don't want everyone to get into finance. We only want people with the finance permission to get into finance. And remember, we created a group called finance. So let's show you how that actually plays out. Account, users, add user. Bob, it's easy to spell. Bob, give Bob a password. Bob belongs to management. Don't save. So now we've just created Bob, and we'll look at Bob again here. And he belongs to the management group, but he does not belong to the finance group. So the idea is, Bob is gonna be able to access one without accessing the other. We're gonna give him to the general, but not into everything. And the way we're going to achieve that is by setting the permissions inside the folder. And now this can be done from the command line. You can SSH in and do it. And you can set permissions and groups. That's one way to do it. We'll start with that way, because it's pretty easy. We gotta go turn on, go to services, SSH. And I wanna be able to log in as root. So hit okay, start on boot, start now. All right, SSH is up and running. Now, so we can go to here to mount, company. And there's our finance and general files. So let's go over here to windows. And we're gonna log in as Bob. So log off, company, Bob. We log in. Now right now, Bob can see the financial data and see the general files. That's not exactly what we want. We want Bob to only be able to see the general files, but not the finance. This is how we facilitate that. So we can see the owners. So we get Tom management, Tom management. So now we want to change this owner from Tom management and finance to Tom finance. Now I have the folder the same name as a group, but you can see finance is the group name, dash R recursively. And now we do this. And now it's Tom and finance. 
All right, so one more step after this, we've now created the group finance and we've recursively set finance be finance, but we have all the permissions here. We don't want all the permissions there. So now we have to change the permissions because the group still has access to this. And we don't want the other groups to have access to that. So now we've taken away the group permissions. So Tom, finance, group permissions are gone. Here's the permissions for it. So now Bob shouldn't have access to this file. And he doesn't. We can no longer see into those files. You don't have to log in and out for the permissions because it's still using Bob's credentials. We just blocked Bob from me and we'll go in there. Now that may seem a little tricky and you're going Tom, I don't want to have to deal with permissions and I don't remember 770 and 740 and all the permissions. Good news, there's an easier way. I just wanted to show you can do it that way or you can do it this way. Company, finance, properties. And you can do it through. This is WinSCP, free download, connect it there. And what you do when you want to change this is you can pull down the group IDs. I can type in 102 or it looks them up and goes, hey, this was management. And I can just quickly change permissions back and forth. And then I can sit at the group, any other, and to rewrite it. So I've got the owners here. I got the group rights here and the other rights here. And we took away the other rights. If I put them back on and we set it recursively. So we've just now reset that. Bob gets access again. So we'll put them back so we have properties and we don't want other people. So only people who belong to the group finance or are the owner, Tom, can get into this. We'll set that recursively. Once again, Bob doesn't have access. Now, what if Bob gets a promotion back to management? Well, we just do this. Where it gets a promotion, it allows them access to finance. So we go to account, users. 
Here, Bob, scroll down, finance. Add, hit OK. There's Bob's promotion. You got promoted to be able to go into finance. Move that out of the way. Now, this is where Windows gets stupid because it's decided that I know you gave permission but I'm not gonna let you do it. When it decides to do that, just log off and log back in. I'm not sure what causes Windows. Now it doesn't do it consistently. We did it now, which is great because it did it for the video. I've seen it do this. Now, with Active Directory, there's more communication going back and forth and I know with Active Directory it works fine but when you're doing this inside of here, with a FreeNAS back end, with no Active Directory, we did nothing other than log out. Did this all in real time? Log out, log back in and it works perfectly fine. I don't know because obviously we're changing permissions and it did work. This is kind of a bug in Windows. Once it decides there's no permissions for something, sometimes it gets it stuck, cached and go I don't have permission and I'm gonna tell you that you have no permission for this. Logging in and out fixes it perfectly fine so if you're beating your head against a wall, as I had stated earlier, logging in out of Windows. But Bob's promotion gets him access to finance and now he's in again, simple as that. So that's kind of the permissions in a nutshell. You can get complicated because you can add, you can create different groups for every folder and then you can have people belong to as many groups as you want or have their own shares and because Bob does not have access to this, we only granted Bob permission for management to get him here. He does not have the access that Tom has over here. So you can delegate out all your folders with different users, different permissions. They can't see each other and it works perfectly fine. 
So hopefully this was a clarification on how some of the permissions work in here and how easy it is to use WinSCP to change those permissions. And just for an example, we'll actually go back here to Tom's. And Bob belongs to management. So let's actually change the Tom's folder to management here. And now Bob gets into the Tom's share, just like that. So it's not that hard to do the permissions. It's a little bit confusing at first, but once you start going through here and understanding how they were set up and how we created these groups and how we put those users in those groups, so Bob's part of this, that's how the permissions work here in FreeNAS. So hopefully it's a good clarification that will get you started and get you going. We actually have a few clients we've deployed with FreeNAS at the back end and they've set up a whole hierarchy of all their groups and users and permissions on the folders and they don't have an Active Directory server. They just use this with the, it is a smaller office and this works fine for them without having to put an entire Active Directory server. They just have a couple of different groups. They have an engineering group and an accounting group and they want the files separate on one server. It's easy enough to do on here. You create the groups for each person and there's the couple of management team are in both groups so they can see both shares. Really straightforward and simple. So hopefully this is a good overview and helpful if I missed something or I need clarification or I need another video to show you some of the more advanced stuff or there's some question you have on this. Let me know in the comments below. If you like the content here, like, subscribe. Thank you very much.
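
Added example, not part of the video: a shell check you could run over SSH after the recursive group and permission change on the finance folder, to confirm that nothing under it still grants access to "other" and that everything carries the intended group. The function names, the temporary directory and the use of the symbolic mode o-rwx are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: audit a share folder after a recursive chown/chmod.
# All paths below are constructed in a temporary directory.

# Print every path under $1 that still grants read, write or execute to
# "other". The octal -perm -NNN form means "all of these bits are set".
find_other_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print every path under $1 whose group is not $2 (a name or numeric gid).
find_wrong_group() {
    find "$1" ! -group "$2" -print
}

# Remove all "other" permissions recursively and leave owner and group
# bits untouched, so no octal mode has to be remembered.
strip_other_access() {
    chmod -R o-rwx "$1"
}

# Demo on a constructed tree standing in for the company/finance folder.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/company/finance"
    echo "constructed sample data" > "$root/company/finance/numbers.txt"
    chmod -R 777 "$root/company"          # the wide-open starting state

    echo "Paths still open to other before the fix:"
    find_other_access "$root/company/finance"

    strip_other_access "$root/company/finance"

    echo "Paths still open to other after the fix (expect none):"
    find_other_access "$root/company/finance"

    # The current primary group stands in for the finance group here.
    echo "Paths not owned by the expected group (expect none):"
    find_wrong_group "$root/company/finance" "$(id -g)"

    rm -rf "$root"
}

demo
```

On the real system you would call find_other_access and find_wrong_group with the finance folder's path and the finance group name; any line of output is a path that the recursive change missed.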